Cisco ISE and Authentication Failed VLAN

mkriss5681 · ‎04-09-2013

I am trying to setup ISE to assign a VLAN to unauthorized computers. I tried using "authentication event fail action authorize vlan 666" command but unfortunately I'm using multi-auth because we have users with bridged VMs and Cisco does not support it (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875).

Is there a way to make an Authorization/Authentication profile within ISE to assign the VLAN to failed devices?

Venkatesh Attuluri · ‎04-10-2013

You can set endpoint protection status to quarantine, and establish policies that assign different
authorization profiles, depending on the status of the endpoint.
Quarantine essentially moves an endpoint from its default VLAN to a specified Quarantine VLAN. The
The Quarantine VLAN must be previously defined by a network administrator and supported on the
same NAS as the endpoint. Unquarantine reverses the quarantine action, returning the endpoint to its
original VLAN.
The quarantine and unquarantine actions are performed as a result of established Authorization Rules
that are defined to check for EPSStatus

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_eps.html#wp1219979

mkriss5681 · ‎04-12-2013

Thank you! I'll check it out.

mkriss5681 · ‎04-12-2013

Unfortunately I only have the Base Liscense so I am out of luck.