Solved: Cisco AV Pair - Termination Action

jowood1412 · ‎06-21-2021

I've seen discussion in these forums and mention in the ISE Posture Best Practices about using the av-pair termination-action-modifier=1 setting to tell the NAD to use the same authentication method from the original authentication.

This is definitely something I want to use because I have some devices that may be connected to ports that have a dot1x mab authentication order that I know will only authenticate with mab. However, when I go to the advanced attributes settings for policies, the termination-action-modifier=1 does not exist.

We're running ISE version 2.6.0.156 with patches 6 and 8 installed.

Has anyone else run into this before? Am I missing something with this setting?

Marcelo Morais · ‎06-21-2021

Hi @jowood1412 ,

you are probably using the ISE Posture Deployment Best Practices and Considerations, Use Case 2.

Try to type the value inside the box:

Hope this helps !!!

View solution in original post

Marcelo Morais · ‎06-21-2021

Hi @jowood1412 ,

you are probably using the ISE Posture Deployment Best Practices and Considerations, Use Case 2.

Try to type the value inside the box:

Hope this helps !!!

jowood1412 · ‎06-22-2021

Success! I'll admit, I didn't love the idea of just typing a value into the field when it wasn't available in the menu, but it did work. I watched the devices affected by that policy and they did in fact start following the previous authentication method instead of the first priority method, so the setting works as advertised.

Many thanks and I hope that setting ends up in the menu soon!