Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
773
Views
2
Helpful
8
Replies

Dynamic VLAN assignment on Wireless MAB endpoint

Go to solution
tcp_analysis_flags_eq_1
Level 1
Level 1

‎01-28-2025 05:55 AM

Scenario: Printer is connected to WLAN network and authenticated to ISE using MAB

Problem: MAB Authentication is successful but the MAC address is currently learned at both VLANs

VLAN A = Default WLAN VLAN
VLAN B = Printer VLAN

I have setup the policy in ISE to match the endpoint group where the printer is located and to call an AuthZ profile to change the VLAN. I try to put a static IP on the same network as VLAN B but still not working.

Any thoughts.

1 Accepted Solution

Accepted Solutions

Go to solution
tcp_analysis_flags_eq_1
Level 1
Level 1
In response to ahollifield

‎01-28-2025 06:45 AM

Hello, Yes, actually just managed to solve this by removing the endpoint from the endpoint group, readding it was able to get the DHCP now.

View solution in original post

8 Replies 8

Go to solution
ahollifield
VIP
VIP

‎01-28-2025 06:08 AM

What is the NAD?  Is VLAN B actually present on the controller?  

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

0 Helpful

Go to solution
tcp_analysis_flags_eq_1
Level 1
Level 1
In response to ahollifield

‎01-28-2025 06:15 AM

NAD is C9800 controller, the APs are in FLEX MODE, and yes the VLAN is on the controller as it was able to return it to the endpoint and I am seeing the endpoint in VLAN B as well.

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to tcp_analysis_flags_eq_1

‎01-28-2025 06:20 AM

So what’s the issue? Is VLAN B exposed to the FlexConnect AP?;
0 Helpful

Go to solution
tcp_analysis_flags_eq_1
Level 1
Level 1
In response to ahollifield

‎01-28-2025 06:27 AM - edited ‎01-28-2025 06:30 AM

Problem is that the MAB endpoint is currently learned from two VLANs and the correct VLAN is not working as I am not seeing an ARP entry for the IP configured on the endpoint, and when I do via DHCP its not getting IP and the state of the endpoint is stuck in IP_LEARN. I verified that the there is no problem with the DHCP

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to tcp_analysis_flags_eq_1

‎01-28-2025 06:41 AM

So is VLAN B properly trucked to the FlexConnect AP?
0 Helpful

Go to solution
tcp_analysis_flags_eq_1
Level 1
Level 1
In response to ahollifield

‎01-28-2025 06:45 AM

Hello, Yes, actually just managed to solve this by removing the endpoint from the endpoint group, readding it was able to get the DHCP now.

Go to solution
MHM Cisco World
VIP
VIP
In response to tcp_analysis_flags_eq_1

‎01-28-2025 06:52 AM

Sorry I reply late but how endpoint authz with two vlan?

Can i ser how you config ISE?

MHM

0 Helpful

Go to solution
muqaddasghaffar5
Level 1
Level 1

‎02-01-2025 01:16 AM

I had a similar issue with dynamic VLAN assignment for my printer using MAB in Cisco ISE. The printer was being assigned to both VLAN A (default WLAN VLAN) and VLAN B (printer VLAN). After checking the policy and static IP settings, I realized the switch port wasn’t correctly configured for dynamic VLAN assignment. Once I corrected the switch port settings and ensured VLAN trunking was enabled, the printer was properly assigned to VLAN B.

This experience reminded me of optimizing network performance for gaming, like prioritizing gaming traffic to prevent lag—just like how we prioritize devices like printers to improve overall performance. Hope this helps!

0 Helpful
Customers Also Viewed These Support Documents