Introduction:
This document discusses some common issues that users face on a daily basis.
Operating Condition:
This issue applies to standard user authorization sessions in a wired environment.
Issue:
DHCP traffic is getting blocked.
Possible Cause:
The preauthorization ACL could be blocking DHCP traffic.
Possible Resolution:
- Ensure that the Cisco IOS release on the switch is equal to or more recent than the Cisco IOS Release 12.2.(53)SE.
- Ensure that the identity group conditions are defined appropriately.
- Check for the client machine port VLAN by using show vlan on the access switch. If the port is not showing the correct authorization profile VLAN, ensure that VLAN enforcement is appropriate to reach out to the DHCP server. If the VLAN is correct, the preauthorization ACL could be blocking DHCP traffic. Ensure that the preauthorization DACL is as follows:
- This is for posture communication between NAC agent and ISE (Swiss ports)
- Ensure the session is created on the switch by entering show epm session summary. If the IP address of the session shown is "not available," ensure that the following configuration lines appear on the switch:
ip dhcp snooping vlan 30-100
ip device tracking
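
An added example, not part of the original document or the ISE guide: it checks saved running-config text for the two configuration lines listed above and walks a preauthorization ACL first-match to see whether a client's DHCP broadcast would be permitted. The sample config, the ACL name PREAUTH-EXAMPLE and its entries, and the VLAN number passed in are constructed assumptions.

```python
import re

# Constructed sample running-config (not from the original page). The ACL name
# PREAUTH-EXAMPLE and its entries are illustrative assumptions.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 30-100
ip device tracking
ip access-list extended PREAUTH-EXAMPLE
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
"""

# Only any-to-any ip/udp entries can match a DHCP broadcast from an unaddressed client.
ENTRY = re.compile(r"^(permit|deny) (ip|udp) any(?: eq (\S+))? any(?: eq (\S+))?$")

def snooped_vlans(config):
    """Expand every 'ip dhcp snooping vlan' list (e.g. 30-100,200) into a set."""
    vlans = set()
    for spec in re.findall(r"^ip dhcp snooping vlan (\S+)", config, re.M):
        for part in spec.split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def acl_allows_dhcp(config, name):
    """First-match walk of a named extended ACL for client DHCP (udp 68 -> 67)."""
    block = re.search(rf"^ip access-list extended {re.escape(name)}[ \t]*\n((?: .*\n?)*)",
                      config, re.M)
    if not block:
        return False
    for line in block.group(1).splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # remark, tcp or host-specific entry: skipped as non-matching
        action, proto, sport, dport = m.groups()
        if proto == "ip" or (sport in (None, "bootpc", "68")
                             and dport in (None, "bootps", "67")):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def check(config, vlan, acl):
    """Report the three conditions this troubleshooting note asks you to verify."""
    return {
        "device_tracking": bool(re.search(r"^ip device tracking\s*$", config, re.M)),
        "vlan_snooped": vlan in snooped_vlans(config),
        "preauth_acl_allows_dhcp": acl_allows_dhcp(config, acl),
    }
```

Call `check(config_text, client_vlan, acl_name)` with the output of a saved configuration; any False value points at the corresponding resolution step.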
Reference:
ISE Troubleshooting Guide