SW C3750 Logs authentication ISSUE

Hi!

Using ISE 2.4 & Switch Cisco Catalyst 3750.

 

I have a client (computer) in my network on which, days ago, flashing occurred in the ethernet service, but it only happened on this host. I had to configure the command "authentication open" on the interface so it could authenticate correctly, but on the switch the following logs appear:

Jul  6 10:20:13.418: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID AC11851000001D6D116C3FE5| EVENT APPLY

Jul  6 10:20:14.435: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID | EVENT APPLY (SW_16-2)

Jul  6 10:20:14.443: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID | EVENT APPLY (SW_16-3)

Jul  6 10:20:14.426: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID | EVENT APPLY (SW_16-4)

Jul  6 10:22:20.149: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID AC11851000001D6E116E5B7C| EVENT APPLY

Jul  6 10:22:21.443: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID | EVENT APPLY (SW_16-2)

Jul  6 10:22:21.443: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID | EVENT APPLY (SW_16-3)

Jul  6 10:22:21.443: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID | EVENT APPLY (SW_16-4)

 

I am a beginner in authentication configuration topics and I have only read that %EPM-6-POLICY could be something related to the Enforcement Policy Module (EPM) and that part of the log can be correlated inside Cisco ISE, but I'm not sure. I checked in ISE but there are no logs with a warning or anything else about the MAC of that device.

This event only happens on this host, not on any other host assigned to the same VLAN.

 

Here is the interface configuration:

 

interface GigabitEthernet1/0/5
description Datos9
switchport access vlan 9
switchport mode access
switchport nonegotiate
switchport voice vlan 915
srr-queue bandwidth share 10 80 5 5
priority-queue out
no cdp enable
authentication event server dead action authorize
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication violation protect
mls qos trust cos
dot1x pae authenticator
dot1x max-req 5
no mdix auto
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 10
end

 

If I leave out the "authentication open" command, the host has no network.

Can someone please help me and tell me if there is a problem with the client (computer) or in ISE/Switch?

 

Thanks
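The %EPM-6-POLICY_REQ lines in the post can be summarised per MAC to see how the port behaves over time. The following is an added example (not code from the thread or from Cisco), built around the log format shown above; the fifth sample line with MAC 0011.2233.4455 is invented for contrast. One MAC collecting a fresh AuditSessionID every couple of minutes, with no IP ever learned, is consistent with a port that keeps re-authenticating rather than a single bad policy apply, which is the pattern to correlate with the switch's dot1x/MAB logs and the ISE RADIUS Live Logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the %EPM-6-POLICY_REQ format shown in the post. AuditSessionID may be blank.
EPM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %EPM-6-POLICY_REQ: "
    r"IP (?P<ip>[^|\s]+)\| MAC (?P<mac>[^|\s]+)\| AuditSessionID (?P<sid>[^|\s]*)\| "
    r"EVENT (?P<event>.+)$"
)

# Constructed sample: the first four lines mirror the post's entries for MAC
# 6041.785c.ad11; the last line is an invented, healthy-looking host for contrast.
SAMPLE_LOG = """\
Jul  6 10:20:13.418: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID AC11851000001D6D116C3FE5| EVENT APPLY
Jul  6 10:20:14.435: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID | EVENT APPLY (SW_16-2)
Jul  6 10:22:20.149: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID AC11851000001D6E116E5B7C| EVENT APPLY
Jul  6 10:22:21.443: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 6041.785c.ad11| AuditSessionID | EVENT APPLY (SW_16-3)
Jul  6 10:25:00.000: %EPM-6-POLICY_REQ: IP 10.0.9.20| MAC 0011.2233.4455| AuditSessionID AC11851000001D70116F0000| EVENT APPLY
"""


def parse_ts(ts):
    """Parse the syslog timestamp (no year; only differences are used)."""
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def parse_epm(log_text):
    """Return EPM policy events grouped by MAC address, in log order."""
    by_mac = defaultdict(list)
    for line in log_text.splitlines():
        m = EPM_RE.match(line)
        if m:
            by_mac[m["mac"]].append(m.groupdict())
    return by_mac


def summarize(log_text, churn_window_s=300):
    """Per MAC: number of policy applies, distinct sessions, blank session IDs,
    whether an IP was ever learned, and whether new sessions appear within
    churn_window_s seconds of each other (the port is cycling)."""
    findings = {}
    for mac, events in parse_epm(log_text).items():
        sids = {e["sid"] for e in events if e["sid"]}
        times = [parse_ts(e["ts"]) for e in events]
        span = (max(times) - min(times)).total_seconds()
        findings[mac] = {
            "events": len(events),
            "sessions": len(sids),
            "blank_session_id": sum(1 for e in events if not e["sid"]),
            "ip_never_learned": all(e["ip"] == "0.0.0.0" for e in events),
            "session_churn": len(sids) > 1 and span <= churn_window_s,
        }
    return findings


if __name__ == "__main__":
    for mac, f in summarize(SAMPLE_LOG).items():
        print(mac, f)
```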

Accepted Solution

pieterh (VIP)

"authentication open" means allow access even when authentication (first A) and authorization (second A) fail.

This log is about "audit", which is the last "A" in AAA.

So I don't think you are looking at the right log entries; there must be other logs before this that can indicate why the host is not allowed access.

If this is a server host, it may have a NIC where a management card (ILO, CIMC, iDRAC) shares the same physical connector with a data interface, which results in two MAC addresses used on the same port.

 

Try changing Multiple Domain Authentication to Multiple Authentication.
