Showing results for 
Search instead for 
Did you mean: 

Endstation Network Condition not working for IPv4


I have a question about Endstation Network Conditions for IPv4.
I have configured “Network Conditions>>>Endstation Network Conditions>>>created „TEST_ENDSTATION” and added the address IP or alternatively
In AUTHORIZATION POLICY I have the condition „Network Conditions: TEST_ENDSTATION”.
Start endstation authentication/authorization with the address IP (tested for MAB and DOT1X) is not matched with the prepared condition. I read that I need to add a command on the switch, but it doesn't help:
radius-server attribute 31 send nas-port-detail.

i tried too:

radius-server attribute 31 send nas-port-detail

radius-server attribute 31 remote-id

radius-server attribute 31 append-circuit-id


Additionally, I have attributes for configuration:

mab request format attribute 32 vlan access-vlan
radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-access-req

radius-server attribute 25 access-request include

radius-server attribute 31 send nas-port-detail

radius-server attribute 31 remote-id

radius-server attribute 31 append-circuit-id

radius-server vsa send cisco-nas-port


Did not work.
If I add MAC to Endstation Network Conditions >>> TEST_ENDSTATION MAC, then the authorization works correctly and goes to AUTHORIZATION POLICY condition "Network Conditions: TEST_ENDSTATION MAC".

So for MAC it works for IP it doesn't work.

What do I need to add to the switch configuration so that the IP address is sent in the network attributes?


Port configuration:

interface FastEthernet0/XX

 description dot1x test

 switchport access vlan XXX

 switchport mode access

 switchport nonegotiate

 switchport voice vlan XXX

 authentication event fail retry 0 action next-method

 authentication event server dead action authorize

 authentication event server alive action reinitialize

 authentication host-mode multi-auth

 authentication open

 authentication order dot1x mab

 authentication priority dot1x mab

 authentication port-control auto

 authentication periodic

 authentication timer reauthenticate server

 authentication timer inactivity server


 no snmp trap link-status

 dot1x pae authenticator

 dot1x timeout tx-period 7

 spanning-tree portfast edge

 spanning-tree guard root

 ip dhcp snooping limit rate 15


Switch (I also tested on others

WS-C2960C-8PC 15.2(7)E4 - C2960c405-UNIVERSALK9-M


endstation MAC conditions.png  endstation IP conditions.png


2 Replies 2

Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor

Hi @newjard ,

 the Endstation Network Conditions is based on End Stations that initiate and terminate the connection. In a RADIUS Request, this identifier is available in Attribute 31 (Calling-Station-Id). Calling-Station-Id is commonly the MAC Addr of the connecting Endpoint.

 At Work Centers > Profiler > Endpoint Classification, check the attributes captured by the RADIUS Probe of the selected Endpoint, verify the Calling-Station-Id info.

Note: the Framed-IP-Address value populates the IP attribute.


Hope this helps !!!

Thanks for the answer.


In my endpoint authorization's ISE logs I have:

--------ISE LOGS--------
Authentication Details
Calling Station Id: MAC ENDPOINT
IPv4 Address:

Other Attributes
Called-Station-ID: MAC ENDPOINT
-- I can't see Framed-IP-Address --

In ISE TCP DUMP in wireshark I can see Framed-IP-Address:
AVP: t=Framed-IP-Address(8) l=6 val=
Type: 8
Length: 6

At Work Centers > Profiler > Endpoint Classification I can see:
Calling-Station-ID: MAC ENDPOINT


We do not use Profiling.

The authorization rule with IP_ENDPOINT still does not match.

What else could be the reason?

What can i check?



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers