Cisco ISE - Access-reject with dynamic Vlan - 802.1x wired with 2960x switches

illusion_rox · ‎10-17-2017

Dear Experts,

Can you help to confirm that if user is trying to authenticate via wired port on 2960x but couldnt provide correct credentials, can we push back dynamic quarantine/guest vlan from ISE instead of configuring fallback vlan locally on the switch?

illusion_rox · ‎10-17-2017

My understanding is that, we need to pass vlan information in access-reject message. can we do it using cisco ISE?

agrissimanis · ‎10-17-2017

Attributes passed in RADIUS Access-Reject would be ignored by the switch, you need to create a new Authorization rule and pass Authorization profile that contains Access-Accept, but with a VLAN that you want the users to be put in. (You could also use the default rule)

illusion_rox · ‎10-17-2017

Sir authorization would come into play after user is successfully authenticated. If user authentication fails can we still send access accept message?

illusion_rox · ‎10-17-2017

Anyone pls?

agrissimanis · ‎10-18-2017

You generally can't do that, except in specific scenarios with MAB

illusion_rox · ‎10-18-2017

So its safe to say and convey to customer that for 802.1x authentication scenario this is not possible??

Rahul Govindan · ‎10-19-2017

Yes, you can do this. There is an option to continue to Authorization if Authentication fails. Click on the identity store section under the Authc policy and you should see this option. See picture below.

Rahul Govindan · ‎10-19-2017