ISE Authorization Policy Issues

Daniel Stefani
Level 1

Hello Team,

I'm running into trouble with my implementation: the user PC never gets an IP address from the access VLAN after the AuthZ policy succeeds.

I have two vlans in my implementation:

Vlan ID 802 for Authentication (Subnet 10.2.39.0)

Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)

When I start my user PC, I get an IP address in VLAN 802 (10.2.39.3), and after the posture process ISE tells the switch to put the user PC's port in VLAN 50.

Here I have my Switch Port Configuration:

interface GigabitEthernet0/38
 switchport access vlan 802
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 120
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 50
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

 

And here are the outputs with the AuthZ policy in action:

Oct  7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct  7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct  7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
Oct  7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
Oct  7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
Oct  7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
Oct  7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct  7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Oct  7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS

After that, I have:

 

SWISNGAC8FL02#sh auth sess int g0/38 
            Interface:  GigabitEthernet0/38
          MAC Address:  0022.1910.4130
           IP Address:  10.2.39.3
            User-Name:  SNL\enzo.belo
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  50
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A022047000000F6126E9B17
      Acct Session ID:  0x000001A7
               Handle:  0x710000F7

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
!

 

Apparently everything is OK, but it is not: the user PC never gets an IP address from access VLAN 50.

 

If I do:

SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
  50    0022.1910.4130    STATIC      Gi0/38
 802    0022.1910.4130    STATIC      Gi0/38
 

 

And

 

SWISNGAC8FL02#sh epm session summary 
EPM Session Information
-----------------------
Total sessions seen so far : 17
Total active sessions      : 1

Interface                       IP Address        MAC Address     VLAN   Audit Session Id:
----------------------------------------------------------------------------------
GigabitEthernet0/38     10.2.39.3         0022.1910.4130    802     0A022047000000F6126E9B17

 

 

My Switch is a Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)

I am using ISE Version 1.2.1.198 Patch Info 2

 

 

Could you help me with this case?

 

Best Regards,

Daniel Stefani

 

 

Accepted Solution

Jimmy Johansson
Level 1

It seems like the PC is operating in the VOICE domain, according to the auth sess int command output you showed. Do you think that has something to do with your problem? I've experienced some PCs having problems with that.

If you could, try getting the PC to operate in the DATA domain by not sending the voice attribute from ISE after the authorization.

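A quick check, added here and not part of the original thread, that parses the two switch outputs Daniel posted and flags exactly what Jimmy's answer points at: a session carrying a user identity that sits in the VOICE domain, and a "Vlan Policy" from the AAA server (50) that differs from the VLAN the EPM session is actually bound to (802), which is why the PC keeps its 10.2.39.x address. The sample text is copied from the post; the audit rules, the function names and the heuristic that treats a MAC-shaped User-Name as a MAB phone rather than a user are this example's own assumptions. The av-pair named in the comment, device-traffic-class=voice, is what ISE returns when Voice Domain Permission is enabled on an authorization profile.

```python
"""
Audit `show authentication sessions interface ...` and
`show epm session summary` output for a dynamic-VLAN session that is
authorized but stuck in the wrong domain or VLAN.
Example code for this thread, not Cisco or ISE tooling.
"""
import re

# Constructed sample input: the `sh auth sess int g0/38` body from the post.
SH_AUTH_SESS = """\
            Interface:  GigabitEthernet0/38
          MAC Address:  0022.1910.4130
           IP Address:  10.2.39.3
            User-Name:  SNL\\enzo.belo
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  50
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A022047000000F6126E9B17
      Acct Session ID:  0x000001A7
               Handle:  0x710000F7
"""

# Constructed sample input: the table from `sh epm session summary` in the post.
SH_EPM_SUMMARY = """\
Interface                       IP Address        MAC Address     VLAN   Audit Session Id:
----------------------------------------------------------------------------------
GigabitEthernet0/38     10.2.39.3         0022.1910.4130    802     0A022047000000F6126E9B17
"""

# Cisco dotted MAC (0022.1910.4130) or colon/dash form; MAB phones show this as User-Name.
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I
)


def parse_auth_session(text):
    """Map each 'Label:  value' line of the session detail to a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(.*\S)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_epm_summary(text):
    """Return {audit_session_id: vlan} for each data row of the EPM table."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows: interface, ip, mac, vlan, audit-session-id (hex)
        if len(parts) == 5 and parts[3].isdigit() and re.fullmatch(r"[0-9A-F]+", parts[4]):
            sessions[parts[4]] = int(parts[3])
    return sessions


def audit_session(auth_text, epm_text):
    """Return a list of findings; an empty list means the session looks healthy."""
    s = parse_auth_session(auth_text)
    epm = parse_epm_summary(epm_text)
    findings = []

    # A session with a user identity (not a MAC, as a MAB phone would show)
    # belongs in the DATA domain. VOICE means the authorization profile
    # returned the voice-domain permission (Cisco AV pair
    # device-traffic-class=voice), which the accepted answer removes.
    user = s.get("User-Name", "")
    if s.get("Domain") == "VOICE" and user and not MAC_RE.match(user):
        findings.append("user %s authorized into VOICE domain" % user)

    # The VLAN the AAA server assigned must be the VLAN the EPM session is
    # bound to; otherwise the endpoint keeps getting DHCP from the old VLAN.
    sid = s.get("Common Session ID")
    policy = s.get("Vlan Policy", "")
    if policy.isdigit() and sid in epm and epm[sid] != int(policy):
        findings.append("Vlan Policy %s but EPM session on VLAN %d" % (policy, epm[sid]))
    return findings


if __name__ == "__main__":
    for finding in audit_session(SH_AUTH_SESS, SH_EPM_SUMMARY):
        print("FINDING:", finding)
```

Paste the real outputs in place of the two constructed samples and run it after each change to the ISE authorization profile; both findings should disappear once the session shows Domain: DATA and the EPM VLAN matches the Vlan Policy.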

Hi Jimmy,

Great tip!!!

I removed the voice attribute from the ISE AuthZ policy and now it works as I expected.

Thank you so much!!!