Cisco ISE 2.4 static IP assigned devices problem

azerturkbank1
Level 1

ISE ver 2.4 patch 10

I have implemented dot1x and MAB only deployment.

dot1x works well with certificates; profiling of dynamically IP-assigned devices also works well (e.g. IP phones).

There are several devices to which we are obliged to assign static IPs, like NVRs or fingerprint devices.

These devices are statically profiled based on MAC and IP address (e.g. if MAC is aaa.aaa.aaa and IP is x.x.x.x, then profile NVR1).

If the port is not set to closed mode (authentication open), the device is authenticated after a while. Even in open mode, if I shut/no shut the port, the device again stays in an unauthorized state for a while. After a period of time, ISE authenticates this device again.

But if I put the port in closed mode, the device is never authenticated.

#aaa config

aaa group server radius ISE-Group
server name ISE1
server name ISE2
!
aaa authentication login console local
aaa authentication login vty local
aaa authentication enable default enable
aaa authentication dot1x default group ISE-Group
aaa authorization exec default local
aaa authorization exec vty local
aaa authorization network default group ISE-Group
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE-Group


##Port config

interface GigabitEthernet1/0/6
description NVR1
switchport access vlan 4
switchport mode access
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation replace

ip device tracking probe delay 10
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast edge
spanning-tree bpduguard enable

#radius config
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 10 tries 3
radius-server retry method reorder
radius-server retransmit 1
radius-server timeout 3


ip device tracking is also enabled.

In open mode, I can see the IP and MAC binding in the device tracking database; however, if I change it to closed mode, it vanishes.

Do you have any idea?

Thank you in advance!
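An added example, not from the original post or from Cisco: a small Python script that parses the interface configuration above into open/closed mode and configured authentication methods, and evaluates a MAC-plus-IP static profiling rule of the kind the post describes against a device-tracking binding table. The second interface, the MAC, IP, profile name and binding table are all constructed sample data. It shows that a rule conditioned on both MAC and IP cannot match while no IP binding has been learned, which is the state the post reports for closed mode, so an operator can tell a "rule never fired" outcome apart from a "rule fired with the wrong IP" outcome when reading ISE's profiling results.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the open-mode port from the post plus a second
# port (Gi1/0/7, invented here) with 'authentication open' removed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/6
description NVR1
switchport access vlan 4
switchport mode access
authentication host-mode multi-domain
authentication open
authentication order mab
authentication priority mab
authentication port-control auto
mab
dot1x pae authenticator

interface GigabitEthernet1/0/7
description NVR2-closed
switchport access vlan 4
switchport mode access
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
mab
dot1x pae authenticator
"""


@dataclass
class PortState:
    name: str
    open_mode: bool = False                      # 'authentication open' present
    methods: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> Dict[str, PortState]:
    """Split an IOS-style running config into interface blocks.

    A block ends at a blank line or a lone '!'.  Only the lines relevant to
    the open/closed question are inspected; everything else is ignored.
    """
    ports: Dict[str, PortState] = {}
    current: Optional[PortState] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = PortState(name=m.group(1))
            ports[current.name] = current
            continue
        if current is None:
            continue
        if line == "authentication open":
            current.open_mode = True
        elif line == "mab":
            current.methods.append("mab")
        elif line == "dot1x pae authenticator":
            current.methods.append("dot1x")
    return ports


def port_report(ports: Dict[str, PortState]) -> Dict[str, Tuple[str, Tuple[str, ...]]]:
    """Summarise each port as (mode, methods), e.g. ('closed', ('mab', 'dot1x'))."""
    return {n: ("open" if p.open_mode else "closed", tuple(p.methods))
            for n, p in ports.items()}


# Constructed static profiling policy in the shape the post describes:
# "if MAC is X and IP is Y then profile NVR1".  Values are placeholders.
STATIC_PROFILES = {
    "AA:AA:AA:AA:AA:01": {"ip": "10.0.4.10", "profile": "NVR1"},
}


def match_static_profile(mac: str, bindings: Dict[str, str],
                         policy: Dict[str, dict] = STATIC_PROFILES) -> Tuple[Optional[str], str]:
    """Evaluate a MAC-and-IP rule against the learned MAC->IP binding table.

    Returns (profile or None, reason).  A missing binding is reported
    separately from a mismatching one, because the two look the same in the
    endpoint's final state (unprofiled) but need different fixes.
    """
    mac = mac.upper()
    rule = policy.get(mac)
    if rule is None:
        return None, "no static rule for this MAC"
    learned_ip = bindings.get(mac)
    if learned_ip is None:
        return None, "no IP binding learned for this MAC; the IP condition cannot match"
    if learned_ip != rule["ip"]:
        return None, f"learned IP {learned_ip} differs from rule IP {rule['ip']}"
    return rule["profile"], "MAC and IP both matched"


if __name__ == "__main__":
    for name, summary in port_report(parse_interfaces(SAMPLE_CONFIG)).items():
        print(name, summary)
    # Binding present (what the post sees in open mode) vs. absent (closed mode).
    print(match_static_profile("aa:aa:aa:aa:aa:01", {"AA:AA:AA:AA:AA:01": "10.0.4.10"}))
    print(match_static_profile("aa:aa:aa:aa:aa:01", {}))
```

Run it as-is to see the two ports classified and the same MAC evaluated once with a binding and once without; feed `parse_interfaces` a real `show running-config` dump to get the same open/closed summary for every access port.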
