Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Cisco ISE 1.2, Clients not getting IP address in closed mode

Hello, I am running closed mode on my switchports. I have an issue where some clients come in in the morning, try to login, and will not get network access. I see that this is because they do not get an IP address. I am using MAB for authentication currently. They appear to MAB correctly and get Authorized in ISE, but they do not get an IP. Therefore, they also do not get the DACL of permit ANY. It's like the port gets de-authenticated during the night. Usually when the machine is rebooted it will come up with an IP address. Here is my switchport config...

 switchport access vlan 32
 switchport mode access
 switchport voice vlan 64
 logging event link-status
 authentication event fail action next-method
 authentication event server dead action authorize vlan 32
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 600
 authentication timer reauthenticate 7200
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 300
 dot1x timeout held-period 300
 service-policy input QoS-Input-Policy
 service-policy output QoS-Host-Port-Output-Policy
end

9 REPLIES
Community Member

Is the problem that the dACL

Is the problem that the dACL isn't downloaded? What about the rest of the switch configuration, do you have the two commands:

radius-server vsa send, ip device-tracking

 

Community Member

Thanks Jimmy, I do have both

Thanks Jimmy, I do have both of those commands.

It appears that the client isn't getting an IP, which leads to the DACL not being downloaded. It's like the port isn't authenticated fast enough for the machine to get an IP. But I have moved MAB to the front of the auth order and it seems to happen pretty quickly.

Community Member

Did you check if you add an

Did you check if you add an ACL on the interface (switch port) like the following:

ip access-list extended ACL-TEST
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any any eq tftp
 deny   ip any any log 

interface g1/0/x

 ip access-group ACL-TEST in

 

and then from your ISE configuration (Authorization Profile), you can over write the applied ACL on the physical interface, with DACL (like permit ip any any), and check if this will work?

Community Member

Ahmad, I am running in closed

Ahmad,

 

I am running in closed mode, so doesn't that mean that a pre-auth ACL is not required nor used?

Community Member

The DACL is a separate

The DACL is a separate process from the IP address acquirement that the host goes through. It shouldn't matter whether the client has an IP address or not, the DACL is sent to the switch and then it permits the necessary traffic. 

 

When you say they "dont' get the DACL," what exactly do you mean? The session on the port doesn't show the DACL? 

If you can, when a client is having this issue (no IP but has been successfully authenticated via MAB), run the following commands on the switch: 

switch# show authentication sessions interface <problem_client_interface>

switch# sh ip access-lists interface <problem_client_interface>

switch# show access-list <problem_client_interface>

Community Member

Thanks, here is the requested

Thanks, here is the requested output of an Unauthorized client. I had to configure authentication open so they could still get access...

 

SJ5051IDF1#show authen sess int g2/20 d
            Interface:  GigabitEthernet2/20
          MAC Address:  d4be.d94f.ab92
         IPv6 Address:  Unknown
         IPv4 Address:  10.42.32.109
            User-Name:  D4-BE-D9-4F-AB-92
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A2A000B000034E367D4B998
      Acct Session ID:  Unknown
               Handle:  0x21000508
       Current Policy:  POLICY_Gi2/20
 
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
 
Method status list:
       Method           State
       mab              Authc Success
 
SJ5051IDF1#
SJ5051IDF1#
SJ5051IDF1#show ip access int g2/20
SJ5051IDF1#
SJ5051IDF1#
SJ5051IDF1#show access-list int g2/20
                                ^
% Invalid input detected at '^' marker.
 
SJ5051IDF1#show access-list ?        
  <1-2799>    ACL number
  WORD        ACL name
  ipc         Show access-list config download info
  rate-limit  Show rate-limit access lists
  |           Output modifiers
  <cr>
 
SJ5051IDF1#show access-list g2/20
SJ5051IDF1#
SJ5051IDF1#
SJ5051IDF1#
Community Member

What kind of switch/what

What kind of switch/what version of IOS are you running?

Community Member

I am running 4510R+E with

I am running 4510R+E with SUP8. IOS-XE v3.3.1 with IP Base license.

Community Member

Re: I am running 4510R+E with

Did you figure out the cause and a solution?

1238
Views
0
Helpful
9
Replies
CreatePlease to create content