Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

Who Me Too'd this topic

ISE - IP does not show UP - Endpoint not getting IP

Kalimoz
Level 1
Level 1

‎11-12-2020 11:25 AM - edited ‎11-12-2020 11:31 AM

Hello all,

I'm having a hugeee struggle within ISE (i think the problem is with ISE). Everytime an endpoint connects via WIRED MAB it goes to their respective policy, and then to the authorization.

 

It goes like this

PC ---> SWITCH ----> ISE (Policy MAB -> Authentication Default Internal Endpoints -> Authorization Switch X, Location Z -> Profile Vlan 244)

I have no problems with that since after the PC connects it goes straight to that Policy and it goes to VLAN 244

 

My problem is im not getting any IP address given to the endpoint, and in the LIVE LOGS i don't get the IP in the TAB IP Address

 

SWITCH#sh authentication sessions int gi0/16
Interface: GigabitEthernet0/16
MAC Address: 18a9.0598.f631
IP Address: Unknown
User-Name: 18-A9-05-98-F6-31
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 244
ACS ACL: xACSACLx-IP-PERMIT_ANY-5fad6532
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AC31DFC0000002743AE10BE
Acct Session ID: 0x00000034
Handle: 0xAC000027

Runnable methods list:
Method State
mab Authc Success
dot1x Not run

 

SWITCH CONFIG

aaa group server radius ISE
server 10.194.224.21 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
ip radius source-interface
!
radius-server host 10.194.224.21 auth-port 1812 acct-port 1813
!
radius-server key XXXXXXX

!

dot1x system-auth-control
dot1x critical eapol

!

ip device tracking probe delay 10

!

radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria tries 2
radius-server key XXXXXXX
radius-server vsa send authentication
radius-server vsa send accounting

!

Interface GI0/16

switchport mode access

authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3

!

 

What i'm missing here?

1 person had this problem
0 Helpful
Who Me Too'd this topic