Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2145
Views
0
Helpful
3
Replies

IP device tracking issue with ISE

JEFF BENFIELD
Level 1
Level 1

‎10-17-2013 08:39 AM - edited ‎03-10-2019 09:00 PM

We are having an issue where IP device tracking is not being properly updated on our 2960-24TC-L switches.  In ISE the machine will pass authentication, a vlan will be assigned, and DACL will be assigned but the machine will have no access to the network.  A sh auth sess int on the switch port will show the auth success, proper vlan assignment, and proper DACL but if you do sh ip device tracking int on the switchport it will show the port as inactive and still in the pre auth vlan.  If you do a sh ip access-lists on the switch port it will show the pre auth DACL on the port and not the one shown in sh auth sess.  If you do a clear ip device tracking on the switch port the machine will get the correct vlan, DACL, and the machine will have network access.  We have seen the issue on 3560 and 4506 but much less than on the 2960's.  We are running 15.0(1) SE 2 on the 2960's and 1.1.3 patch 6 on ISE.  We have tried upgrading the switch code to SE 3 and we have tried downgradeing to 12.2.(55)SE7 and still got the same results. Any suggestions would be greatly appreciated.

Jeff

3 people had this problem
Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-20-2013 02:34 AM

Jeff,

It rings a bell, seems similar to CSCud89149 and CSCts27209.

My suggestion would be to open up a TAC case, might be something else entirely.

M.


0 Helpful

Muhammad Munir
Level 5
Level 5

‎10-23-2013 02:41 AM

Hi

Make sure that you have defined Security Group Access (SGA)-enabled devices in Cisco ISE to process requests from SGA-enabled devices that can be part of the Cisco SGA solution. Any device that supports the Security Group Access solution is an SGA-enabled device.

SGA devices do not use the IP address. Instead, you must define other settings so that SGA devices can communicate with Cisco ISE.

If you are importing network devices from previous release then You cannot import network devices in Cisco ISE, Release 1.2 that are exported in previous Cisco ISE, Releases 1.1 and 1.1.x as the import template for these releases are different.

You can import a list of device definitions into a Cisco ISE node using a comma-separated value (CSV) file. You must first update the imported template before you can import network devices into Cisco ISE. You cannot run an import of the same resource type at the same time. For example, you cannot concurrently import network devices from two different import files.

0 Helpful

mlovellette
Level 4
Level 4

‎06-06-2014 11:17 PM

I am running 12.2(55)SE9 and running into this same issue.  Did you happen to get a fix for this?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents