07-27-2018 03:39 AM
I have an issue with dynamic VLAN assignment. I configured dot1x/MAB authentication on a Cisco 3750 switch (version 12.2(52)SE) for dynamically assigned VLANs, but when I plugged my laptop into the switch port, I see authentication and authorization successful in the RADIUS Live Log and the switch can download the ACL, but it cannot assign the desired VLAN to the switch port. Please take a look at the configuration in my attachment.
07-27-2018 04:30 AM
Does vlan 99 exist on the switch?
I do have this working running ise 2.2 patch 5 (DACL, and VLAN change). From what I can tell, the config in ISE looks correct, and is working per your log output. Could just be missing something on the NAD?
07-27-2018 04:46 AM
Hi,
I created VLAN 99 on the switch. I also agree with you that Cisco ISE works properly. Below is the output on the switch after client authentication:
show authentication sessions int gi1/0/22
Interface: GigabitEthernet1/0/22
MAC Address: 842b.2bad.fd73
IP Address: Unknown
User-Name: 84-2B-2B-AD-FD-73
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A80A01000000794345D25A
Acct Session ID: 0x000000F4
Handle: 0x23000079
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
#show ip access-lists
Extended IP access list ACL-ALLOW
10 permit ip any any (3162 matches)
Extended IP access list xACSACLx-IP-WIRED_MAC-5b5a8fcc (per-user)
10 permit ip any host 192.168.10.150
20 permit ip any host 192.168.10.160
30 deny ip any 192.168.0.0 0.0.255.255
40 permit ip any any
show vlan brief
VLAN Name Status Ports
99 VLAN_TEST active
I think there is a problem at the NAD, but I don't know what it is. Could you help me find it? I will provide anything you want.
Thanks
07-27-2018 04:53 AM
I think a copy of your switch configuration would help. Things like SVI for Vlan 99 and other global configuration pieces would help. I am running 2.2 also and successfully do VLAN assignment.
07-27-2018 05:10 AM
07-27-2018 05:45 AM
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server vsa send accounting
radius-server vsa send authentication
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host <ip-address> version 2c cisco mac-notification snmp
snmp-server host <ip-address> version 2c cisco mac-notification snmp
ip device tracking
ip device tracking probe auto-source fallback 0.0.0.200 255.255.255.0
logging host <ip-address>
logging host <ip-address>
aaa accounting update newinfo periodic 30
aaa authorization network default group radius
aaa server radius dynamic-author
 client <ip-address> server-key ****
 client <ip-address> server-key ****
That ipdt auto-source fallback command was a workaround we needed. You can probably leave that out. This particular switch is running Version 15.2(6)E1.
07-27-2018 07:27 PM
Hi Rickchard,
My version is 12.2(52)SE and it doesn't support the ipdt auto-source fallback command.
Thanks,
07-27-2018 05:53 AM
A couple of questions and suggestions.
The following dACL does not match your auth profile?
Extended IP access list xACSACLx-IP-WIRED_MAC-5b5a8fcc (per-user)
You don't need a dACL permit any on the auth profile.
This is not a problem, but we found the order mab, dot1x to work better for us timing-wise.
As a test, you might add switchport access vlan 99 to the port config to see if it ends up in VLAN 99 and gets an IP address.
07-27-2018 07:38 PM
Hi Rickchard,
Sorry for the confusion. The Authz Profile picture was taken two days ago; I changed the authz profile yesterday. I tested adding switchport access vlan 99 to the port config, and it ends up in VLAN 99 and gets an IP address. Do you have another idea for this case?
Thanks,
07-27-2018 08:55 PM
Hi Rickchard,
When I turn on the debug radius command, I can see the VLAN being pushed to the switch, but it isn't assigned to the switch port, as below:
*Mar 14 17:48:00.777: RADIUS: Tunnel-Type [64] 6 01:VLAN [99]
*Mar 14 17:48:00.777: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 14 17:48:00.777: RADIUS: Message-Authenticato[80] 18
*Mar 14 17:48:00.786: RADIUS: 02 43 FB F8 C1 B6 7B 59 BC D5 6F 48 B6 43 0A 16 [ C{YoHC]
*Mar 14 17:48:00.786: RADIUS: Tunnel-Private-Group[81] 11 01:"VLAN_TEST"
*Mar 14 17:48:00.786: RADIUS: Vendor, Cisco [26] 66
*Mar 14 17:48:00.786: RADIUS: Cisco AVpair [1] 60 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-WIRED_MAC-5b5a8fcc"
*Mar 14 17:48:00.786: RADIUS: Vendor, Cisco [26] 32
*Mar 14 17:48:00.786: RADIUS: Cisco AVpair [1] 26 "profile-name=Dell-Device"
Thanks,
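To check a debug radius Access-Accept against the switch's VLAN table the way the posts above do by eye, here is an added Python example (not from this thread or from Cisco). It assumes the attribute formats shown in the debug output above, and that IOS accepts either a VLAN ID or a VLAN name in Tunnel-Private-Group-ID; the sample inputs are constructed from the outputs posted in the thread.

```python
import re

# Constructed sample inputs, copied from the outputs posted in this thread.
DEBUG_RADIUS = """\
*Mar 14 17:48:00.777: RADIUS: Tunnel-Type [64] 6 01:VLAN [99]
*Mar 14 17:48:00.777: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 14 17:48:00.786: RADIUS: Tunnel-Private-Group[81] 11 01:"VLAN_TEST"
*Mar 14 17:48:00.786: RADIUS: Cisco AVpair [1] 60 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-WIRED_MAC-5b5a8fcc"
"""
SHOW_VLAN_BRIEF = """\
VLAN Name Status Ports
99 VLAN_TEST active
"""

TUNNEL_RE = re.compile(
    r"RADIUS:\s+(?P<attr>Tunnel-Type|Tunnel-Medium-Type|Tunnel-Private-Group)"
    r"\s*\[\d+\]\s+\d+\s+(?P<tag>\d+):(?P<value>.+)$")

def parse_tunnel_attrs(debug_text):
    """Return {attr: (tag, value)} for the three IETF VLAN tunnel attributes; other lines are ignored."""
    attrs = {}
    for line in debug_text.splitlines():
        m = TUNNEL_RE.search(line)
        if m:  # keep the first token only: drops the bracketed number and surrounding quotes
            attrs[m.group("attr")] = (m.group("tag"), m.group("value").strip().strip('"').split()[0])
    return attrs

def parse_vlan_brief(text):
    """Return {vlan_id: name} for the active VLANs in `show vlan brief` output."""
    return {int(m.group(1)): m.group(2) for m in
            (re.match(r"(\d+)\s+(\S+)\s+active", ln) for ln in text.splitlines()) if m}

def check_vlan_push(debug_text, vlan_brief):
    """Validate the pushed VLAN triplet against the switch's VLAN table; returns (vlan_id or None, problems)."""
    attrs, vlans, problems = parse_tunnel_attrs(debug_text), parse_vlan_brief(vlan_brief), []
    for attr, want in (("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "ALL_802")):
        got = attrs.get(attr, ("", None))[1]
        if got != want:
            problems.append(f"{attr} is {got}, expected {want}")
    if "Tunnel-Private-Group" not in attrs:
        return None, problems + ["missing Tunnel-Private-Group-ID"]
    if len({tag for tag, _ in attrs.values()}) != 1:
        problems.append("tunnel attributes carry different tags")
    group = attrs["Tunnel-Private-Group"][1]
    # IOS accepts either a VLAN ID or a VLAN name here (exact name match assumed)
    by_name = {name: vid for vid, name in vlans.items()}
    vlan_id = int(group) if group.isdigit() else by_name.get(group)
    if vlan_id not in vlans:
        return None, problems + [f"VLAN '{group}' not present on the switch"]
    return vlan_id, problems
```

On the thread's own output this resolves VLAN_TEST to VLAN 99 with no problems, which confirms the RADIUS side and points the search back at the port configuration.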
07-27-2018 11:50 PM
I believe the interface needs a line "switchport access vlan 10", where 10 is the default VLAN assigned and can be replaced with another, regardless of the VLAN assigned dynamically from ISE.
See How To: Universal IOS Switch Config for ISE for more info.
Cisco IOS 12.2(52)SE is very old, so some of the configuration commands might not be applicable or may have changed since. Cisco Identity Services Engine Network Component Compatibility, Release 2.4 recommends 15.2(2)E6 or IOS 15.0(2)SE11.
07-30-2018 05:08 AM
I agree you should put the following in the switch port config.
switchport access vlan 10
A copy of ISE log for this mac address might also be helpful.
07-30-2018 08:06 AM