03-06-2013 12:21 PM - edited 03-10-2019 08:10 PM
Hello guys,
I am running ISE 1.1 with a 3560-E switch and using profiling.
When I connect my Cisco AP to the switch port, ISE recognizes/profiles it as a Cisco-Device and hence applies the limited authorization profile I have configured... after around 20-30 seconds the profiler recognizes it as a Cisco-Access-Point, but it is not applying the access point authorization profile.
If I bounce the port, the AP authenticates and authorizes correctly as an access point... but I had to do a manual bounce.
What am I missing?
Switch version:
Switch(config)#do sh ver
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 07:53 by sasyamal
Image text-base: 0x00003000, data-base: 0x02400000
aaa authentication login default group radius
aaa authentication login CONSOLE none
aaa authentication login VTY none
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
aaa server radius dynamic-author
client 10.0.0.60 server-key cisco123
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.0.0.60 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
The switch port where the AP is connected (by the way, the AP is using an 802.1X username/password to authenticate):
interface GigabitEthernet0/20
description Access_Point
switchport access vlan 200
switchport mode access
ip access-group ACL_ALLOW in
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
spanning-tree portfast
end
ISE:
04-22-2013 07:23 PM
Hi,
You may have to add an exception action when the device is profiled as a to trigger CoA. Also, your best bet is to remove the hierarchy configuration for the Cisco-Access-Point and make it its own rule, so that when the client is profiled as an access point it can get profiled correctly.
Thanks,
Sent from Cisco Technical Support iPad App
03-06-2013 12:25 PM
Oh, and by the way... there is no firewall in between.
04-22-2013 05:10 PM
From the switch configuration you have provided, the following command is missing:
! Globally enable Dot1x authentication on the switch
dot1x system-auth-control
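An added check, not from any post in this thread: a small Python audit that splits an IOS running-config into its global section and interface stanzas and reports which 802.1X/MAB prerequisites are absent. The sample config is constructed from the snippet posted above (abridged, with the sub-command indentation a real running-config has) and reproduces the finding in this reply. The two command lists are the ones I would check on a switch fronting ISE, not an exhaustive Cisco list.

```python
# Constructed sample input: the global AAA/RADIUS section and the Gi0/20 stanza as
# posted in the thread (abridged). "dot1x system-auth-control" is deliberately absent.
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
 client 10.0.0.60 server-key cisco123
!
radius-server host 10.0.0.60 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!
interface GigabitEthernet0/20
 switchport access vlan 200
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
end
"""

# Global commands a port configured with "authentication port-control auto" depends on.
GLOBAL_REQUIRED = [
    "dot1x system-auth-control",                             # without it no port ever starts 802.1X/MAB
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",        # needed to apply what ISE returns (dACL, VLAN)
    "aaa accounting dot1x default start-stop group radius",  # session accounting ISE relies on
    "aaa server radius dynamic-author",                      # CoA listener; without it ISE cannot push a CoA
    "radius-server vsa send authentication",
    "radius-server vsa send accounting",
]

# Per-interface commands that together enable 802.1X + MAB enforcement on an access port.
INTERFACE_REQUIRED = [
    "authentication port-control auto",
    "dot1x pae authenticator",
    "mab",
]


def split_config(config):
    """Return (global_lines, {interface_name: [sub-commands]}). IOS indents sub-commands by one space."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())   # includes sub-commands of non-interface blocks, e.g. "client ..."
    return global_lines, interfaces


def audit(config):
    """Report missing global prerequisites and, per port that attempts 802.1X/MAB, missing port commands."""
    global_lines, interfaces = split_config(config)
    gset = set(global_lines)
    missing_global = [cmd for cmd in GLOBAL_REQUIRED if cmd not in gset]
    if "aaa server radius dynamic-author" in gset and not any(l.startswith("client ") for l in global_lines):
        missing_global.append("aaa server radius dynamic-author: no client defined")
    per_port = {}
    for name, lines in interfaces.items():
        lset = set(lines)
        if lset & set(INTERFACE_REQUIRED):     # only audit ports that try to do 802.1X or MAB at all
            per_port[name] = [cmd for cmd in INTERFACE_REQUIRED if cmd not in lset]
    return missing_global, per_port


if __name__ == "__main__":
    missing_global, per_port = audit(SAMPLE_CONFIG)
    print("missing global commands:", missing_global)
    for port, missing in per_port.items():
        print("%s: %s" % (port, missing or "ok"))
```

Run against the sample it reports exactly one global gap, the one named in this reply, and nothing missing on Gi0/20; prepend the command and the global list comes back empty. Feed it a `show running-config` capture in place of SAMPLE_CONFIG to audit a real switch.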
04-22-2013 07:32 PM
Hello Tarik,
Yes, I removed the hierarchy dependence, and it works. But I assume it's not the correct way ISE works, is it? I mean, CoA is automatically triggered from "Unknown" to "Cisco-Device", so isn't it triggered when the change goes from "Cisco-Device" to "Cisco-Access-Point"? It's almost the same, right?
Thanks!
Emilio
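To make concrete what the CoA discussed in this thread is on the wire, here is an added example that is not from the thread and is not Cisco or ISE code: a Python builder and verifier for the RFC 5176 CoA-Request a server such as ISE sends to the switch's `aaa server radius dynamic-author` listener (UDP 1700 by default on IOS; the switch only accepts it from the configured client, 10.0.0.60 in the posted config) to force a re-authentication of one session. The shared key cisco123 is the one in the posted config; the AP MAC and packet identifier are made up for illustration. The Cisco AVPair subscriber:command=reauthenticate is the attribute used for a reauthentication CoA; the authenticator rules in the comments are from RFC 5176 and RFC 2866.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43                 # RFC 5176 packet code
ATTR_CALLING_STATION_ID = 31     # the endpoint MAC, which identifies the session to the switch
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # vendor-type for cisco-avpair strings
IOS_COA_PORT = 1700              # IOS default listener for "aaa server radius dynamic-author"


def attr(atype, value):
    """Encode one RADIUS TLV; the length octet covers type, length and value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text):
    """Vendor-Specific(26) carrying vendor-id 9 and a cisco-avpair (vendor-type 1) string."""
    inner = attr(CISCO_AVPAIR, text.encode())
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_reauth(secret, mac, identifier):
    """CoA-Request asking the switch to re-authenticate the session identified by `mac`.

    Two integrity fields, computed in this order (RFC 5176 s2.3, RFC 2866 s3):
      1. Message-Authenticator = HMAC-MD5(secret, whole packet) with the 16-octet
         Authenticator field and the Message-Authenticator value both all zero.
      2. Request Authenticator = MD5(Code|ID|Length|16 zero octets|attributes|secret),
         where the attributes now include the finished Message-Authenticator.
    """
    attrs = attr(ATTR_CALLING_STATION_ID, mac.encode()) + cisco_avpair("subscriber:command=reauthenticate")
    placeholder = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(placeholder))
    msg_auth = hmac.new(secret, header + bytes(16) + placeholder, hashlib.md5).digest()
    attrs = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, msg_auth)
    req_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + req_auth + attrs


def parse_attributes(packet):
    """Decode the TLVs after the 20-octet header; Cisco VSAs are unwrapped to ('cisco-avpair', str)."""
    out, attrs, off = [], packet[20:], 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % off)
        value = attrs[off + 2:off + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            out.append(("cisco-avpair", value[6:4 + value[5]].decode()))  # value[4]=vendor-type, value[5]=vendor-length
        else:
            out.append((atype, value))
        off += alen
    return out


def verify_coa_request(secret, packet):
    """The checks the switch makes before acting: code, length, Request Authenticator, Message-Authenticator.

    A missing Message-Authenticator is treated as a failure here (a deliberate choice for this example)."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + bytes(16) + attrs + secret).digest(), req_auth):
        return False
    off = 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
            expected = hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(attrs[off + 2:off + 18], expected)
        off += alen
    return False


if __name__ == "__main__":
    # Constructed values: the key from the posted config, an arbitrary AP MAC and packet identifier.
    pkt = build_coa_reauth(b"cisco123", "00-11-22-33-44-55", 7)
    print("CoA-Request for switch UDP/%d, %d bytes: %s" % (IOS_COA_PORT, len(pkt), pkt.hex()))
    print(parse_attributes(pkt), verify_coa_request(b"cisco123", pkt))
```

The verifier is the useful half when debugging a case like this one: if a capture on the switch side shows the CoA-Request arriving but the session never re-authenticates, running the captured bytes through verify_coa_request with the configured key tells you whether the switch could have accepted it (key mismatch or a mangled packet) before you go looking at the profiler policy.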