I was recently called in to help a customer with a couple of issues they were having in a pilot of Cisco ISE and Firepower.
- They wanted to use pxGrid to share context information between ISE and Firepower. They found that laptop users could authenticate to the network and reach the Internet over wireless, but the same laptops were denied Internet access by Firepower when connected to the wired network. Other wired users that authenticated also had issues.
- The ISE RADIUS Live Logs would only show IP information for wireless users. Wired user entries did not show IP addresses in the IP column.
One thing they noticed in the syslog on the Firepower appliance was that they were seeing parsing errors for entries pertaining to wired users. When we looked at the error, we noticed there was no user IP information. Only the IP of the NAD (network access device) was showing up. Since ISE was supposed to be sending all of that info, I started troubleshooting that first.
We grabbed a test laptop and checked what happened when authenticating via wireless and wired connections. The RADIUS Live Logs showed both authentications were successful, but the wired authentication did not show any IP information in the IP column. I checked the endpoint details (Context Visibility > Endpoints) for the wireless and wired MAC addresses. They both initially looked the same; even the wired MAC entry showed an IP address and a DHCP requested IP address. After a few more minutes of looking, I noticed one difference: the wired details did not show an entry for Framed-IP-Address.
The Framed-IP-Address is supposed to be included in the RADIUS accounting packet from the switch. The command radius-server attribute 8 include-in-access-req was in the switch global configuration to send the data if it is available in the DHCP snooping table. Running show ip dhcp snooping binding on the switch returned zero entries. That’s an issue because an empty DHCP snooping table means there is no attribute 8 (Framed-IP-Address) to send to ISE. I checked the rest of the switch config and found that they did have DHCP snooping enabled (ip dhcp snooping vlan …) but did not have it configured for the user VLAN.
After adding the user VLAN to the DHCP snooping configuration, the IP column in the ISE RADIUS Live Logs started populating for wired authentications. Wired users were also no longer being denied Internet access by Firepower, as their IP-to-user mapping was now being populated correctly.
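The gap above is easy to miss by eye when a switch has many VLANs, so here is a small audit script, added as an example and not part of the original post or any Cisco tool, that checks a running-config for the same mismatch: access VLANs that are not covered by ip dhcp snooping vlan, snooping not enabled globally, and the radius-server attribute 8 include-in-access-req line being absent. The config excerpt it runs against is constructed for the example (VLAN 10 covered, user ports in VLAN 20 not covered); it only understands switchport access vlan on individual interfaces, not voice VLANs, trunks or interface-range blocks.

```python
import re

# Constructed sample running-config excerpt (not the customer's configuration).
# It reproduces the gap described above: snooping is on globally and for VLAN 10,
# but the user ports sit in VLAN 20, so VLAN 20 never gets a binding entry.
SAMPLE_CONFIG = """\
!
radius-server attribute 8 include-in-access-req
!
ip dhcp snooping vlan 10
ip dhcp snooping
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
!
"""

# Same excerpt with the user VLAN added to the snooping list (the fix applied).
FIXED_CONFIG = SAMPLE_CONFIG.replace("ip dhcp snooping vlan 10",
                                     "ip dhcp snooping vlan 10,20")


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-40' into a set of VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Pull out the few lines the audit cares about.

    Assumption kept simple for the example: only 'switchport access vlan'
    sub-commands on single interfaces are tracked.
    """
    cfg = {"snooping_global": False, "snooping_vlans": set(),
           "attr8": False, "access_vlans": {}}
    current = None  # interface whose sub-commands we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):  # indented: interface sub-command
            m = re.match(r"^\s+switchport access vlan (\d+)$", line)
            if current and m:
                cfg["access_vlans"][current] = int(m.group(1))
            continue
        current = None  # any top-level line ends the interface block
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^ip dhcp snooping vlan (.+)$", line)
        if m:
            cfg["snooping_vlans"] |= expand_vlan_list(m.group(1))
        elif line == "ip dhcp snooping":
            cfg["snooping_global"] = True
        elif line == "radius-server attribute 8 include-in-access-req":
            cfg["attr8"] = True
    return cfg


def audit(text):
    """Return access VLANs that snooping does not cover, plus human-readable findings."""
    cfg = parse_config(text)
    findings = []
    if not cfg["snooping_global"]:
        findings.append("ip dhcp snooping is not enabled globally")
    if not cfg["attr8"]:
        findings.append("radius-server attribute 8 include-in-access-req is missing")
    uncovered = sorted({v for v in cfg["access_vlans"].values()
                        if v not in cfg["snooping_vlans"]})
    for vlan in uncovered:
        ports = sorted(i for i, v in cfg["access_vlans"].items() if v == vlan)
        findings.append(
            f"VLAN {vlan} (ports {', '.join(ports)}) is not in the ip dhcp snooping "
            f"vlan list: no binding entries, so no Framed-IP-Address for those clients")
    return {"uncovered_vlans": uncovered, "findings": findings, "config": cfg}


if __name__ == "__main__":
    for label, text in (("before fix", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        result = audit(text)
        print(f"[{label}] uncovered VLANs: {result['uncovered_vlans'] or 'none'}")
        for finding in result["findings"]:
            print("  -", finding)
```

Feed it the output of show running-config and compare the reported VLANs against show ip dhcp snooping binding; a VLAN flagged here is one whose wired clients will authenticate fine yet show a blank IP column in the RADIUS Live Logs.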