I have an issue with dynamic VLAN assignment. I configured dot1x/MAB authentication on a Cisco 3750 switch (Version 12.2(52)SE) for dynamically assigned VLANs, but when I plug my laptop into the switch port, I see auth and authz successful in the RADIUS Live Log and the switch can download the ACL, but it cannot assign the desired VLAN to the switch port. Please take a look at the configuration in my attachment.
Does vlan 99 exist on the switch?
I do have this working running ise 2.2 patch 5 (DACL, and VLAN change). From what I can tell, the config in ISE looks correct, and is working per your log output. Could just be missing something on the NAD?
Hi,
I created VLAN 99 on the switch. I also agree with you that Cisco ISE works properly. Below is the output on the switch after client authentication:
show authentication sessions int gi1/0/22
Interface: GigabitEthernet1/0/22
MAC Address: 842b.2bad.fd73
IP Address: Unknown
User-Name: 84-2B-2B-AD-FD-73
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A80A01000000794345D25A
Acct Session ID: 0x000000F4
Handle: 0x23000079
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
#show ip access-lists
Extended IP access list ACL-ALLOW
10 permit ip any any (3162 matches)
Extended IP access list xACSACLx-IP-WIRED_MAC-5b5a8fcc (per-user)
10 permit ip any host 192.168.10.150
20 permit ip any host 192.168.10.160
30 deny ip any 192.168.0.0 0.0.255.255
40 permit ip any any
show vlan brief
VLAN Name Status Ports
99 VLAN_TEST active
I think that there is a problem at the NAD, but I don't know what the problem is. Could you help me find it? I will provide anything you want.
Thanks
I think a copy of your switch configuration would help. Things like SVI for Vlan 99 and other global configuration pieces would help. I am running 2.2 also and successfully do VLAN assignment.
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server vsa send accounting
radius-server vsa send authentication
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host <ip-address> version 2c cisco mac-notification snmp
snmp-server host <ip-address> version 2c cisco mac-notification snmp
ip device tracking
ip device tracking probe auto-source fallback 0.0.0.200 255.255.255.0
logging host <ip-address>
logging host <ip-address>
aaa accounting update newinfo periodic 30
aaa authorization network default group radius
aaa server radius dynamic-author
 client <ip-address> server-key ****
 client <ip-address> server-key ****
That ipdt auto-source fallback command was a workaround we needed. You can probably leave that out. This particular switch is running Version 15.2(6)E1.
Hi Rickchard,
My version is 12.2(52)SE and it doesn't support the ipdt auto-source fallback command.
Thanks,
A couple of questions and suggestions.
The following dACL does not match your auth profile?
Extended IP access list xACSACLx-IP-WIRED_MAC-5b5a8fcc (per-user)
You don't need dACL permit any on auth profile.
This is not a problem but, we found order mab, dot1x to work better for us timing wise.
You might, as a test, add switchport access vlan 99 to the port config to see if it ends up in VLAN 99 and gets an IP address.
Hi Rickchard,
Sorry for the confusion. The Authz Profile picture was taken two days ago; I changed the authz profile yesterday. I have tested adding switchport access vlan 99 to the port config, and it ends up in VLAN 99 and gets an IP address. Do you have another idea for this case?
Thanks,
Hi Rickchard,
When I turn on the debug radius command, I see the VLAN pushed to the switch, but it isn't applied to the switchport, as shown below:
*Mar 14 17:48:00.777: RADIUS: Tunnel-Type [64] 6 01:VLAN [99]
*Mar 14 17:48:00.777: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 14 17:48:00.777: RADIUS: Message-Authenticato[80] 18
*Mar 14 17:48:00.786: RADIUS: 02 43 FB F8 C1 B6 7B 59 BC D5 6F 48 B6 43 0A 16 [ C{YoHC]
*Mar 14 17:48:00.786: RADIUS: Tunnel-Private-Group[81] 11 01:"VLAN_TEST"
*Mar 14 17:48:00.786: RADIUS: Vendor, Cisco [26] 66
*Mar 14 17:48:00.786: RADIUS: Cisco AVpair [1] 60 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-WIRED_MAC-5b5a8fcc"
*Mar 14 17:48:00.786: RADIUS: Vendor, Cisco [26] 32
*Mar 14 17:48:00.786: RADIUS: Cisco AVpair [1] 26 "profile-name=Dell-Device"
Thanks,
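As an added example (not code from any poster in this thread), here is a small Python checker that pulls the three RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) out of debug radius output and confirms they resolve to a VLAN present in the switch's show vlan brief output, by ID or by name. The sample lines are constructed from the thread's output, and the name comparison is exact (an assumption about how the switch matches VLAN names).

```python
import re

# Constructed sample input modelled on the thread's "debug radius" lines (not a capture).
DEBUG_RADIUS = """\
*Mar 14 17:48:00.777: RADIUS: Tunnel-Type [64] 6 01:VLAN [99]
*Mar 14 17:48:00.777: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 14 17:48:00.786: RADIUS: Tunnel-Private-Group[81] 11 01:"VLAN_TEST"
"""
# Constructed "show vlan brief" excerpt (VLAN 99 exists, as the poster confirmed).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
1    default                          active    Gi1/0/1, Gi1/0/2
99   VLAN_TEST                        active
"""
ATTR_RE = re.compile(r'RADIUS:\s+(Tunnel-Type|Tunnel-Medium-Type|Tunnel-Private-Group)'
                     r'\s*\[\d+\]\s+\d+\s+(\d+):(.*)$')
VLAN_RE = re.compile(r'^(\d+)\s+(\S+)\s+(\S+)', re.M)

def parse_tunnel_attrs(debug_text):
    """Map attribute name -> (tag, value) for the RFC 2868 tunnel attributes in debug output."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            name, tag, rest = m.groups()
            attrs[name] = (int(tag), rest.strip().strip('"'))  # IOS quotes the group string
    return attrs

def parse_vlan_brief(text):
    """Map VLAN id -> (name, status) from 'show vlan brief' output (header line has no id)."""
    return {int(vid): (name, status) for vid, name, status in VLAN_RE.findall(text)}

def check_vlan_assignment(debug_text, vlan_brief_text):
    """Return reasons the pushed VLAN could not be applied; an empty list means consistent."""
    attrs, vlans = parse_tunnel_attrs(debug_text), parse_vlan_brief(vlan_brief_text)
    problems = []
    if not attrs.get('Tunnel-Type', (0, ''))[1].startswith('VLAN'):
        problems.append('Tunnel-Type [64] must be VLAN (13)')
    if not attrs.get('Tunnel-Medium-Type', (0, ''))[1].startswith('ALL_802'):
        problems.append('Tunnel-Medium-Type [65] must be IEEE-802 (6)')
    group = attrs.get('Tunnel-Private-Group', (0, ''))[1]
    if not group:
        problems.append('Tunnel-Private-Group-ID [81] missing: nothing to assign')
    elif group.isdigit() and int(group) not in vlans:
        problems.append(f'VLAN {group} is not in the VLAN database')
    elif not group.isdigit() and group not in {n for n, _ in vlans.values()}:
        # Assumed: the switch matches the name exactly, so case/spelling must agree with ISE.
        problems.append(f'VLAN name "{group}" is not in the VLAN database (names are compared exactly)')
    if len({tag for tag, _ in attrs.values()}) > 1:
        problems.append('tunnel attributes carry different tags; RFC 2868 groups them by tag')
    return problems
```

On the thread's data the checker returns no problems, which matches the posters' conclusion that ISE is sending a valid VLAN and the remaining fault is on the NAD side.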