topic Dynamic VLAN Assignment in ISE in Network Access Control

Dynamic VLAN Assignment in ISE

connor.jaques — Fri, 12 Nov 2021 10:27:35 GMT

Hi,

Currently implementing dynamic VLAN assignment for both our 802.1X clients & profiled devices via MAB.

The condition matches the device in ISE with the full summary report showing "authentication succeeded" , authorization profile selected, Radius Access-Accept returned & VLAN attributes visible under "result".

However when I hop over to the switch and run "show auth session interface [] detail" the status shows as "unath" with there no change in VLAN.

Has anyone experienced this issue before or know when to look for troubleshooting?

I have already made sure Dynamic Author is configured on the switch with my clients. Thanks

Re: Dynamic VLAN Assignment in ISE

BryanHefner2568 — Fri, 12 Nov 2021 20:41:49 GMT

Maybe a COA issue? I notice these tend to pop up a lot. What switch model and version are you running? Run a debug on the switch to see if your receiving the COA. I believe the command is “debug aaa COA”

Re: Dynamic VLAN Assignment in ISE

Walker — Tue, 16 Nov 2021 18:09:14 GMT

Have you verified that the VLAN is created on the switch? If so, are you using VLAN name in your auth profile? Make sure it matches.

It sounds like its possibly failing AuthZ. Check your epm logs to see if you can find some helpful information.

Re: Dynamic VLAN Assignment in ISE

connor.jaques — Wed, 17 Nov 2021 09:18:31 GMT

VLAN name is used in the auth profile and does exist on the switch as an exact match. I'll enable EPM logging and see if that produces anything of help then revert back. Thanks

Re: Dynamic VLAN Assignment in ISE

connor.jaques — Wed, 17 Nov 2021 09:26:21 GMT

We are running C9300's on version 16.12. Debug Coa gives me a "Authc fail. Authc failure reason: Cred Fail". This log is only produced when applying my own authorization policy as a pose to the default "permit access".

Re: Dynamic VLAN Assignment in ISE

BryanHefner2568 — Wed, 17 Nov 2021 12:32:37 GMT

This tells you what the issue is. Failed Authentication due to credentials. Default permit access policy that you use does not require a COA, and is probably providing access whether or not you authenticate properly.

Can you provide a screen grab of your Live Logs, showing just the specific device that you are authenticating? And also once that is displayed in the live logs, can you click on the paper icon to show the authentication process for that devices?

Excellent guide on troubleshooting authentications in ISE: https://community.cisco.com/t5/security-documents/how-to-troubleshoot-ise-failed-authentications-amp/ta-p/3630960

Re: Dynamic VLAN Assignment in ISE

connor.jaques — Wed, 17 Nov 2021 13:27:41 GMT

Thanks Bryan, will review that link. Agree it appears to be a CoA problem here. I've copied the details below from the logs in ISE.

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - Radius.NAS-IP-Address
	15041	Evaluating Identity Policy
	15013	Selected Identity Source - Internal Endpoints
	24209	Looking up Endpoint in Internal Endpoints IDStore - 7C:D3:0A:20:C0:28
	24211	Found Endpoint in Internal Endpoints IDStore
	22037	Authentication Passed
	24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	11055	User name change detected for the session. Attributes for the session will be removed from the cache
	15016	Selected Authorization Profile - WORKSTATION
	24209	Looking up Endpoint in Internal Endpoints IDStore - 7C:D3:0A:20:C0:28
	24211	Found Endpoint in Internal Endpoints IDStore
	11002	Returned RADIUS Access-Accept