https://community.cisco.com/t5/network-access-control/ise-guest-access/m-p/3199887#M552443 <P>Thanks everyone for your cooperation on this!!!</P> <P>I solved it by myself. Despite that I used this method on ISE 2.0 successfully but now with ISE 2.2, it doesn't work&nbsp;this way (I downgraded switch IOS to a version mentioned on Cisco official website too). As I knew the combination of "<STRONG>authentication priority dot1x mab</STRONG>"and "<STRONG>authentication order mab dot1x</STRONG> " on a switch port should gave priority to dot1x, while any dot1x start/request packet is received by switch port. But it seems that this behavior is changed either on ISE or switch IOS.&nbsp;</P> <P>I only changed authentication order to dot1x then mab and it worked well.</P> Tue, 17 Oct 2017 07:38:22 GMT ciscoworlds 2017-10-17T07:38:22Z https://community.cisco.com/t5/network-access-control/ise-guest-access/m-p/3196296#M552438 <P>Hi. I configured ISE and switch for guest access. while assigning IP address to the client statically, he is redirected to the guest portal and get the configured access to the network as configured. But he cannot get IP address dynamically from DHCP server. I changed the dACL to only contain "<STRONG>permit ip any any</STRONG>" and he managed to get the IP. Even after I edited ACL and added entries which allowed everything (IP any any) to default gateway, DNS and DHCP servers, he didn't managed to get IP again! Also with "<STRONG>authentication open</STRONG>" command on the port, the client was able to get the IP from DHCP without any problem. my port configuration is as follows:</P> <P>&nbsp;</P> <P><EM>switchport mode access<BR />authentication host-mode multi-auth<BR />authentication order mab dot1x<BR />authentication priority dot1x mab<BR />authentication port-control auto<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 10<BR />spanning-tree portfast</EM></P> Fri, 21 Feb 2020 18:35:44 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access/m-p/3196296#M552438 ciscoworlds 2020-02-21T18:35:44Z https://community.cisco.com/t5/network-access-control/ise-guest-access/m-p/3199480#M552440 <P>Hi again;</P> <P>After all, I assigned IP address statically and then configure a dot1x authentication rule, put it up at the top of the table (before MAB) and as seen above, gave priority to dot1x over MAB on that switch port. but the traffic matched MAB and not Dot1x rule. I disabled MAB rule on the ISE and after that point the traffic matched Dot1x on ISE. After re-enabling the MAB, the traffic again matched MAB rule again. my Dot1x rule has been configured as this:</P> <P>&nbsp;</P> <P><STRONG>if **(Wired_802.1X OR Wireless_802.1X) ---- **Allow Protocols</STRONG>: PEAP-ONLY</P> <P>&nbsp;</P> <P>Am I missing something?</P> Mon, 16 Oct 2017 15:18:05 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access/m-p/3199480#M552440 ciscoworlds 2017-10-16T15:18:05Z https://community.cisco.com/t5/network-access-control/ise-guest-access/m-p/3199887#M552443 <P>Thanks everyone for your cooperation on this!!!</P> <P>I solved it by myself. Despite that I used this method on ISE 2.0 successfully but now with ISE 2.2, it doesn't work&nbsp;this way (I downgraded switch IOS to a version mentioned on Cisco official website too). As I knew the combination of "<STRONG>authentication priority dot1x mab</STRONG>"and "<STRONG>authentication order mab dot1x</STRONG> " on a switch port should gave priority to dot1x, while any dot1x start/request packet is received by switch port. But it seems that this behavior is changed either on ISE or switch IOS.&nbsp;</P> <P>I only changed authentication order to dot1x then mab and it worked well.</P> Tue, 17 Oct 2017 07:38:22 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access/m-p/3199887#M552443 ciscoworlds 2017-10-17T07:38:22Z