Can t obtain IP address

HAT · ‎05-02-2023

Hi All

I have successfully managed to authenticate and authorize a device ( printer) via MAB but it s failing to obtain an IP address from the DHCP Server .

This is a wired setup using a Cisco 9300 switches and I can confirm that the foundational network setup is correct as I have managed to successfully configure and obtain an IP address from other devices via mab .

As per the below packet capture the authentication is successful but with no IP address .

Can somebody please assist ?

Thanks in advance

PabMar · ‎05-02-2023

Hi,

Have a read at this document for DHCP in the SDA Fabric.

Make sure that VN has reachability to the DCHP server and the DHCP server leaves the option 82 untouched.

Regards.

Flavio Miranda · ‎05-02-2023

Hi

If you remove authentication on this port, are you able to get an IP address? Or if you plug a laptop or any other device?

HAT · ‎05-02-2023

Thanks for the reply . I ll give it a try and get back to you

HAT · ‎05-13-2023

With no authentication , it s works fine . As per the screenshot above , it s been authenticated and authorized fine but failing at getting an IP address . Will look into the DHCP settings . Thanks

Flavio Miranda · ‎05-13-2023

I dont believe it would be anything DHCP related. If you dropped the auth and it gets an IP address, which means connectivity and configuration is all OK.

The problem should be related to the authentication. Keep in mind that when using dot1x or MAB, first the device must authenticate and after that It gets an IP address. I would check on the ISE side. specially on the policy you are passing down to the device. You are probably blocking the traffic after the successfully authentication. Either you need to send some ACL permiting or you are sending some ACL and not permiting.

Edson A. Hernandez · ‎05-02-2023

1) Verify that the printer is configured to obtain an IP address via DHCP.

2) Check the DHCP server logs to see if there are any errors or issues related to the printer's requests for an IP address.

3) Ensure that the printer is on the correct VLAN and that the DHCP server is configured to assign IP addresses for that VLAN.

4) Check the switch configuration to ensure that the switch ports are configured correctly for the printer and that there are no VLAN or port access issues.

5) If the issue persists, try assigning a static IP address to the printer to see if that resolves the issue.

**Remember to support with a like to keep the community active***
**Please, if the information was helpful, mark this answer as correct.***

HAT · ‎05-02-2023

Thanks for all the suggestions , I ll go through them and let you know.

Tomas de Leon · ‎05-13-2023

I have attached a presentation from last years Cisco Live which may help. Since you mention that Authentication works and it looks like the the vlan is set to 1031, it looks like the ISE part is working if you are assigning dynamically via the MAC address.

*** THINGS TO LOOK AT ON THE EDGE WHEN TROUBLESHOOTING DHCP FOR CLIENTS

sh vrf | inc VN|LI0.4
sh run int Vl10xx | inc helper

sh run int Vl1031 | inc helper
lig instance-id 4101 192.168.211.213

For example:

EDGE# sh vrf | inc VN|LI0.4

RTP_VOICE_VN <not set> ipv4 Vl1031
LI0.4101

EDGE# sh run int Vl1031 | inc helper
ip helper-address 192.168.211.213

EDGE# lig instance-id 4102 192.168.211.213
Mapping information for EID 192.168.211.213 from 192.168.0.202 with RTT 1 msecs
192.168.211.0/24, uptime: 6d23h, expires: 23:59:59, via map-reply, complete
Locator Uptime State Pri/Wgt Encap-IID
192.168.0.201 6d23h up 10/10 -
192.168.0.202 6d23h up 10/10 -

- Run a wireshark on the DHCP Server (192.168.211.213)
- Reboot the device on the Edge Port
- Does the DHCP server see the DHCP Discover
- Does the DHCP server respond with a DHCP Offer

Look at the details of the Offer and make sure it is being sent back to the correct Edge

andy!doesnt!like!uucp · ‎05-13-2023

debug dhcp detail on the FE