Exam 300-715
Question 63

An administrator is troubleshooting an endpoint that is supposed to bypass 802.1X and use MAB. The endpoint is bypassing 802.1X and successfully getting network access using MAB; however, the endpoint cannot communicate because it cannot obtain an IP address.

What is the problem?

    Correct Answer: C

    The endpoint is successfully bypassing 802.1X and using MAB to get network access, but it fails to obtain an IP address. This suggests an issue with the DHCP process. The DHCP probe for Cisco ISE is responsible for validating DHCP packets and ensuring that the requests and responses are properly handled by the ISE infrastructure. If the DHCP probe is not functioning as expected, it can prevent DHCP traffic from reaching the DHCP server, thereby preventing the endpoint from obtaining an IP address.

Discussion
denverfly Option: D

The correct answer is - An ACL on the port is blocking HTTP traffic. When an endpoint uses MAB to authenticate, it sends a username and password to the RADIUS server. The RADIUS server then authenticates the user and returns an IP address to the endpoint. If an ACL on the port is blocking HTTP traffic, the endpoint will not be able to contact the RADIUS server to authenticate and obtain an IP address.

The other options are incorrect: The endpoint is using the correct protocol to authenticate with Cisco ISE. MAB is a valid authentication protocol for Cisco ISE. The 802.1X timeout period is not relevant in this case. The endpoint is bypassing 802.1X and using MAB. The DHCP probe for Cisco ISE is not relevant in this case. The endpoint is using MAB, not DHCP.

Here are some things the administrator can do to troubleshoot the issue: Check the ACL on the port to make sure that HTTP traffic is not being blocked. Verify that the endpoint is configured to use MAB. Verify that the RADIUS server is configured to accept MAB authentication. Verify that the endpoint is able to contact the RADIUS server.

THEODORABLE Option: B

B sounds most feasible.

Cnoteone Option: C

It's unlikely that the answer is B because the problem mentioned in the scenario is related to the endpoint not being able to obtain an IP address, which is a separate issue from the 802.1X timeout period. The 802.1X timeout period refers to how long the switch will wait for a response from the supplicant before assuming that it has failed to authenticate, so it wouldn't be related to the endpoint's ability to obtain an IP address.

DeviantSpy

Some clients will stop attempting DHCP after some time; if the 802.1X timeout is longer than the client's DHCP attempts, this will certainly be an issue.

mzii Option: B

Correct, B is the answer.

rhylos Option: C

When a device successfully bypasses 802.1X and authenticates using MAB (MAC Authentication Bypass), it is still required to obtain an IP address through DHCP (Dynamic Host Configuration Protocol) to communicate on the network. In this case, the fact that the endpoint cannot obtain an IP address suggests an issue with the DHCP process. The DHCP probe is a mechanism used by Cisco ISE to validate DHCP packets and ensure that the requests and responses are properly handled by the ISE infrastructure. If the DHCP probe is not functioning as expected, it can prevent DHCP traffic from reaching the DHCP server and, subsequently, hinder the endpoint from obtaining an IP address.

fabio3wz Option: B

I cannot believe some answers here... "The RADIUS server then authenticates the user and returns an IP address to the endpoint" -- what's that? ISE using HTTP? ISE sending IP addresses?? That doesn't make any sense... B is the most viable answer: if the dot1x timeout is too long and MAB therefore triggers only after that time, the client might have stopped requesting an IP address.

XBfoundX Option: B

The only answer that makes sense here is B. HTTP traffic is blocked... Who cares, I need to use DHCP ports, so that does not matter. What I think is that the switchport has both 802.1X and MAB configured. So the client is sending a DHCP request, but because the 802.1X timeout timer is too long, the client is not getting the IP address at first. After that timeout, the user can be authenticated via MAB, so you see that the user is authenticated but is failing to get the IP address.

Leogxn Option: D

Since the issue is "the device cannot obtain an IP address", we will be focusing on how the IP obtain mechanism was blocked. A is related to authentication (the endpoint is successfully getting network access). B is 802.1X (the endpoint is bypassing 802.1X). C is the DHCP probe not working (in this case, all the endpoints using MAB should be losing communication). D will be the answer, as per the comment by @denverfly below.

DeviantSpy Option: B

B is correct.

gdrcar Option: B

If it is too long, DHCP can actually time out.