06-10-2021 12:31 AM
Dear community,
I have done the configuration of AnyConnect Posture in ISE and the switch. A DACL should first be applied to the port, and then the Redirect ACL in the switch.
Live Logs show that the DACL is being pushed, but 'show auth sess int f0/4' does not show the DACL as pushed in the switch console.
I have a feeling that the DACL and Redirect URL are not being sent to the switch, even though the live log says they are being sent to the switch port. However, I am not sure how to figure that out, in regards to finding the attributes that are being sent to the switch NIC port.
The other odd thing is that the flow of dacl -> acl -> redirect URL, which should have happened, stops at the DACL step and does not proceed to the other two steps. This is observed from the Live Logs of ISE. The AnyConnect posture is stuck in the Pending state due to this.
Any thoughts on how to find the attributes being sent to the switch, and/or how to troubleshoot the process?
One of my issues on the switch is that, even though all logs are enabled in regards to AAA and RADIUS, I can't get any log generated on the switch console, thus leaving me blind from the switch perspective.
I also tried 'show epm stat int f0/4', but no data is shown.
Any thoughts or suggestions would be highly appreciated.
Thank you,
Laura
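To check from the switch side which of the three posture steps (DACL, redirect ACL, redirect URL) actually landed on the port, here is an added Python helper that is not from the original thread or from Cisco; it parses 'show authentication sessions interface' output. The sample output, the DACL name and the ACL name in it are constructed, modelled on the IOS field names 'ACS ACL', 'URL Redirect ACL' and 'URL Redirect'.

```python
import re

# Field names printed by 'show authentication sessions interface <if>';
# the three posture steps from the question map onto them in flow order.
FLOW = (("ACS ACL", "dacl"),
        ("URL Redirect ACL", "redirect_acl"),
        ("URL Redirect", "redirect_url"))

# Constructed sample output: the DACL landed but neither redirect
# attribute did, which is the symptom described in the question.
SAMPLE_STUCK = """\
            Interface:  FastEthernet0/4
          MAC Address:  0011.2233.4455
           IP Address:  10.1.1.10
            User-Name:  host/laptop01.example.local
               Status:  Authz Success
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-POSTURE-DACL-0000000000
     URL Redirect ACL:  N/A
         URL Redirect:  N/A
      Session timeout:  N/A
"""

# The same session once all three attributes were applied (also constructed).
SAMPLE_OK = SAMPLE_STUCK.replace(
    "URL Redirect ACL:  N/A", "URL Redirect ACL:  ISE-REDIRECT").replace(
    "URL Redirect:  N/A",
    "URL Redirect:  https://ise.example.local:8443/portal/gateway?sessionId=0")


def parse_session(output):
    """Turn the 'Name:  value' lines of the show output into a dict."""
    session = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /-]*?):\s+(\S.*?)\s*$", line)
        if m:
            session[m.group(1)] = m.group(2)
    return session


def posture_flow_status(output):
    """Map each posture step to the value on the port, or None if absent/N/A."""
    session = parse_session(output)
    return {step: None if session.get(field) in (None, "N/A") else session[field]
            for field, step in FLOW}


def missing_steps(output):
    """Steps of the dacl -> redirect ACL -> redirect URL flow not on the port."""
    status = posture_flow_status(output)
    return [step for _, step in FLOW if status[step] is None]


if __name__ == "__main__":
    print("stuck session is missing:", missing_steps(SAMPLE_STUCK))
    print("healthy session is missing:", missing_steps(SAMPLE_OK))
```

Paste the real show output in place of the constructed sample; if the DACL shows but both redirect fields stay N/A, the port never received the url-redirect attributes, which matches the posture staying in Pending.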
06-11-2021 07:16 PM
Please refer to the ISE Secure Wired Access Prescriptive Deployment Guide.
It's possible the particular switch does not support it.
06-10-2021 02:22 PM
Do you have the proper
aaa authorization network ...
command in the switch?
06-10-2021 11:45 PM
Hi,
Thank you for your feedback!
Please find the configs in regards to AAA as follows:
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization network default group radius
aaa authorization network auth-list group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
Where radius is the ISE PSN server that I have defined.
Looking forward to hearing from you.
Thank you,
Laura
06-13-2021 08:33 AM
Hi @hslai
That might be; the switch is version 12.2, Catalyst 2960. I will do a test on another switch and keep you updated.
Thank you for your support.
Best wishes,
Laura
06-23-2021 06:16 AM
You should not test with IOS 12.2, upgrade.
06-23-2021 03:42 PM
Your post is not specific on the model of 2960 switch, so you should also confirm that you have a LAN Base model and not LAN Lite. The LAN Lite model does not support features like CoA or DACLs, so it is not validated/supported with ISE. The LAN Lite model is different hardware, so it cannot be upgraded to LAN Base for ISE support.
See this datasheet for the model numbers associated with LAN Lite.