Do people generally enable automatic re-authentication? I am having issues with re-authentication overnight when users are not logged in to their machines. They come in the next morning to find their machine authenticated but unauthorized. I am running in closed mode, so they don't get an IP address at that point. Thanks.
Thanks Michael. I ended up disabling the reauth earlier because the issue was just too random and I didn't have time for a deep dive.
But I am doing just MAB currently. They were authenticated, but not authorized because the DACL wasn't getting applied because they weren't getting an IP address. Since I'm running in closed mode, they weren't getting an IP address that could be applied to the DACL, so it was a double issue. No IP, no DACL.
Do you have the pre-auth ACL on the switchport? And is it allowing DNS and DHCP?
DHCP requests are sent prior to ISE coming into play.
Additionally, the DACL has nothing to do with the IP address of the machine; the DACL is strictly between the switch and ISE. However, I do see what you're getting at with the DACL not having the IP of the machine.
If there is no IP, I would start by checking the pre-auth ACL on the switch and the DACL that is applied to the MAB sessions.
I am running in closed mode, so there is not a pre-auth DACL on the port. I guess I could put one that allowed DHCP, but the main reason I moved to closed mode is because I'm doing a lot of dynamic VLAN assignment, and having DHCP allowed would cause issues with clients who need to have their VLAN changed.
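The thread above turns on two settings: whether a closed-mode MAB port has a pre-auth ACL that lets DHCP and DNS through before ISE authorizes the session, and whether reauthentication is driven by a local timer or by ISE. The following IOS switchport configuration is an added example written for this thread, not a config posted by any of the participants. The interface name, ACL name and VLAN number are placeholders, and it assumes the usual global `aaa` and RADIUS server configuration for ISE is already in place.

```cisco
! Added example (not from the thread): a closed-mode MAB port that still lets
! the client obtain an address before ISE authorizes the session.
! Interface, ACL name and VLAN below are placeholders, not values from the thread.

! The switch must learn the client's IP to populate the DACL with it;
! on IOS 15.x this is the global "ip device tracking" command (assumed platform).
ip device tracking

! Pre-auth ACL: only DHCP and DNS are permitted before authorization succeeds.
ip access-list extended PRE-AUTH-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any

interface GigabitEthernet1/0/1
 description Closed-mode MAB port (placeholder interface)
 switchport mode access
 switchport access vlan 10
 ! No "authentication open" here, so the port stays in closed mode.
 authentication host-mode single-host
 authentication order mab
 authentication port-control auto
 ! Reauthentication is enabled, but the interval comes from the RADIUS
 ! Session-Timeout that ISE returns rather than from a local timer.
 ! Removing "authentication periodic" disables reauthentication entirely,
 ! which is what the original poster chose to do.
 authentication periodic
 authentication timer reauthenticate server
 mab
 ! The pre-auth ACL governs the port until the session is authorized and
 ! the ISE-supplied DACL takes its place.
 ip access-group PRE-AUTH-ACL in
```

The trade-off raised in the last post still applies: with DHCP allowed before authorization, a client can take a lease on the port's configured access VLAN before ISE assigns a different VLAN, so this pre-auth ACL suits ports where the VLAN does not change on authorization. Where dynamic VLAN assignment is in use, leave the ACL off (the closed-mode default) and instead confirm that the switch sees the client's IP after authorization, since without it the DACL cannot be programmed for that session.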