
MAB Device Not Renewing VLAN on CoA

sajidabbas
Level 1

Hi,

I've seen some topics on the subject but couldn't find a proper solution for this.

We have many different types of devices that undergo MAB authentication, such as printers, IPTV devices, BMS, etc. We have open mode running on our switches that provide an initial VLAN which is statically configured on each port. After authentication, the change of VLAN takes place, but these devices do not renew their IP address and change as per the VLAN of the port. I've read best practices to configure closed mode for this, but we need open mode for other projects and tasks and need a uniform configuration. Any advice on keeping the mode open that will force MAB devices to renew their IP address after authentication is completed?

We have Cisco ISE version 2.0 running with Cisco IA6880.

 

Thanks

Sajid

3 Replies

Arne Bier
VIP

Hi Sajid

 

Changing VLAN is one part of the solution - but the trick to getting the clients to get a new IP address on their new VLAN is to cause the interface to go down, and then up again (also called port-bounce). Are you doing that? This is the only way that you can signal to an end device that it has to perform the DHCP DORA (Discovery, Offer, Request, Accept) cycle again.

Hi Arne,

 

Thanks for your response.

 

I have configured port bounce on ISE, though not globally, but for the specific profile of devices I'm testing on. When the device gets authenticated, will I see a log on the switch that the port went up/down?

On the switch itself there is a command "authentication command bounce-port ignore". I have tried to enter 'no' before it but it does not get removed. Could this also be preventing the port bounce command from ISE?

The issue is still there and the device does not renew its DHCP lease after getting authenticated.

 

Sajid

According to Cisco documentation, you should be able to place a no in front of the command.  If it's being ignored then it might be a bug in that version of code.
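
The check discussed in this thread, as an added example that is not part of the original posts and is not Cisco's code: a small Python audit of a saved running-config that reports whether `authentication command bounce-port ignore` is present, which RADIUS clients are allowed to send CoA, and which open-mode MAB ports have a static access VLAN. The sample config is constructed, and the function names `parse_blocks` and `audit_coa_bounce` are hypothetical.

```python
# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
aaa server radius dynamic-author
 client 192.0.2.10 server-key EXAMPLE
!
authentication command bounce-port ignore
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 authentication open
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
!
"""

def parse_blocks(config):
    """Split an IOS-style config into {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # skip blank lines and section separators
        if line[0] != " ":
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_coa_bounce(config):
    """Report the settings that decide whether a CoA port-bounce takes effect."""
    blocks = parse_blocks(config)
    # RADIUS clients (e.g. ISE nodes) permitted to send CoA to this switch.
    coa_clients = [c.split()[1] for c in blocks.get("aaa server radius dynamic-author", [])
                   if c.startswith("client ")]
    mab_open_ports = {}
    for head, children in blocks.items():
        if head.startswith("interface ") and "mab" in children and "authentication open" in children:
            vlan = next((c.split()[-1] for c in children
                         if c.startswith("switchport access vlan ")), None)
            mab_open_ports[head.split(None, 1)[1]] = vlan  # port -> static initial VLAN
    return {
        "coa_clients": coa_clients,
        # True means the switch is configured to ignore CoA bounce-port requests.
        "bounce_ignored": "authentication command bounce-port ignore" in blocks,
        "mab_open_ports": mab_open_ports,
    }
```

When `bounce_ignored` is true, every port listed in `mab_open_ports` keeps its link up after the VLAN change, so the attached device has no trigger to repeat DHCP.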