https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906195#M583449 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1491290">@ramziabdelhak</a> you should modify your ISE authorisation rules to not push down the VLAN to the switch as this takes presedence over the statically assigned VLAN.</P> Wed, 16 Aug 2023 09:10:45 GMT Rob Ingram 2023-08-16T09:10:45Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906190#M583448 <P>Hello,</P><P>On a C9300L switch, i have interface with ISE Dot 1 x configuration, what i want is that the statically assigned vlan using " switchport Access vlan XX" takes precedence over the vlan pushed by the ISE after a succesfull authentication,</P><P>For now, the ISE assigned vlan takes effect,</P><P>is there a solution ?</P><P>Thanks in advance</P> Wed, 16 Aug 2023 09:00:30 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906190#M583448 ramziabdelhak 2023-08-16T09:00:30Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906195#M583449 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1491290">@ramziabdelhak</a> you should modify your ISE authorisation rules to not push down the VLAN to the switch as this takes presedence over the statically assigned VLAN.</P> Wed, 16 Aug 2023 09:10:45 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906195#M583449 Rob Ingram 2023-08-16T09:10:45Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906197#M583450 <P>Thanks for the reply,</P><P>But this type of configuration has already worked with 3750 Switch serie, do you it&nbsp; is purhaps a deprectated behaviour ?</P><P>Thnks</P> Wed, 16 Aug 2023 09:17:19 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906197#M583450 ramziabdelhak 2023-08-16T09:17:19Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906218#M583454 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1491290">@ramziabdelhak</a> sorry, not sure, that's not my experience.</P> <P>Why do you need to send a dynamic VLAN assignment if you do not wish to use it? You can modify your ISE authorisation rules to send (or not send) a dynamic VLAN depending on the NAD group, connected user etc.</P> Wed, 16 Aug 2023 09:57:15 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906218#M583454 Rob Ingram 2023-08-16T09:57:15Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906222#M583456 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;</P><P>On the ISE, there a bunch of policies that apply to hundreds of users, and only 20-30 of them needs a special vlan; so instead of creating a new policy for them, we assign it statically on there interfaces.</P> Wed, 16 Aug 2023 10:09:32 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906222#M583456 ramziabdelhak 2023-08-16T10:09:32Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906227#M583457 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1491290">@ramziabdelhak</a> sure ok, create a group (or a couple of groups) for those 20-30 users, create an new authorisation rule(s) above the existing rule(s) and match against the group of users and push the dynamic VLAN. Then on the existing rules remove the dynamic VLAN.</P> Wed, 16 Aug 2023 10:18:26 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906227#M583457 Rob Ingram 2023-08-16T10:18:26Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906253#M583458 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;Thank you, i think it is a more scalabale solution,</P><P>Nevertheless, i realy want to know why this behavious was once supported by the 3750x,</P><P>Thanks again Rob</P> Wed, 16 Aug 2023 11:08:19 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906253#M583458 ramziabdelhak 2023-08-16T11:08:19Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906860#M583470 <P>Probably the dynamic VLAN will not be applied on this switch if the&nbsp;</P> <P><FONT face="courier new,courier">aaa authorization network ... group RADIUSxxxx</FONT></P> <P><SPAN>command is removed. But it may have other effects.</SPAN></P> <P>&nbsp;</P> Thu, 17 Aug 2023 07:05:45 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4906860#M583470 Peter Koltl 2023-08-17T07:05:45Z https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4907105#M583489 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/285490">@Peter Koltl</a>&nbsp;</P><P>That would not be possible since removing this command will desable AAA authorization on the switch as a whole,</P><P>Thanks for your help</P> Thu, 17 Aug 2023 14:50:03 GMT https://community.cisco.com/t5/network-access-control/vlan-precedence/m-p/4907105#M583489 ramziabdelhak 2023-08-17T14:50:03Z