09-04-2017 02:38 AM - edited 02-21-2020 10:33 AM
Hi,
We want to dynamically profile access-points on 2960 switches when they are plugged in to a standard port. We're using 1832i and 2702i. The profiling seems to work fine: the access-point is profiled with the correct endpoint profile and gets put into the right identity group. The problem, however, is that MAB happens first, so the access-point goes into a quarantine VLAN. I have attached a CoA Port Bounce to this profile, but it doesn't seem to happen. If I can't bounce the port, I can't get the access-point into the VLAN tied to the identity group.
Anyone have a clue as to why I can't bounce the port? The device sensor and ISE seem to be doing everything right as to classification. The question is, is it possible to get ISE to assign the VLAN as it profiles the device? Because here it seems MAB happens before ISE is done profiling, and then it's too late, at least if the port won't bounce.
Port config:
switchport mode access
authentication event fail action authorize vlan 666
authentication event no-response action authorize vlan 666
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
spanning-tree portfast
Global:
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
device-sensor accounting
device-sensor notify all-changes
dot1x system-auth-control
radius-server vsa send accounting
09-04-2017 06:10 AM
You don't seem to have CoA on your 2960 switch. Depending on your switch IOS, it might not support CoA.
Sample config:
aaa server radius dynamic-author
client 10.10.10.10 server-key *******
server-key *******
Check Cisco Feature Navigator to see if your IOS version on the 2960 supports CoA.
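An added example, not from the thread or from Cisco: a small Python audit that reads an IOS running-config as text and reports the pieces ISE needs before a CoA (port bounce or reauthenticate) can succeed, namely the `aaa server radius dynamic-author` block with each ISE node as a client, the global dot1x/device-sensor lines from the original post, and MAB/dot1x on each authenticated access port. The sample config is constructed from the port and global config in the question plus a CoA block; the ISE address `10.10.10.10` and the `PLACEHOLDER` key are placeholders, not real values.

```python
"""Audit an IOS running-config for the settings ISE CoA depends on.

Added example (not the thread's or Cisco's code). It reads the config as plain
text, groups indented sub-commands under their parent line, and returns a list
of findings; an empty list means nothing obvious is missing.
"""
import re
from typing import Dict, List

# Constructed sample: the thread's port/global config plus a dynamic-author
# block. 10.10.10.10 and PLACEHOLDER are placeholders, not real values.
SAMPLE_WITH_COA = """\
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client 10.10.10.10 server-key PLACEHOLDER
 server-key PLACEHOLDER
dot1x system-auth-control
device-sensor accounting
device-sensor notify all-changes
radius-server vsa send accounting
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event fail action authorize vlan 666
 authentication event no-response action authorize vlan 666
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation protect
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
"""

# Same config with the CoA block stripped, i.e. the state the answer suspects.
SAMPLE_NO_COA = "\n".join(
    line for line in SAMPLE_WITH_COA.splitlines()
    if "dynamic-author" not in line and "server-key" not in line
) + "\n"


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented sub-commands ('!' ends a block)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw[0] in " \t":
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit_coa(config: str, ise_nodes: List[str]) -> List[str]:
    """Return findings that would stop ISE CoA from working; [] means all present."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    # 1. The switch only accepts CoA from clients listed under dynamic-author.
    coa = blocks.get("aaa server radius dynamic-author")
    if coa is None:
        findings.append("missing 'aaa server radius dynamic-author': switch will drop CoA from ISE")
    else:
        clients = {m.group(1) for line in coa if (m := re.match(r"client (\S+)", line))}
        for node in ise_nodes:
            if node not in clients:
                findings.append(f"ISE node {node} not listed as a dynamic-author client")
        if not any(line.startswith("server-key") or " server-key " in line for line in coa):
            findings.append("dynamic-author block has no server-key")

    # 2. Global lines the question's config relies on for 802.1X and profiling.
    for required, why in [
        ("dot1x system-auth-control", "802.1X is globally disabled"),
        ("device-sensor notify all-changes", "profiling attributes are not sent as they change"),
        ("radius-server vsa send accounting", "device-sensor data is not forwarded in accounting"),
    ]:
        if required not in blocks:
            findings.append(f"missing '{required}': {why}")

    # 3. Every authenticated access port needs MAB (APs without dot1x) and dot1x.
    for parent, children in blocks.items():
        if not parent.startswith("interface ") or "authentication port-control auto" not in children:
            continue
        if "mab" not in children:
            findings.append(f"{parent}: MAB not enabled, a non-dot1x AP is never authenticated")
        if "dot1x pae authenticator" not in children:
            findings.append(f"{parent}: missing 'dot1x pae authenticator'")
        order = next((c for c in children if c.startswith("authentication order")), None)
        if order and "mab" not in order:
            findings.append(f"{parent}: '{order}' never falls back to MAB")
    return findings


if __name__ == "__main__":
    for name, cfg in [("with CoA", SAMPLE_WITH_COA), ("without CoA", SAMPLE_NO_COA)]:
        print(name, "->", audit_coa(cfg, ["10.10.10.10"]) or "OK")
```

Run it against `show running-config` output saved to a file and pass the PSN addresses ISE actually sends CoA from; a finding on the dynamic-author block explains a port bounce that "doesn't seem to happen" before any feature-navigator lookup is needed.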
09-04-2017 11:30 AM
Ideally, once you connect the AP it will be profiled as a Cisco device, since it's the first time it is seen. ISE will then trigger an NMAP scan along with other checks. Once all the checks are completed and the AP is detected (e.g. Aironet 2600), ISE will trigger CoA for the switch to reauthenticate the device and assign the corresponding policy.
So a port bounce is not generally required. Now, I have seen cases where this automation doesn't take place and a port bounce is needed. So use it as a fallback.
Please remember to rate useful posts