08-03-2022 05:03 AM - edited 08-03-2022 05:28 AM
Hi community. First, I'm studying ISE, so I'm simply a beginner. However, I've managed to integrate my NADs with TACACS+ and authenticate with AD.
It's a pure lab setup with one ISE 3.1, 4 switches, and a DC with a CA.
Client1 (Win10) has its certificate pushed from GPO and is attached to the interface.
Client2: printer.
Client3: Android device.
All 3 clients have internet access.
I'd like to authenticate with dot1x on the switchport, but after several attempts I still have no endpoints visible in ISE or anything in the live logs. I think it's the switch config, as the endpoints are in the device-tracking database on the switch.
It's kind of a big mouthful, but I need to start somewhere.
ISE 3.1 is in VLAN 3, 192.168.3.120
Clients are in VLAN 2, 192.168.2.0/24
DC is in VLAN 2, 192.168.2.82, and OSPF is enabled on the switches.
I hope you are able to help.
Some information to begin with:
The SW 3650 is NOT licensed (could this be a problem?)
labsw2#sh device-tracking database
Binding Table has 6 entries, 5 dynamic (limit 100000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
L 192.168.2.251 00f2.8b47.3d77 Vl2 2 0100 201mn REACHABLE
ARP 192.168.2.231 0021.cc72.70d9 Gi1/0/1 2 0005 5s REACHABLE N/A
ARP 192.168.2.102 b422.0023.3854 Gi1/0/2 2 0005 4mn REACHABLE N/A
ARP 192.168.2.54 0004.4bfb.2253 Gi1/0/3 2 0005 82s REACHABLE N/A
ND FE80::B622:FF:FE23:3854 b422.0023.3854 Gi1/0/2 2 0005 4mn REACHABLE N/A
ND FE80::4467:5437:A836:5A0A 0021.cc72.70d9 Gi1/0/1 2 0005 9mn REACHABLE N/A
labsw2#
labsw2#sh authentication se
labsw2#sh authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/3 0004.4bfb.2253 mab UNKNOWN Auth C0A802FB000000256374F7FD
Gi1/0/1 0021.cc72.70d9 dot1x UNKNOWN Auth C0A802FB0000002763752D71
Gi1/0/2 b422.0023.3854 mab UNKNOWN Auth C0A802FB0000002663750C99
Session count = 3
Key to Session Events Blocked Status Flags:
A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker
labsw2#
labsw2#sh authentication sessions in gi 1/0/1 det
Interface: GigabitEthernet1/0/1
IIF-ID: 0x114136F0
MAC Address: 0021.cc72.70d9
IPv6 Address: fe80::4467:5437:a836:5a0a
IPv4 Address: 192.168.2.231
Status: Authorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 86400s (local), Remaining: 85415s
Common Session ID: C0A802FB0000002763752D71
Acct Session ID: 0x00000005
Handle: 0x9100001d
Current Policy: POLICY_Gi1/0/1
Local Policies:
Service Template: DEFAULT_CRITICAL_VOICE_TEMPLATE (priority 150)
Voice Vlan: Vlan: 4096
Service Template: CRITICAL_AUTH_VLAN_Gi1/0/1 (priority 150)
Vlan Group: Vlan: 2
Idle timeout: 65536 sec
Server Policies:
Method status list:
Method State
dot1x Authc Failed
labsw2#
labsw2#sh ver
Cisco IOS XE Software, Version 16.12.05b
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.5b,
ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 4.76, RELEASE SOFTWARE (P)
------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
ipbasek9 Smart License ipbasek9
None Subscription Smart License None
Smart Licensing Status: UNREGISTERED/EVAL EXPIRED
Base Ethernet MAC Address :
Motherboard Assembly Number :
Motherboard Serial Number :
Model Revision Number : K0
Motherboard Revision Number : B0
Model Number : WS-C3650-48PD
System Serial Number :
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 52 WS-C3650-48PD 16.12.05b CAT3K_CAA-UNIVERSALK9 INSTALL
Configuration register is 0x102
labsw2#
Br- Kasper
08-03-2022 06:34 AM
Hi,
You are missing the command which tells the switch which group to use for dot1x authentication.
aaa authentication dot1x default group ISE-Radius-group
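The one global line above is necessary but not sufficient: the switch also needs a RADIUS server object in that group, network authorization and accounting pointed at the same group, a consistent RADIUS source address, and 802.1X enabled globally before any Access-Request reaches ISE. As an added example (not part of this thread, and not Cisco's or the poster's configuration), here is a complete legacy-style IOS-XE configuration for the lab described in the original post. The server name ISE-PSN1, the shared secret placeholder, the choice of Vlan2 as the RADIUS source interface, and the use of VLAN 2 as the critical-auth VLAN are assumptions; the IP addresses are the ones given in the post.

```cisco
! Added example (not from the thread). ISE-PSN1 and the shared secret are
! placeholders; addresses match the lab in the original post.
aaa new-model
!
! RADIUS server object for the ISE PSN (192.168.3.120 in the lab)
radius server ISE-PSN1
 address ipv4 192.168.3.120 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server radius ISE-Radius-group
 server name ISE-PSN1
!
! Authentication alone is not enough: without "authorization network" the
! switch ignores any VLAN or dACL ISE returns, and without accounting ISE
! never learns the session's IP address.
aaa authentication dot1x default group ISE-Radius-group
aaa authorization network default group ISE-Radius-group
aaa accounting dot1x default start-stop group ISE-Radius-group
!
! Change of Authorization from ISE (reauth, port bounce); key must match
! the Network Device entry in ISE.
aaa server radius dynamic-author
 client 192.168.3.120 server-key REPLACE_WITH_SHARED_SECRET
!
! Source all RADIUS traffic from one SVI. The Network Device entry for this
! switch in ISE must use this IP (192.168.2.251 in the post's output);
! a request from an unknown NAD IP is dropped by ISE and never appears
! in the live logs.
ip radius source-interface Vlan2
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 10
!
! Global 802.1X enable; without it every port stays force-authorized and
! no EAPOL or RADIUS is ever sent.
dot1x system-auth-control
!
! Same template for the Win10 client, the printer and the Android device:
! dot1x first, MAB fallback, and VLAN 2 if ISE is unreachable.
interface range GigabitEthernet1/0/1 - 3
 switchport mode access
 switchport access vlan 2
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication event server dead action authorize vlan 2
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After applying this, `show aaa servers` should list ISE-PSN1 as UP with non-zero request counters, and `test aaa group ISE-Radius-group testuser testpass new-code` sends a synthetic Access-Request that must appear in the ISE live logs (as a failure, which is fine) if reachability, NAD IP and shared secret are correct; if nothing appears there, the problem is between switch and ISE, not in the policy set. Two caveats: the `Current Policy: POLICY_Gi1/0/1` and the `CRITICAL_AUTH_VLAN_Gi1/0/1` service template in the original post are what the switch shows when it is displaying the configuration in IBNS 2.0 new-style, where the interface lines above appear as `access-session` commands under an auto-generated `policy-map type control subscriber`; the global AAA, RADIUS and `dot1x system-auth-control` pieces are identical either way. And the `dot1x Authc Failed` combined with the critical-auth templates in that output is exactly what a port looks like when the RADIUS server is treated as dead, which fits a switch that cannot reach, or is not accepted by, ISE.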
08-03-2022 07:49 AM
Hi PradeepSingh, and thanks for taking the time to help me.
I have entered the command, and by making the policy set a bit "wide" with a default permit access at the end, I was able to get it to authenticate. I still need to set up the policy set for the certificate, but I haven't figured this out yet.
However, I still don't see any endpoints in ISE?
Br. Kasper
08-07-2022 01:56 AM
Update.
I have played around with the VMware machine's settings, copied it from one host to another, and changed the CPU and RAM settings. I knew I shouldn't do that, but I didn't think it mattered so much in a lab environment. Now we know :-)
Story short, it crashed on a startup one morning. So I reinstalled a new ISE and changed it to the same VLAN/subnet as my clients.
Now I have endpoints registering on the fly.
BR. Kasper