
Dynamic Attribute with ISE: VLAN Assignment on 3750E Version 12.2(52)SE cisco switch

I have an issue with dynamic VLAN assignment. I configured dot1x/MAB authentication on a 3750 Cisco switch (Version 12.2(52)SE) for dynamically assigned VLANs, but when I plugged my laptop into the switch port, I see auth and authz successful in the RADIUS Live Log and the switch can download the ACL but cannot assign the desired VLAN to the switch port. Please take a look at the configuration in my attachment.

anthonylofreso
Enthusiast

Does VLAN 99 exist on the switch?

I do have this working running ISE 2.2 patch 5 (dACL and VLAN change). From what I can tell, the config in ISE looks correct and is working per your log output. Could you just be missing something on the NAD?

Hi,

I created VLAN 99 on the switch. I also agree with you that Cisco ISE works properly. Below is the output on the switch after client authentication:


show authentication sessions int gi1/0/22
Interface: GigabitEthernet1/0/22
MAC Address: 842b.2bad.fd73
IP Address: Unknown
User-Name: 84-2B-2B-AD-FD-73
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A80A01000000794345D25A
Acct Session ID: 0x000000F4
Handle: 0x23000079

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success

#show ip access-lists
Extended IP access list ACL-ALLOW
10 permit ip any any (3162 matches)
Extended IP access list xACSACLx-IP-WIRED_MAC-5b5a8fcc (per-user)
10 permit ip any host 192.168.10.150
20 permit ip any host 192.168.10.160
30 deny ip any 192.168.0.0 0.0.255.255
40 permit ip any any

show vlan brief

VLAN Name Status Ports
99 VLAN_TEST active

I think that there is a problem at the NAD but I don't know what the problem is. Could you help me find it? I will provide anything you want.

Thanks

I think a copy of your switch configuration would help. Things like the SVI for VLAN 99 and other global configuration pieces would help. I am running 2.2 also and successfully do VLAN assignment.

Hi Richard,

I'm running 2.4. My switch configuration is in the attached file.

Thanks

I've got the following for NAD configuration.

Global Configuration:


radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server vsa send accounting
radius-server vsa send authentication

snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host <ip-address> version 2c cisco  mac-notification snmp
snmp-server host <ip-address> version 2c cisco  mac-notification snmp

ip device tracking
ip device tracking probe auto-source fallback 0.0.0.200 255.255.255.0

logging host <ip-address>
logging host <ip-address>

aaa accounting update newinfo periodic 30
aaa authorization network default group radius
aaa server radius dynamic-author

client <ip-address> server-key ****
client <ip-address> server-key ****

That ipdt auto-source fallback command was a workaround we needed. You can probably leave that out. This particular switch is running Version 15.2(6)E1.

Hi Richard,

My version is 12.2(52)SE and it doesn't support the ipdt auto-source fallback command.

Thanks,

A couple of questions and suggestions.

The following dACL does not match your auth profile?

Extended IP access list xACSACLx-IP-WIRED_MAC-5b5a8fcc (per-user)

You don't need a dACL permit any on the auth profile.

This is not a problem, but we found the order mab, dot1x to work better for us timing-wise.

As a test, you might add switchport access vlan 99 to the port config to see if it ends up in VLAN 99 and gets an IP address.

Hi Richard,

Sorry for the confusion. I took the authz profile picture two days ago and changed the authz profile yesterday. I have tested adding switchport access vlan 99 to the port config and it ends up in VLAN 99 and gets an IP address. Do you have another idea for this case?

Thanks,

Hi Richard,

When I turn on the debug radius command, I find that the VLAN is pushed to the switch but it isn't able to assign the VLAN to the switchport, as below:

*Mar 14 17:48:00.777: RADIUS: Tunnel-Type [64] 6 01:VLAN [99]
*Mar 14 17:48:00.777: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 14 17:48:00.777: RADIUS: Message-Authenticato[80] 18
*Mar 14 17:48:00.786: RADIUS: 02 43 FB F8 C1 B6 7B 59 BC D5 6F 48 B6 43 0A 16 [ C{YoHC]
*Mar 14 17:48:00.786: RADIUS: Tunnel-Private-Group[81] 11 01:"VLAN_TEST"
*Mar 14 17:48:00.786: RADIUS: Vendor, Cisco [26] 66
*Mar 14 17:48:00.786: RADIUS: Cisco AVpair [1] 60 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-WIRED_MAC-5b5a8fcc"
*Mar 14 17:48:00.786: RADIUS: Vendor, Cisco [26] 32
*Mar 14 17:48:00.786: RADIUS: Cisco AVpair [1] 26 "profile-name=Dell-Device"

Thanks,
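A small checker for the debug output above, added here as an example (it is not from the original thread or from Cisco): it parses the RFC 2868 tunnel attributes out of the IOS debug radius lines and cross-checks them against show vlan brief, so a missing attribute, a mismatched tag, a wrong Tunnel-Type or Medium-Type, or a VLAN name that does not exist or is not active on the switch gets reported. For the attributes in this thread it reports nothing, which points the search back at the NAD itself (port config, IOS version) rather than at what ISE sends.

```python
import re
# Constructed sample input, copied from the thread's "debug radius" Access-Accept
# and "show vlan brief" output (not captured from a live switch).
DEBUG_RADIUS = """\
*Mar 14 17:48:00.777: RADIUS: Tunnel-Type [64] 6 01:VLAN [99]
*Mar 14 17:48:00.777: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 14 17:48:00.786: RADIUS: Tunnel-Private-Group[81] 11 01:"VLAN_TEST"
"""
SHOW_VLAN_BRIEF = "VLAN Name Status Ports\n1 default active Gi1/0/1\n99 VLAN_TEST active\n"
# "<attr-name>[<type>] <len> <tag>:<value>", the way IOS 'debug radius' prints them
ATTR_RE = re.compile(r'RADIUS:\s+(Tunnel-[\w-]+?)\s*\[(\d+)\]\s+\d+\s+([0-9A-Fa-f]{2}):(\S+)')
VLAN_RE = re.compile(r'^(\d+)\s+(\S+)\s+(\S+)')  # vlan id, name, status

def parse_tunnel_attrs(debug_text):
    """Return {attr_type: (tag, value)} for the RFC 2868 tunnel attributes seen."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[int(m.group(2))] = (m.group(3), m.group(4).strip('"'))
    return attrs

def parse_vlan_brief(vlan_text):
    """Return {vlan_id: (name, status)} from 'show vlan brief' rows."""
    rows = (VLAN_RE.match(line) for line in vlan_text.splitlines())
    return {int(m.group(1)): (m.group(2), m.group(3)) for m in rows if m}

def check_vlan_assignment(debug_text, vlan_text):
    """List what stops the NAD applying the pushed VLAN; [] means look elsewhere on the NAD."""
    attrs, vlans = parse_tunnel_attrs(debug_text), parse_vlan_brief(vlan_text)
    names = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
    problems = [f"missing {names[t]} ({t})" for t in names if t not in attrs]
    if problems:
        return problems
    if len({tag for tag, _ in attrs.values()}) != 1:
        problems.append("tunnel attributes carry different tags, so the NAD will not group them")
    if attrs[64][1] != "VLAN":
        problems.append(f"Tunnel-Type is {attrs[64][1]}, expected VLAN (13)")
    if attrs[65][1] != "ALL_802":
        problems.append(f"Tunnel-Medium-Type is {attrs[65][1]}, expected 802 (6)")
    group = attrs[81][1]  # IOS accepts either a VLAN number or a VLAN name here
    if group.isdigit():
        vid = int(group) if int(group) in vlans else None
    else:
        vid = next((v for v, (name, _) in vlans.items() if name == group), None)
    if vid is None:
        problems.append(f"VLAN '{group}' does not exist on the switch (check 'show vlan brief')")
    elif vlans[vid][1] != "active":
        problems.append(f"VLAN {vid} ('{group}') is {vlans[vid][1]}, not active")
    return problems
```

Paste the real debug radius and show vlan brief output into the two strings to run it against your own switch.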

I believe the interface needs a line "switchport access vlan 10", where 10 is the default VLAN assigned and can be replaced with another, regardless of the VLAN assigned dynamically from ISE.

See How To: Universal IOS Switch Config for ISE for more info.

Cisco IOS 12.2(52)SE is very old, so some of the configuration commands might not be applicable or may have changed since. Cisco Identity Services Engine Network Component Compatibility, Release 2.4 recommends 15.2(2)E6 or IOS 15.0(2)SE11.

I agree you should put the following in the switch port config.

switchport access vlan 10

A copy of ISE log for this mac address might also be helpful.

RICHARD MASSELLE
Beginner

Looking at the switch version, according to TrustSec 2.0 it is unsupported; see the snapshot. Is it possible to upgrade the switch IOS?