12-17-2019 07:29 AM
Seeing an issue on 4000IE switches, and others, with the Identity Services Engine authentication setup not learning the MAC address of the client. Running 152-4.EA9 on the 4k switch with the auth config below.
I suspect devices are not permitted to talk on the network until authenticated, but with the switch port not learning the MAC of the client, that never occurs. I don't want to start statically assigning addresses to ports, and the security team would like all ports to be authenticated. Anyone else seeing this issue?
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
12-17-2019 07:36 AM
- For starters, check the relevant authentication logs on ISE and see what happens when the client tries to authenticate.
M.
12-17-2019 08:22 AM
Mark, the switch port never learns the MAC address, and hence no authentication is performed. ISE never gets the request to authenticate the port. If I force the switch to learn the MAC via alternate methods, i.e. static assignment, ISE performs as expected.
The switch port sees that the device is connected, in that the port comes up, but it never learns the client MAC address.
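The diagnosis above separates three stages: the switch never sees a frame from the client (no MAC on the port), a MAC is present but no authentication session was started (port authenticator config), or a session exists and ISE decides the outcome. The script below is an added example, not code from this thread or from Cisco: it parses the output of `show mac address-table` and `show authentication sessions` on IOS and reports which stage a given port is stuck in. The show-command outputs embedded in it are constructed for the example, as are the port names, MACs and session IDs.

```python
"""Triage an 802.1X/MAB port that appears not to learn the client MAC.

Added example, not code from the thread. Parses two IOS show-command outputs
and classifies where the authentication chain stalls for one port:
  no-mac                 -> switch never saw a frame from the client, MAB/dot1x cannot start
  mac-no-session         -> MAC present but no auth session: look at the port's auth config
  session-not-authorized -> session exists but is not in Auth state: check ISE live logs
  authorized             -> port is authorized
"""
import re

# Sample outputs below are CONSTRUCTED for this example (assumed ports/MACs).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.0001    DYNAMIC     Gi1/1
  10    0050.56aa.0002    DYNAMIC     Gi1/2
  10    0050.56aa.0004    STATIC      Gi1/4
Total Mac Addresses for this criterion: 3
"""

AUTH_SESSIONS = """\
Interface    MAC Address    Method  Domain  Status Fg  Session ID
Gi1/1        0050.56aa.0001 mab     DATA    Auth       0A0A0A0A000000010000ABCD
Gi1/4        0050.56aa.0004 mab     DATA    Unauth     0A0A0A0A000000020000ABCE
"""

_MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
# "<vlan> <mac> <type> <port>" rows; header and "Total ..." lines do not match.
MAC_RE = re.compile(r"^\s*(\d+)\s+" + _MAC + r"\s+(\S+)\s+(\S+)\s*$", re.I | re.M)
# "<iface> <mac> <method> <domain> <status> ..." rows of show authentication sessions.
SESSION_RE = re.compile(r"^(\S+)\s+" + _MAC + r"\s+(\S+)\s+(\S+)\s+(\S+)", re.I | re.M)


def norm_port(name):
    """Map 'GigabitEthernet1/0/1' and 'Gi1/0/1' to one lowercase short form."""
    n = name.strip().lower()
    for long, short in (("tengigabitethernet", "te"), ("gigabitethernet", "gi"),
                        ("fastethernet", "fa")):
        if n.startswith(long):
            n = short + n[len(long):]
    return n


def parse_mac_table(text):
    """Return {port: [{'vlan', 'mac', 'type'}, ...]} from show mac address-table."""
    table = {}
    for vlan, mac, kind, port in MAC_RE.findall(text):
        table.setdefault(norm_port(port), []).append(
            {"vlan": int(vlan), "mac": mac.lower(), "type": kind.upper()})
    return table


def parse_auth_sessions(text):
    """Return {port: [{'mac', 'method', 'domain', 'status'}, ...]}."""
    sessions = {}
    for iface, mac, method, domain, status in SESSION_RE.findall(text):
        sessions.setdefault(norm_port(iface), []).append(
            {"mac": mac.lower(), "method": method, "domain": domain, "status": status})
    return sessions


def triage(port, mac_table_text, sessions_text):
    """Classify one port; returns (stage, human-readable detail)."""
    p = norm_port(port)
    macs = parse_mac_table(mac_table_text).get(p, [])
    sessions = parse_auth_sessions(sessions_text).get(p, [])
    if not macs:
        return ("no-mac", "no MAC entry on the port: the switch never saw a frame "
                          "from the client, so neither MAB nor dot1x can start")
    how = "static (workaround)" if all(m["type"] == "STATIC" for m in macs) else "learned"
    mac_list = ", ".join(m["mac"] for m in macs)
    if not sessions:
        return ("mac-no-session", f"MAC {mac_list} is {how} but no authentication "
                                  "session exists: check the port's authentication/mab/dot1x config")
    statuses = sorted({s["status"] for s in sessions})
    if any(s != "auth" for s in (x.lower() for x in statuses)):
        return ("session-not-authorized", f"session present for {mac_list} with status "
                                          f"{statuses}: check the ISE live logs for this MAC")
    return ("authorized", f"{len(sessions)} authorized session(s) for {mac_list} ({how} MAC)")


if __name__ == "__main__":
    for port in ("Gi1/1", "Gi1/2", "Gi1/3", "Gi1/4"):
        stage, detail = triage(port, MAC_TABLE, AUTH_SESSIONS)
        print(f"{port}: {stage} - {detail}")
```

In the constructed data, Gi1/3 reproduces the situation described above (port up, nothing in the MAC table, so ISE is never contacted), while Gi1/4 shows the static-assignment workaround producing a session that ISE then has to decide on. Feed the script real captures of the two commands to get the same classification for a production port.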
12-17-2019 09:23 AM
- You are using quite a lot of port options (settings); you should walk the 'settings tree' either top-down or bottom-up to see where the problems start.
M.
09-12-2023 09:07 AM
Hi,
I have this issue also. What was the problem?