Hello, I am running closed mode on my switchports. I have an issue where some clients come in in the morning, try to login, and will not get network access. I see that this is because they do not get an IP address. I am using MAB for authentication currently. They appear to MAB correctly and get Authorized in ISE, but they do not get an IP. Therefore, they also do not get the DACL of permit ANY. It's like the port gets de-authenticated during the night. Usually when the machine is rebooted it will come up with an IP address. Here is my switchport config...
switchport access vlan 32
switchport mode access
switchport voice vlan 64
logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 32
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer restart 600
authentication timer reauthenticate 7200
authentication violation restrict
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10
dot1x timeout ratelimit-period 300
dot1x timeout held-period 300
service-policy input QoS-Input-Policy
service-policy output QoS-Host-Port-Output-Policy
Is the problem that the dACL isn't downloaded? What about the rest of the switch configuration, do you have the two commands:
radius-server vsa send, ip device-tracking
Thanks Jimmy, I do have both of those commands.
It appears that the client isn't getting an IP, which leads to the DACL not being downloaded. It's like the port isn't authenticated fast enough for the machine to get an IP. But I have moved MAB to the front of the auth order and it seems to happen pretty quickly.
Did you check whether adding an ACL on the interface (switch port) like the following:
ip access-list extended ACL-TEST
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any any eq tftp
deny ip any any log
ip access-group ACL-TEST in
and then from your ISE configuration (Authorization Profile), you can overwrite the applied ACL on the physical interface with a DACL (like permit ip any any), and check if this will work?
The DACL is a separate process from the IP address acquirement that the host goes through. It shouldn't matter whether the client has an IP address or not, the DACL is sent to the switch and then it permits the necessary traffic.
When you say they "don't get the DACL," what exactly do you mean? The session on the port doesn't show the DACL?
If you can, when a client is having this issue (no IP but has been successfully authenticated via MAB), run the following commands on the switch:
switch# show authentication sessions interface <problem_client_interface>
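Added example, not from anyone in this thread: a small Python helper that parses the `show authentication sessions interface` output requested above and flags the exact state described (MAB Authz Success, but IP Address Unknown and no ACS ACL on the session). The sample output is constructed, and the field names assume the classic IOS layout; adjust them if your platform prints different labels.

```python
import re

# Constructed sample of `show authentication sessions interface` output for one
# session in the state the thread describes: MAB authorized, no IP, no dACL.
SAMPLE_NO_IP = """\
            Interface:  GigabitEthernet1/0/12
          MAC Address:  0011.2233.4455
           IP Address:  Unknown
            User-Name:  00-11-22-33-44-55
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  7200s (server), Remaining: 6100s
       Timeout action:  Reauthenticate
    Common Session ID:  0A0A0A010000000C0001C2B0
               Handle:  0x2A000002

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""

# "Label:  value" lines; the label may contain spaces, slashes and hyphens.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]+?):\s+(.*?)\s*$")

def parse_session(text):
    """Return the 'Field: value' pairs of one session block as a dict."""
    fields = {}
    for line in text.splitlines():
        if "Runnable methods" in line:   # method table is not key/value
            break
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def diagnose(text):
    """'ok' = authorized with IP and dACL; 'no-ip' = the thread's symptom;
    'no-dacl' = IP learned but no ACS ACL applied; 'unauthorized' otherwise."""
    f = parse_session(text)
    authorized = f.get("Status", "").startswith("Authz Success")
    has_ip = f.get("IP Address", "Unknown") not in ("Unknown", "")
    has_dacl = "ACS ACL" in f          # dACL name shows up as "ACS ACL:"
    if not authorized:
        return "unauthorized"
    if has_ip and has_dacl:
        return "ok"
    return "no-ip" if not has_ip else "no-dacl"
```

A "no-ip" result on an Authz Success session points at DHCP timing or device tracking rather than at ISE policy, which is the distinction being asked about here.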
Thanks, here is the requested output of an Unauthorized client. I had to configure authentication open so they could still get access...