ISE3.1 shows no endpoints

Kasper Elsborg
Level 1

Hi community. First, I'm studying the ISE, so I'm simply a beginner. However, I've managed to integrate my NADs with TACACS+ and authenticating with AD.

It's a pure lab setup, with an ISE 3.1 and 4 switches, a DC with a CA.

Client1 (Win10) has its certificate pushed from GPO and is attached to the if.

Client2: printer

Client3: Android device

All 3 clients have internet access

I'd like to authenticate with dot1x on the switchport, but after several attempts I still have no endpoints visible in ISE or anything in the live logs. I think it's the switch config, as the endpoints are in the device-tracking database on the switch.

It's kind of a big mouthful, but I need to start somewhere.

ISE 3.1 is in VLAN 3, 192.168.3.120

Clients are in VLAN 2, 192.168.2.0/24

DC in VLAN 2, 192.168.2.82, and OSPF is enabled on the switches.

I hope you are able to help

Some information to begin with:

The SW 3650 is NOT licensed (could this be a problem?)

labsw2#sh device-tracking database 
Binding Table has 6 entries, 5 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match     0002:Orig trunk            0004:Orig access           
0008:Orig trusted trunk    0010:Orig trusted access   0020:DHCP assigned         
0040:Cga authenticated     0080:Cert authenticated    0100:Statically assigned   


    Network Layer Address               Link Layer Address Interface        vlan prlvl  age   state     Time left        
L   192.168.2.251                           00f2.8b47.3d77  Vl2               2  0100  201mn REACHABLE                   
ARP 192.168.2.231                           0021.cc72.70d9  Gi1/0/1           2  0005    5s  REACHABLE  N/A              
ARP 192.168.2.102                           b422.0023.3854  Gi1/0/2           2  0005    4mn REACHABLE  N/A              
ARP 192.168.2.54                            0004.4bfb.2253  Gi1/0/3           2  0005   82s  REACHABLE  N/A              
ND  FE80::B622:FF:FE23:3854                 b422.0023.3854  Gi1/0/2           2  0005    4mn REACHABLE  N/A              
ND  FE80::4467:5437:A836:5A0A               0021.cc72.70d9  Gi1/0/1           2  0005    9mn REACHABLE  N/A              

labsw2#

labsw2#sh authentication se
labsw2#sh authentication sessions 
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/3                  0004.4bfb.2253 mab     UNKNOWN Auth        C0A802FB000000256374F7FD
Gi1/0/1                  0021.cc72.70d9 dot1x   UNKNOWN Auth        C0A802FB0000002763752D71
Gi1/0/2                  b422.0023.3854 mab     UNKNOWN Auth        C0A802FB0000002663750C99

Session count = 3

Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

labsw2#
labsw2#sh authentication sessions in gi 1/0/1 det
            Interface:  GigabitEthernet1/0/1
               IIF-ID:  0x114136F0
          MAC Address:  0021.cc72.70d9
         IPv6 Address:  fe80::4467:5437:a836:5a0a
         IPv4 Address:  192.168.2.231
               Status:  Authorized
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
  Acct update timeout:  86400s (local), Remaining: 85415s
    Common Session ID:  C0A802FB0000002763752D71
      Acct Session ID:  0x00000005
               Handle:  0x9100001d
       Current Policy:  POLICY_Gi1/0/1


Local Policies:
        Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
           Voice Vlan:  Vlan: 4096
        Service Template: CRITICAL_AUTH_VLAN_Gi1/0/1 (priority 150)
           Vlan Group:  Vlan: 2
         Idle timeout: 65536 sec

Server Policies:


Method status list:
       Method           State
        dot1x           Authc Failed

labsw2#

labsw2#sh ver
Cisco IOS XE Software, Version 16.12.05b
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b, 
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.76, RELEASE SOFTWARE (P)

------------------------------------------------------------------------------
Technology-package                                     Technology-package
Current                        Type                       Next reboot  
------------------------------------------------------------------------------
ipbasek9                Smart License                    ipbasek9            
None                    Subscription Smart License       None                          


Smart Licensing Status: UNREGISTERED/EVAL EXPIRED



Base Ethernet MAC Address          : 
Motherboard Assembly Number        :
Motherboard Serial Number          : 
Model Revision Number              : K0
Motherboard Revision Number        : B0
Model Number                       : WS-C3650-48PD
System Serial Number               : 

          
Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 52    WS-C3650-48PD      16.12.05b         CAT3K_CAA-UNIVERSALK9 INSTALL


Configuration register is 0x102

labsw2#

Br. Kasper

Accepted Solution

Kasper Elsborg
Level 1

Update.

I have played around with the VMware machine settings, copied it from one host to another, and changed CPU and RAM settings. I knew I shouldn't do that, but I didn't think it mattered so much in a lab environment. Now we know :-)

Story short, it crashed on startup one morning. So I reinstalled a new ISE and changed it to the same VLAN/subnet as my clients.

Now I have endpoints registering on the fly.

BR. Kasper


3 Replies

PradeepSingh
Level 1

Hi,

You are missing the command which tells the switch which group to use for dot1x authentication.

aaa authentication dot1x default group ISE-Radius-group

 
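For context, here is a minimal IOS-XE 16.12 AAA/dot1x configuration showing where that command sits relative to the RADIUS server definition, the server group and the access port. This is an added example, not configuration from the thread: the group name ISE-Radius-group and the ISE address come from the posts above, while the server name ISE31, the shared-secret placeholder, the timers and the interface settings are assumptions.

```cisco
! --- Global AAA (added example; names other than ISE-Radius-group are assumed) ---
aaa new-model
!
radius server ISE31
 address ipv4 192.168.3.120 auth-port 1812 acct-port 1813
 key LAB_SHARED_SECRET_PLACEHOLDER
!
aaa group server radius ISE-Radius-group
 server name ISE31
!
! Without the next line the switch has no RADIUS method for dot1x, so no
! Access-Request ever reaches ISE and no endpoint or live-log entry appears.
aaa authentication dot1x default group ISE-Radius-group
aaa authorization network default group ISE-Radius-group
aaa accounting dot1x default start-stop group ISE-Radius-group
!
! Declare the server dead after 3 missed retries within 5 s; keep it dead 10 min.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! Enable the 802.1X authenticator globally (disabled by default).
dot1x system-auth-control
!
! --- Access port towards Client1 (settings assumed) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 2
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Critical-auth fallback: when every RADIUS server is dead the port is
 ! authorized into VLAN 2 without any identity check. That fallback is what
 ! produced the "Authorized" + "Authc Failed" sessions and the
 ! CRITICAL_AUTH_VLAN template in the original post. Keep it only if that
 ! availability trade-off is intended, and alert on it when it triggers.
 authentication event server dead action authorize vlan 2
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
```

On this switch the session output shows new-style policy names (POLICY_Gi1/0/1), so the legacy interface commands above are displayed as an auto-converted policy-map in the running configuration.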

Kasper Elsborg
Level 1

Hi PradeepSingh, and thanks for taking the time to help me.

I have entered the command, and by making the policy set a bit "wide" with a default permit access at the end, I was able to get it to authenticate. I still need to set up the policy set for the certificate, but I haven't figured this out yet.

However, I still don't see any endpoints in ISE?

Br. Kasper
