10-11-2018 12:34 AM - edited 03-08-2019 04:21 PM
Hi,
I'm experiencing a problem with different types of hardware not getting the ACS ACL downloaded from ISE.
I don't know when it started; possibly it appeared during one of the latest IOS upgrades, but I'm not sure.
- The problem seems to appear on machines/hardware which do not send DHCP REQs/ARPs etc.
I've tried upgrading the Switch Hardware; c3750e-universalk9-mz.152-4.E7.bin (No success)
Running IOS; c3750e-universalk9-mz.152-4.E6.bin
ISE version;
Version: 1.4.0.253
Patch Information: 3
The dACL access list that is getting downloaded;
Extended IP access list xACSACLx-IP-dACL-MA-STORES-XXX-5bbdbe17 (per-user)
1 permit ip any 90.212.188.64 0.0.0.63
2 permit ip any 90.212.188.128 0.0.0.127
3 permit ip any 90.208.148.64 0.0.0.63
4 permit udp any host 15.80.5.21 eq domain
5 permit udp any host 15.56.23.21 eq domain
6 permit udp any host 15.60.13.21 eq domain
7 permit udp any host 15.62.0.64 eq domain
8 permit udp any host 15.62.0.65 eq domain
9 permit icmp any any
10 deny ip any any log
I've found a workaround by doing an ICMP ping towards the hardware from the CPE router on the same network. But it hasn't been evaluated for weeks now, so I'm not sure if it's solid, and it's not a working workaround due to the amount of devices.
Working authentication interface information Status;
SEXXX-AAAXXX-AAAA-SW01#show authentication sessions interface gigabitEthernet 1/0/1 det
Interface: GigabitEthernet1/0/1
MAC Address: 000f.b605.0000
IPv6 Address: Unknown
IPv4 Address: 10.50.133.38
User-Name: 00-0F-B6-05-00-00
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 000000000000001703676C8B
Acct Session ID: 0x0000000D
Handle: 0x7E00000B
Current Policy: POLICY_Gi1/0/1
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Name: MA-STORES-XXX, Vlan: 570
ACS ACL: xACSACLx-IP-dACL-MA-STORES-XXX-5bbdbe17
Method status list:
Method State
dot1x Stopped
mab Authc Success
Not working authentication interface information Status;
SEXXX-AAAXXX-AAAA-SW01#show authentication sessions interface gigabitEthernet 1/0/1 det
Interface: GigabitEthernet1/0/1
MAC Address: 000f.b605.0000
IPv6 Address: Unknown
IPv4 Address: 10.50.133.38
User-Name: 00-0F-B6-05-00-00
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: N/A
Common Session ID: 000000000000001703676C8B
Acct Session ID: 0x0000000D
Handle: 0x7E00000B
Current Policy: POLICY_Gi1/0/1
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Name: MA-STORES-XXX, Vlan: 570
<--------- THIS LINE IS MISSING ----------------- >
Method status list:
Method State
dot1x Stopped
mab Authc Success
#Switchport configuration is;
interface GigabitEthernet1/0/1
description Switchport1
switchport mode access
switchport protected
switchport block unicast
ip arp inspection limit rate 20
load-interval 30
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 2
dot1x timeout supp-timeout 20
dot1x timeout held-period 300
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
spanning-tree portfast edge
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 20
#Global configuration that could be related (IPDT)
ip device tracking probe count 5
ip device tracking probe delay 30
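To make the working/not-working comparison above systematic across many ports, here is an added Python example (not Cisco, ISE or the poster's code). It parses the plain-text blocks of "show authentication sessions interface ... det", and flags every authorized session whose Server Policies section carries a Vlan Group but no "ACS ACL" line, which is exactly the missing line in the second output. It also records whether the switch has learned an IPv4 address for the session, since the dACL cannot be applied until IP device tracking has a binding for the host. The sample output is constructed from the two pastes above; the second block is a constructed variant with IPv4 Address Unknown to show that check.

```python
"""Find authorized sessions that never received the downloadable ACL.

Added example for this thread, not vendor code. Feed it the text of
'show authentication sessions interface <if> det' for one or more ports.
"""
import re

# Constructed sample: a working session (dACL present) followed by a
# failing one (no 'ACS ACL' line, and no IPv4 binding learned by IPDT).
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/0/1
MAC Address: 000f.b605.0000
IPv6 Address: Unknown
IPv4 Address: 10.50.133.38
User-Name: 00-0F-B6-05-00-00
Status: Authorized
Domain: DATA
Oper host mode: single-host
Server Policies:
Vlan Group: Name: MA-STORES-XXX, Vlan: 570
ACS ACL: xACSACLx-IP-dACL-MA-STORES-XXX-5bbdbe17
Method status list:
Method State
dot1x Stopped
mab Authc Success
Interface: GigabitEthernet1/0/2
MAC Address: 000f.b605.0001
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 00-0F-B6-05-00-01
Status: Authorized
Domain: DATA
Oper host mode: single-host
Server Policies:
Vlan Group: Name: MA-STORES-XXX, Vlan: 570
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

# 'Key: value' lines; the non-greedy key stops at the first colon so that
# 'Vlan Group: Name: ..., Vlan: 570' keeps its nested text as the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 /-]+?):\s*(.*)$")


def parse_sessions(text):
    """Split show output into one dict per 'Interface:' block.

    Lines without a colon (method table rows) are ignored.
    """
    sessions = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":
            current = {"Interface": value}
            sessions.append(current)
        elif current is not None:
            current[key] = value
    return sessions


def find_missing_dacl(sessions):
    """Return one finding per authorized session whose server policies
    were pushed (Vlan Group present) but which carries no ACS ACL."""
    findings = []
    for s in sessions:
        if s.get("Status") != "Authorized":
            continue
        if "Server Policies" not in s:
            continue  # no policy section at all: a different failure mode
        if "ACS ACL" in s:
            continue  # dACL applied, nothing to report
        ipv4 = s.get("IPv4 Address", "Unknown")
        findings.append({
            "interface": s["Interface"],
            "mac": s.get("MAC Address"),
            "vlan": s.get("Vlan Group"),
            "ipv4": ipv4,
            # Without an IP binding the switch has nothing to install
            # the per-user ACL against, which points at IPDT/ARP.
            "ip_known": ipv4 != "Unknown",
        })
    return findings


if __name__ == "__main__":
    for f in find_missing_dacl(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{f['interface']}: no dACL; mac={f['mac']} "
              f"ipv4={f['ipv4']} ip_known={f['ip_known']}")
```

In practice you would collect the show output for all access ports (or the whole "show authentication sessions" table, then the details of each authorized port) and run the two functions over it; a finding with ip_known False is the case to investigate on the IP device tracking side, while a finding with a known IP would point at the authorization result from ISE instead.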
10-11-2018 01:43 AM
Hello,
hard to say what is causing this. Is it an option to configure a port with just the basic config:
interface GigabitEthernet1/0/1
description Switchport1
switchport mode access
spanning-tree portfast edge
and then add the other config parts one by one, in order to find out if any of the other lines applied to the switchport are causing this?
10-11-2018 01:59 AM
Possible in a theoretical way, but I'm quite sure it's related to the IP device tracking service. I'm not sure what to do about it, though, because we only experience the problem with two types of devices, and they are only obscure devices.
07-15-2019 07:26 AM
Just to get back with some information after problem troubleshooting.
We tried everything and still haven't solved it.
But the device is obscure: 10mbit/half-duplex, very old hardware etc. It feels like some kind of ARP issue of the device itself.
A workaround we found was to set up a monitoring service and send ICMP echo requests to keep the device alive and also responding from the network abroad; in that case it did get a dACL.
Very strange. I will try to get back if we ever find a root cause for this.
(The hardware is some kind of IP-alarm module/node)