Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Laptop behind phone does not get assigned to DACL if phone boots first

I have some laptops plugged into Cisco phones. I'm using MAB on the switchport. If the PC comes up first, it matches the correct ISE policies, gets an IP address, and can get out. When the phone comes up, it too works fine.

If the phone comes up first, it still matches the correct ISE policies and works correctly. But once the PC comes up behind it, it matches the correct ISE policies, gets an IP address, but cannot get out to the network. If I look at the access-list on the port, I do not see where the PC has an entry; only the phone.

I am using the default IP-Phone authorization profile, which uses the permit any DACL. I am using NO DACL on my PC authorization rule.

5 REPLIES
New Member

can you paste the out put of

can you paste the out put of #show authentication sessions interface GigabitEthernet  and live authentication

New Member

This is output during a

This is output during a period where this is working...

 

51IDF2#show authen sess int g3/40 d
            Interface:  GigabitEthernet3/40
          MAC Address:  20bb.c020.7cb8
         IPv6 Address:  Unknown
         IPv4 Address:  10.42.66.254
            User-Name:  20-BB-C0-20-7C-B8
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A2A000C000014AAB78F3FB4
      Acct Session ID:  0x000028EA
               Handle:  0xB10004DD
       Current Policy:  POLICY_Gi3/40
 
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
 
Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4fe7f797
 
Method status list:
       Method           State
       mab              Authc Success
 
----------------------------------------
            Interface:  GigabitEthernet3/40
          MAC Address:  b8ca.3ac0.f250
         IPv6 Address:  Unknown
         IPv4 Address:  10.42.34.21
            User-Name:  B8-CA-3A-C0-F2-50
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0A2A000C000014A9B78E8F78
      Acct Session ID:  0x000028E8
               Handle:  0x12000323
       Current Policy:  POLICY_Gi3/40
 
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure
 
Server Policies:
 
Method status list:
       Method           State
          
       mab              Authc Success
 
51IDF2#show ip access int g3/40
     permit ip host 10.42.66.254 any
     permit ip host 10.42.34.21 any
Extended IP access list Auth-Default-ACL
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
51IDF2#
 
I was unable to get a live authentication on this device. But I did get the following in the troubleshooting tool on the last auth...
Diagnosis and Resolution  
Could not determine the root cause and suggest a diagnosis/resolution.
Please see below for details on steps performed.
 
Troubleshooting Summary  
Step successfulInvestigated authentication record with details:
Details
 
Timestamp2014-08-21 12:56:01.572
ISEServerdc5051ise-psn1
UsernameB8:CA:3A:C0:F2:50
MAC AddressB8:CA:3A:C0:F2:50
StatusPassed
Failure Reason 
Network Device NameSJ5051IDF2
Network Device IP10.42.0.12
Identity StoreInternal Endpoints
Identity GroupWorkstation
NAS Port IDGigabitEthernet3/40
Audit Session ID0A2A000C000014A9B78E8F78
Authentication Methodmab
Step failed No relevant VLAN or dACL context found in the ISE response. No further troubleshooting can be performed on the selected authentication record.

Enable cdp feature on the

Enable cdp feature on the switch

New Member

Thanks, but cdp is enabled

Thanks, but cdp is enabled already. 

New Member

My TAC engineer finally came

My TAC engineer finally came back and reported this as a bug in my version of software (3.3.1). 

CSCuq36259

This bug is supposed to be fixed in 3.6.0.

Thanks.

151
Views
0
Helpful
5
Replies
CreatePlease login to create content