‎04-07-2022 12:41 PM
Please excuse my English, and tyvm for having this hub so we can discuss tech stuff.
I'm having an issue regarding info I see on the XMC. I'm not sure where to begin explaining this, but basically the XMC is showing me an APIPA IP for a given host even though I'm sure it has got the IP reserved for that MAC from the DHCP server. I'm sure because I can ping the IP and the name of the host is resolved correctly.
Thing is, when this happens the policy configured to take effect does not apply and the end device lands on a different VLAN other than the one the policy is supposed to send to the port.
I'm not sure if this is an XMC issue or something going on between the SW and the DHCP server.
I caught one of the end devices passing from the reserved DHCP IP to the APIPA and this is what I see.
What I'm asking is if there is any relation or known issue between the way this device is following authentication, as I see it first tries to MAC auth and succeeds, but then goes dot1x and fails, and the fact that the XMC shows me an APIPA IP, even though I'm sure the end device got the DHCP reserved IP and I can ping it, but simply I'm having an issue with not landing on the correct VLAN.
Sorry if this is confusing.
Any ideas would be great.
Thank you.
‎04-12-2022 07:57 AM
Hello,
Do you have any global subnets enabled for Router IP discovery? If the subnet is not defined these act as filters and can prevent showing the correct address.
I think that screenshot is from the policy "User Sessions" tab. Does it show the same 169 address in the Control end systems tab as it does in the policy "User Sessions"? Policy User Sessions is a bit different from end system information from Control.
If you see the same 169 address in Control you can try the following:
Right click the NAC that will be handling the authentication for the end system --> WebView --> Diagnostics --> Appliance/Server Diagnostics
Set the following to "Verbose":
- Authentication request processing - NAC
- IP resolution
- DHCP
Click OK.
Then delete the end system in control and have the device re-authenticate. Once the link local address is seen, go back and disable diagnostics. The log will contain information on how IP resolution was determined. You can try to search the log for the actual IP address of the device, or the link local.
Searching by the last 3 octets of the MAC address, hyphen-delimited, will show all debug lines associated with the end system itself.
E.g.:
If the MAC address is:
12:34:56:11:AA:22
Search for:
11-AA-22
The debug log may contain sensitive information so I would not suggest uploading it to this thread.
Thanks
-Ryan
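The log search described in the reply above, as an added example that is not part of the original thread and is not Extreme tooling: it derives the hyphen-delimited last-three-octet token from a MAC address, keeps only the debug lines that mention it, and separates link-local (169.254.0.0/16) addresses from other IPv4 addresses on those lines. The function names and the sample log layout are assumptions made for illustration; the real diagnostic log format is not shown in the thread.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA range
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def mac_search_token(mac):
    """Return the last three octets of a MAC, upper-case and hyphen-delimited."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)  # accepts ':', '-', '.' or no separator
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    tail = digits[6:].upper()
    return "-".join(tail[i:i + 2] for i in (0, 2, 4))

def trace_end_system(log_lines, mac):
    """Return (line_no, line, link_local_ips, other_ips) for lines mentioning the MAC."""
    token = mac_search_token(mac)
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        if token not in line.upper():  # case-insensitive match on the token
            continue
        link_local, other = [], []
        for text in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. 999.1.1.1 is not a valid address
                continue
            (link_local if ip in LINK_LOCAL else other).append(str(ip))
        hits.append((line_no, line.rstrip(), link_local, other))
    return hits

# Constructed sample lines; the layout is hypothetical, not real NAC debug output.
SAMPLE_LOG = [
    "DEBUG auth request mac=12-34-56-11-AA-22 type=MAC result=accept",
    "DEBUG ip resolution mac=12-34-56-11-AA-22 candidate=169.254.10.20",
    "DEBUG dhcp mac=12-34-56-99-BB-33 ip=192.0.2.77",
    "DEBUG dhcp mac=12-34-56-11-aa-22 ip=192.0.2.25",
]

if __name__ == "__main__":
    for line_no, line, link_local, other in trace_end_system(SAMPLE_LOG, "12:34:56:11:AA:22"):
        flag = "LINK-LOCAL" if link_local else "ok"
        print(f"{line_no:>4} [{flag}] {line}")
```

Running the filter on a local copy of the log keeps the review to the one end system's lines, which also limits how much of the sensitive debug output has to be read or shared.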
‎04-12-2022 04:47 AM
‎04-12-2022 05:49 AM
‎04-12-2022 09:55 AM
Bullseye. TY.
This,
adding the subnets for router ip discovery, plus this:
seems to have solved my issue.
Will let you all know in a few days.
TYVM all for helping.
