ISE policy incorrect IP address given to users based on policy

Hello All,


I am new to Cisco ISE and our ISE policies were created by a 3rd party. We purchased professional services, and all policies were working great up until we turned up a new site and copied the authorization and authentication policies and applied them to the users in this office. We now have a site that is routed, not switched; the offices are connected with SD-WAN and it's a simple route back to our HQ office. What happens when the ISE policy is applied to a user port is shown below:


interface GigabitEthernet2/0/20
mvrp timer leave-all 1000
mvrp timer leave 60
mvrp timer join 20
no mvrp timer periodic
no mvrp
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode access
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
no switchport vepa enabled
switchport port-security maximum 65535 vlan voice
no switchport port-security mac-address sticky
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
ip access-group PRE-AUTH in
load-interval 300
carrier-delay 2
no shutdown
no medium p2p
no macsec replay-protection
no macsec
cdp tlv location
cdp tlv server-location
cdp tlv app
ipv6 mld snooping tcn flood
ipv6 redirects
ipv6 unreachables
authentication periodic
authentication timer reauthenticate server
authentication timer unauthorized 0
authentication linksec policy
no access-session interface-template sticky
access-session host-mode multi-auth
access-session control-direction both
no access-session closed
access-session port-control auto
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
mab radius
dot1x pae authenticator
no mka pre-shared-key
mka default-policy
autonomic
arp arpa
arp timeout 14400
channel-group auto
spanning-tree portfast disable
spanning-tree portfast trunk
spanning-tree portfast
spanning-tree port-priority 128
spanning-tree cost 0
ethernet oam max-rate 10
ethernet oam min-rate 1
ethernet oam remote-loopback timeout 2
ethernet oam timeout 5
service-policy type control subscriber ISE-POLICY
hold-queue 2000 in
hold-queue 40 out
ip igmp snooping tcn flood
no ip dhcp snooping information option allow-untrusted
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map


The source for RADIUS and TACACS is set to VLAN 195, which is the MGMT address that has been added to ISE.


Switch config:

ip tacacs source-interface Vlan195

ip radius source-interface Vlan195


term mon was running, and a forced shut/no shut then produced all of the following logs on an ISE user port:

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] vlan 1 vp is removed

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] mark_vlan_for_del: mark vlan 1 for del

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 0

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] Link down

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20]

 SB VP errdisable set: clearing errdisable indicator for domain  1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20]

 SB VP errdisable set: clearing errdisable indicator for domain  2

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: Radio Active tracingDebug level for if_id : 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] handle_vlan_removal: vlan 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: handle_vlan_removal: marking client for del

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT:

dot1x_switch_lock_client_info: Lock acquired. client info: 0x7F1CAB292348,client_handle 0x6400006D

1d08h: AUTH-FEAT-IAL-ERROR: Received 0 if_num for idb

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT:

dot1x_switch_unlock_client_info: Releasing Lock. client info: 0x7F1CAB292348, client_handle 0x6400006D

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] delete_vlan_on_port: vlan 1 new user count 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 1 fwd count 0, client count 0, pending delete 1

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: [Gi2/0/20] handle_vlan_removal: vlan 1 NOT removed, even though pending delete set

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] Disabling dot1x in switch shim

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Disabling dot1x

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Setting vlan 0 in DATA domain

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] Assigning dynamic vlan = 0 on port GigabitEthernet2/0/20

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] dot1x_switch_pm_port_set_vlan: Old and new vlans are same(0) for GigabitEthernet2/0/20

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Setting vlan 0 in VOICE domain

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] Assigning dynamic vlan = 0 on port GigabitEthernet2/0/20

Rumack#

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] dot1x_switch_pm_port_set_vlan: Old and new vlans are same(0) for GigabitEthernet2/0/20

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 10.44.160.31, mac = 408d.5cf1.f9a5, vlan = 1

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Entry State Changed:(Gi2/0/20 10.44.160.31 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF_DB_ENTRY_STATE_CHANGE - Ignoring IP release event at link down event

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF_DB_ENTRY_STATE_CHANGE - Updated binding_add

Rumack#

*Jan  3 19:43:50: %LINK-5-CHANGED: Interface GigabitEthernet2/0/20, changed state to administratively down

*Jan  3 19:43:51: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/20, changed state to down

Rumack#

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Disabling dot1x

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

Rumack#

*Jan  3 19:44:00: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/20, changed state to down

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] Link coming up

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] vlan 1 vp is added

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20]  vp link up 1

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM: Forwarding is disabled

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 1 fwd count 0, client count 0, pending delete 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] core_vp_state: VP_FORWARDING vlan 1 domain 1

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: Radio Active tracingDebug level for if_id : 0

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20]  link up deferred handler

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] Is domain valid: Voice vlan is invalid

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] apply_flags: auth enabled

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] Enabling dot1x in switch shim

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 1 fwd count 0, client count 0, pending delete 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_or_alloc_vlan: Resetting pending delete Flag for vlan 1 New user count 2

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20]  dot1x enable added vlan data for 1 as access vlan

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Enabling dot1x

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Set dot1x ask handler

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20]  default_host_access set to 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] core_vp_state: VP_FORWARDING vlan 1 domain 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] update_vp_states: VP state is VP_FORWARDING for Data

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] port set state , vlan 1, state 8

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: Radio Active tracingDebug level for if_id : 0

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: Radio Active tracingDebug level for if_id : 0

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20]  vp link up deferred handler, vlan 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] vp_comingup: vlan 1, avlan 1, vvlan 4096

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: vp_comingup: ignoring vlan 1 add for non switch client

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_or_alloc_vlan: Updating vlan 1 New user count 3

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] delete_vlan_on_port: vlan 1 new user count 2

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 0

Rumack#

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] core_vp_state: VP_FORWARDING vlan 1 domain 1

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] port set state , vlan 1, state 8

Rumack#

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] vlan 1 vp is removed

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] mark_vlan_for_del: mark vlan 1 for del

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 0

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] Link down

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20]

 SB VP errdisable set: clearing errdisable indicator for domain  1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20]

 SB VP errdisable set: clearing errdisable indicator for domain  2

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Disabling dot1x

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: Radio Active tracingDebug level for if_id : 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] handle_vlan_removal: vlan 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: handle_vlan_removal: skipping client thats already pending delete

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] delete_vlan_on_port: vlan 1 new user count 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 1 fwd count 0, client count 0, pending delete 1

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: [Gi2/0/20] handle_vlan_removal: vlan 1 NOT removed, even though pending delete set

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] Disabling dot1x in switch shim

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Disabling dot1x

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Setting vlan 0 in DATA domain

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] Assigning dynamic vlan = 0 on port GigabitEthernet2/0/20

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] dot1x_switch_pm_port_set_vlan: Old and new vlans are same(0) for GigabitEthernet2/0/20

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Setting vlan 0 in VOICE domain

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] Assigning dynamic vlan = 0 on port GigabitEthernet2/0/20

Rumack#

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] dot1x_switch_pm_port_set_vlan: Old and new vlans are same(0) for GigabitEthernet2/0/20

Rumack#

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] Link coming up

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] vlan 1 vp is added

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20]  vp link up 1

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM: Forwarding is disabled

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 1 fwd count 0, client count 0, pending delete 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] core_vp_state: VP_FORWARDING vlan 1 domain 1

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: Radio Active tracingDebug level for if_id : 0

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20]  link up deferred handler

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] Is domain valid: Voice vlan is invalid

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] apply_flags: auth enabled

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] Enabling dot1x in switch shim

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 1 fwd count 0, client count 0, pending delete 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_or_alloc_vlan: Resetting pending delete Flag for vlan 1 New user count 2

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20]  dot1x enable added vlan data for 1 as access vlan

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Enabling dot1x

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] PM Actions: Set dot1x ask handler

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20]  default_host_access set to 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] core_vp_state: VP_FORWARDING vlan 1 domain 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] update_vp_states: VP state is VP_FORWARDING for Data

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] port set state , vlan 1, state 8

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: Radio Active tracingDebug level for if_id : 0

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: Radio Active tracingDebug level for if_id : 0

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20]  vp link up deferred handler, vlan 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] vp_comingup: vlan 1, avlan 1, vvlan 4096

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: vp_comingup: ignoring vlan 1 add for non switch client

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_or_alloc_vlan: Updating vlan 1 New user count 3

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] delete_vlan_on_port: vlan 1 new user count 2

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 2 fwd count 0, client count 0, pending delete 0

Rumack#

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] core_vp_state: VP_FORWARDING vlan 1 domain 1

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [Gi2/0/20] port set state , vlan 1, state 8

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [408d.5cf1.f9a5, Gi2/0/20] mac addr process not notifying SM vlan 1

Rumack#

*Jan  3 19:44:08: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/20, changed state to up

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 10.44.160.31, mac = 408d.5cf1.f9a5, vlan = 1

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Entry State Changed:(Gi2/0/20 10.44.160.31 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF_DB_ENTRY_STATE_CHANGE - Updated binding_add

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Binding Remove Notify:(Gi2/0/20 10.44.160.31 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: ifhdl -- 91 ifindex -- 91

1d08h: AUTH-FEAT-SISF-EVENT: IP update for MAC 408d.5cf1.f9a5. New IP 10.44.160.31

Rumack#

1d08h: AUTH-FEAT-SISF-EVENT: IPv4 ID relaese notify success for idb 0x7F1CAA773C50, MAC 408d.5cf1.f9a5

Rumack#

*Jan  3 19:44:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/20, changed state to up

Rumack#

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 10.44.160.31, mac = 408d.5cf1.f9a5, vlan = 1

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Entry State Changed:(Gi2/0/20 10.44.160.31 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF_DB_ENTRY_STATE_CHANGE - Updated binding_add

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Binding Add Notify:(Gi2/0/20 10.44.160.31 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: ifhdl -- 91 ifindex -- 91

1d08h: AUTH-FEAT-SISF-EVENT: IP update for MAC 408d.5cf1.f9a5. New IP 10.44.160.31

1d08h: AUTH-FEAT-SISF-EVENT: IPv4 ID update notify success for idb 0x7F1CAA773C50, MAC 408d.5cf1.f9a5

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 10.44.160.31, mac = 408d.5cf1.f9a5, vlan = 1

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Entry Created:(Gi2/0/20 10.44.160.31 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF_DB_ENTRY_CREATED - Made binding_add as TRUE

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Binding Add Notify:(Gi2/0/20 10.44.160.31 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: ifhdl -- 91 ifindex -- 91

Rumack#

1d08h: AUTH-FEAT-SISF-EVENT: IP update for MAC 408d.5cf1.f9a5. New IP 10.44.160.31

1d08h: AUTH-FEAT-SISF-EVENT: IPv4 ID update notify success for idb 0x7F1CAA773C50, MAC 408d.5cf1.f9a5

Rumack#

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 192.169.0.201, mac = 408d.5cf1.f9a5, vlan = 1

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Entry Created:(Gi2/0/20 192.169.0.201 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 192.169.0.201, mac = 408d.5cf1.f9a5, vlan = 1

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Entry State Changed:(Gi2/0/20 192.169.0.201 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF_DB_ENTRY_STATE_CHANGE - Updated binding_add

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 192.169.0.201, mac = 408d.5cf1.f9a5, vlan = 1

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Entry State Changed:(Gi2/0/20 192.169.0.201 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF_DB_ENTRY_STATE_CHANGE - Updated binding_add

1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] SISF Shim Binding Add Notify:(Gi2/0/20 192.169.0.201 408d.5cf1.f9a5 1)

1d08h: AUTH-FEAT-SISF-EVENT: ifhdl -- 91 ifindex -- 91

1d08h: AUTH-FEAT-SISF-EVENT: IP update for MAC 408d.5cf1.f9a5. New IP 192.169.0.201

Rumack#

1d08h: AUTH-FEAT-SISF-EVENT: IPv4 ID update notify success for idb 0x7F1CAA773C50, MAC 408d.5cf1.f9a5

Rumack#

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [408d.5cf1.f9a5, Gi2/0/20] vlan_plugin: start-fn called for idb Gi2/0/20 mac 408d.5cf1.f9a5 domain 1 vlan_group  vlan 0 is cvv 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: could not find vlan data for vlan 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [408d.5cf1.f9a5, Gi2/0/20] client_set_vlan:  client vlan = 0, domain = 1

1d08h: AUTH-FEAT-SWITCH-CORE-ERROR: [408d.5cf1.f9a5, Gi2/0/20] client_set_vlan: client look up failedclient_info 0x0, vlan 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [408d.5cf1.f9a5, Gi2/0/20] apply_vlan: 408d.5cf1.f9a5 assigned vlan 0, rc = success

1d08h: AUTH-FEAT-IAL-EVENT: [Gi2/0/20] mac_seen flag value set to 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: disconnect_notif_cb: client id 0x00000001

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] delete_vlan_on_port: vlan 1 new user count 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT:  delete client struct with id = 0x6400006D

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT:

 Del client info: Removed client_info 0x7F1CAB292348, client_handle 0x6400006D

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] auth_param_change: control enabled 1 cdp bypass enabled 0 static allow 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] auth_param_change: notify 1 oper allow 1 authorized 0 for DATA

Rumack#

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] auth_param_change: notify 1 oper allow 1 authorized 0 for VOICE

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] Is domain valid: Voice vlan is invalid

Rumack#

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: static_allow=1 DATA:notify=1 oper_allow=1 VOICE:notify=1 oper_allow=1 cdp_bypass=0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] get_default_host_access: returning permit

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Notified new mac on vlan 1 to SM

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [408d.5cf1.f9a5, Gi2/0/20] start_session_mgr_event: posting start event to smd, vlan 1

1d08h: AUTH-FEAT-IAL-EVENT: [408d.5cf1.f9a5, Gi2/0/20] New LL Mac: 408d.5cf1.f9a5 from Switch PI

1d08h: AUTH-FEAT-IAL-ERROR: Received 0 if_num for idb

1d08h: AUTH-FEAT-IAL-EVENT: [Gi2/0/20] mac_seen flag value set to 1

1d08h: AUTH-FEAT-SISF-EVENT: NewClient: Found IPv4 binding for 408d.5cf1.f9a5(0x00000000) - 10.44.160.31

1d08h: AUTH-FEAT-SISF-ERROR: [408d.5cf1.f9a5] Invalid ipv6 binding entry returned for (0x00000000)

1d08h: AUTH-FEAT-SISF-ERROR: [408d.5cf1.f9a5] Invalid ipv6 binding entry returned for (0x00000000)

1d08h: AUTH-FEAT-IAL-EVENT: New Client CB returned client_handle = 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [408d.5cf1.f9a5, Gi2/0/20] new_client_cb: domain 1, iif_id 0x14EDBC9A vlan 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT:  client struct with id = 0x9800006E created for 408d.5cf1.f9a5

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: found vlan 1, user count 1 fwd count 0, client count 0, pending delete 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_or_alloc_vlan: Updating vlan 1 New user count 2

1d08h: AUTH-FEAT-IAL-ERROR: Received 0 if_num for idb

1d08h: AUTH-FEAT-IAL-ERROR: Received 0 if_num for idb

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: new_client_cb: removed pre_auth_vlan 1 from smd successful

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] auth_param_change: control enabled 1 cdp bypass enabled 0 static allow 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] auth_param_change: notify 1 oper allow 1 authorized 0 for DATA

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] auth_param_change: notify 1 oper allow 1 authorized 0 for VOICE

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] Is domain valid: Voice vlan is invalid

1d08h: AUTH-FEAT-IAL-EVENT: New Client CB returned client_handle = 2550136942

1d08h: AUTH-FEAT-IAL-EVENT: New Client CB returned client_handle = 1

1d08h: AUTH-FEAT-IAL-EVENT: New Client CB returned client_handle = 1

1d08h: AUTH-FEAT-IAL-EVENT: New Client CB returned client_handle = 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: attr_change_cb: client id 0x00000001

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: start_resp cb called for switchpi with result: 0

Rumack#

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: Session [0x7500006E] Creation Successful

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: attr_change_cb: client id 0x00000001

1d08h: AUTH-FEAT-SWITCH-PM-EVENT: [408d.5cf1.f9a5, Gi2/0/20] mac addr process not notifying SM vlan 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: attr_change_cb: client id 0x00000001

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: attr_change_cb: client id 0x00000001

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: attr_change_cb: updating DOMAIN for client from DATA to DATA

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT:  Update domain for client, old 1 new 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: attr_change_cb: client id 0x00000001

Rumack#

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [00cc.fc42.159b, Gi1/0/1]  cdp delete notify

Rumack#

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [408d.5cf1.f9a5, Gi2/0/20] vlan_plugin: start-fn called for idb Gi2/0/20 mac 408d.5cf1.f9a5 domain 1 vlan_group  vlan 0 is cvv 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [Gi2/0/20] find_vlan_on_port: could not find vlan data for vlan 0

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [408d.5cf1.f9a5, Gi2/0/20] client_set_vlan:  client vlan = 0, domain = 1

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: client_set_vlan: cannot remove vlan before assignment

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: [408d.5cf1.f9a5, Gi2/0/20] apply_vlan: 408d.5cf1.f9a5 assigned vlan 0, rc = success

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: attr_change_cb: client id 0x00000001

1d08h: AUTH-FEAT-SWITCH-CORE-EVENT: unauthorize_cb: client id 0x00000001, port_opened 0x0

Rumack#

*Jan  3 19:45:05: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (408d.5cf1.f9a5) on Interface GigabitEthernet2/0/20 AuditSessionID 0C00FF0A000000786CF0006B. Failure Reason: ACL Failure. Failed attribute name xACSACLx-IP-VLAN160_BOS-5e0f9491.

*Jan  3 19:45:05: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: sessmgrd: Authentication result overridden for client (408d.5cf1.f9a5) on Interface Gi2/0/20 AuditSessionID 0C00FF0A000000786CF0006B


Logs from AnyConnect Network Access Manager:


9:29:20 AM Searching for a Network
9:29:20 AM wired : Authenticating
9:29:32 AM wired : Acquiring IP Address
9:29:32 AM wired : Authenticating
9:30:56 AM wired : Limited or no connectivity
9:30:56 AM wired : Authenticating
9:33:06 AM wired : Acquiring IP Address
9:33:09 AM wired : Connected (192.169.0.116) - incorrect based on the AD group the user is in
9:33:09 AM wired : Connected (10.44.160.12) - correct address, but limited/no connection
9:38:31 AM wired : Authenticating
9:39:07 AM wired : Acquiring IP Address
9:39:12 AM wired : Connected (10.44.160.12)
9:39:12 AM wired : Connected (192.169.0.116)
9:40:41 AM wired : Authenticating
9:40:41 AM wired : Limited or no connectivity
9:41:11 AM Searching for a Network
9:41:11 AM wired : Authenticating
9:41:17 AM wired : Acquiring IP Address
9:41:17 AM wired : Connected (192.169.0.116)
9:41:41 AM wired : Authenticating


This is the ISE config applied to ALL switches:


Exec Mode:

authentication display new-style

Config Mode:

aaa new-model
radius server ISE1
address ipv4 10.40.96.69 auth-port 1812 acct-port 1813
key

!
radius server ISE2
address ipv4 10.40.96.70 auth-port 1812 acct-port 1813
key

!
ip radius source-interface vlan 40   ! changed to VLAN 195 for the site in question
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
radius-server dead-criteria time 5 tries 3
radius-server retry method reorder
aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 15
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting dot1x default start-stop group ISE
aaa session-id common
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
client 10.40.96.16 server-key 0
client 10.40.96.17 server-key 0
!
!
authentication critical recovery delay 1000
!


===========================================

no access-session mac-move deny

===========================================


!
dot1x system-auth-control
!
service-template CRITICAL-ACCESS-VOICE
voice vlan
access-group CRITICAL-AUTH
service-template CRITICAL-ACCESS
access-group CRITICAL-AUTH
!
lldp run
!
class-map type control subscriber match-all CRITICAL-AUTHENITICATED-HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all CRITICAL-UNAUTHENITICATED-HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X-NO-RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-any IN-CRITICAL-AUTH
match activated-service-template CRITICAL-ACCESS
match activated-service-template CRITICAL-ACCESS-VOICE
!
class-map type control subscriber match-all MAB-FAILED
match method mab
match result-type method mab authoritative
!
class-map type control subscriber match-none NOT-IN-CRITICAL-AUTH
match activated-service-template CRITICAL-ACCESS
match activated-service-template CRITICAL-ACCESS-VOICE
!
!
policy-map type control subscriber ISE-POLICY
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event authentication-failure match-first
10 class CRITICAL-UNAUTHENITICATED-HOST do-until-failure
20 activate service-template CRITICAL-ACCESS-VOICE
25 activate service-template CRITICAL-ACCESS
30 authorize
40 pause reauthentication
20 class CRITICAL-AUTHENITICATED-HOST do-until-failure
10 pause reauthentication
20 authorize
30 class DOT1X-NO-RESP do-until-failure
10 terminate dot1x
20 authentication-restart 60
40 class MAB-FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
50 class DOT1X-FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
60 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x priority 10
event aaa-available match-all
10 class IN-CRITICAL-AUTH do-until-failure
10 clear-session
20 class NOT-IN-CRITICAL-AUTH do-until-failure
10 resume reauthentication
!
ip access-list extended CRITICAL-AUTH
permit ip any any
!
ip access-list extended PRE-AUTH
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark Deny everything else
deny ip any any
!
ip access-list extended WEBAUTH-REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any host 10.40.96.16 eq 8443
deny tcp any host 10.40.96.17 eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
!
ip access-list extended POSTURE-REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host 10.40.96.16 eq 8905
deny udp any host 10.40.96.17 eq 8905
deny tcp any host 10.40.96.16 eq 8905
deny tcp any host 10.40.96.17 eq 8905
deny tcp any host 10.40.96.16 eq 8909
deny tcp any host 10.40.96.17 eq 8909
deny udp any host 10.40.96.16 eq 8909
deny udp any host 10.40.96.17 eq 8909
deny tcp any host 10.40.96.16 eq 8443
deny tcp any host 10.40.96.17 eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
!
device-sensor filter-list dhcp list dhcp_list
option name host-name
option name domain-name
option name default-ip-ttl
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-list lldp list lldp_list
tlv name system-name
tlv name system-description
tlv name system-capabilities
device-sensor filter-list cdp list cdp_list
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name platform-type
device-sensor filter-spec dhcp include list dhcp_list
device-sensor filter-spec lldp include list lldp_list
device-sensor filter-spec cdp include list cdp_list
device-sensor notify all-changes
aaa accounting network default start-stop group ISE
access-session accounting attributes filter-list list ISE-SENSOR
protocol cdp
protocol lldp
protocol dhcp
access-session accounting attributes filter-spec list ISE-SENSOR
!
ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules none



********************************************************************

interface GigabitEthernet 2/0/20
switchport host
ip access-group PRE-AUTH in
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
service-policy type control subscriber ISE-POLICY

********************************************************************



TACACS CONFIG

aaa new-model
tacacs server ISE1-TACACS
address ipv4 10.40.96.69
key
single-connection
tacacs server ISE2-TACACS
address ipv4 10.40.96.70
key
single-connection
!
aaa group server tacacs ISE-TACACS
server name ISE1-TACACS
server name ISE2-TACACS

aaa authentication login CONSOLE local-case
aaa authorization exec CONSOLE local
aaa authentication login default group ISE-TACACS local-case
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE-TACACS local if-authenticated
aaa authorization commands 15 default group ISE-TACACS local if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
aaa accounting connection default start-stop group ISE-TACACS
line con 0
authorization exec CONSOLE
logging synchronous
login authentication CONSOLE
!
line vty 0 15
logging synchronous

Any help on this would be great.
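A triage helper, added here as an example and not part of the original post, that pulls the three facts a defender wants out of this debug output: the IPv4 bindings SISF reported per MAC (two different subnets for 408d.5cf1.f9a5), the %SESSION_MGR-5-FAIL record with its failure reason and the dACL name carried in the xACSACLx-IP- attribute, and whether a %DOT1X-5-RESULT_OVERRIDE followed for the same AuditSessionID. The sample lines are copied from the post's own output; the regexes and the dACL-name parsing are assumptions about the formats shown here, not a Cisco API.

```python
"""Triage helper for the IOS-XE auth/SISF debug output shown in the post above."""
import ipaddress
import re
from collections import defaultdict

# Constructed subset of the post's own debug lines (not a full capture).
SAMPLE_LOG = """\
1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 10.44.160.31, mac = 408d.5cf1.f9a5, vlan = 1
1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 10.44.160.31, mac = 408d.5cf1.f9a5, vlan = 1
1d08h: AUTH-FEAT-SISF-EVENT: [408d.5cf1.f9a5, Gi2/0/20] Parameters: idb = Gi2/0/20, addr = 192.169.0.201, mac = 408d.5cf1.f9a5, vlan = 1
*Jan  3 19:45:05: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (408d.5cf1.f9a5) on Interface GigabitEthernet2/0/20 AuditSessionID 0C00FF0A000000786CF0006B. Failure Reason: ACL Failure. Failed attribute name xACSACLx-IP-VLAN160_BOS-5e0f9491.
*Jan  3 19:45:05: %DOT1X-5-RESULT_OVERRIDE: Switch 1 R0/0: sessmgrd: Authentication result overridden for client (408d.5cf1.f9a5) on Interface Gi2/0/20 AuditSessionID 0C00FF0A000000786CF0006B
"""

# Patterns are assumptions derived from the line formats in the post.
SISF_RE = re.compile(
    r"AUTH-FEAT-SISF-EVENT: \[(?P<mac>[0-9a-f.]+), (?P<port>\S+)\] Parameters: "
    r"idb = \S+, addr = (?P<ip>[0-9.]+), mac = [0-9a-f.]+, vlan = (?P<vlan>\d+)")
FAIL_RE = re.compile(
    r"%SESSION_MGR-5-FAIL: .*?for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<port>\S+) "
    r"AuditSessionID (?P<sid>\S+)\. Failure Reason: (?P<reason>[^.]+)\. "
    r"Failed attribute name (?P<attr>\S+?)\.?\s*$")
OVERRIDE_RE = re.compile(
    r"%DOT1X-5-RESULT_OVERRIDE: .*?for client \((?P<mac>[0-9a-f.]+)\) on Interface \S+ "
    r"AuditSessionID (?P<sid>\S+)")
# The switch shows an ISE downloadable ACL as xACSACLx-IP-<dACL name>-<8 hex digit hash>.
DACL_RE = re.compile(r"^xACSACLx-IP-(?P<name>.+)-[0-9a-f]{8}$")


def ip_bindings(lines):
    """Ordered, de-duplicated IPv4 addresses that SISF reported for each MAC."""
    seen = defaultdict(list)
    for line in lines:
        m = SISF_RE.search(line)
        if m and m["ip"] not in seen[m["mac"]]:
            seen[m["mac"]].append(m["ip"])
    return dict(seen)


def authz_failures(lines):
    """Every SESSION_MGR-5-FAIL record, with the dACL name split out of the failed attribute."""
    out = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            rec = m.groupdict()
            d = DACL_RE.match(rec["attr"])
            rec["dacl"] = d["name"] if d else None
            out.append(rec)
    return out


def overridden_sessions(lines):
    """(mac, AuditSessionID) pairs for which the switch overrode the authentication result."""
    return {(m["mac"], m["sid"]) for m in map(OVERRIDE_RE.search, lines) if m}


def triage(text):
    """Correlate each authorization failure with its override event and the IPs seen on that MAC."""
    lines = text.splitlines()
    ips = ip_bindings(lines)
    overrides = overridden_sessions(lines)
    findings = []
    for f in authz_failures(lines):
        seen = ips.get(f["mac"], [])
        # Rough /24 grouping: two addresses from different /24s on one MAC is the symptom in the post.
        nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in seen}
        findings.append({
            "mac": f["mac"], "port": f["port"], "session": f["sid"],
            "reason": f["reason"], "dacl": f["dacl"],
            "result_overridden": (f["mac"], f["sid"]) in overrides,
            "ips_seen": seen, "multiple_subnets": len(nets) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        for key, value in finding.items():
            print(f"{key:>18}: {value}")
```

The result_overridden flag pairs the ACL failure with the override event that followed it for the same session, which is the sequence to check whenever a port ends up with an unexpected address.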
