
ISE Authorization profile

dharmendra2shah
Level 1

I am trying to create an authorization profile in ISE. My vlan for that profile is 50. When I try to add the Tag ID as 50 it is not allowing me to do so.

The message I am getting is: “Tag ID should contain only numerical value and in the range 0-31. How can the vlan be 0”. How to deal with this issue when my vlan ids are higher than 31?

I was wondering if anyone else had a similar issue? Or am I missing anything?

Ds

11 Replies

Tarik Admani
VIP Alumni

Please post a screenshot of what you are trying to configure.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

Leave the tag id alone, you need to put the vlan name/number in the field right next to it.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik. What is the purpose of Tag ID? If I leave it blank I get an error message: "Please configure Tag ID for the defined Vlan in common tasks".

I can just put any Tag ID (eg :1) and put the actual Vlan id (50) in ID/Name.

Just curious what is the purpose of Tag ID?

Ds

Hello,

I have the same question. Do you now know what's the purpose of Tag ID?

Kind regards,

Stefan

Ravi Singh
Level 7

The tag, also called the security group tag (SGT), allows ISE to enforce access control policies by enabling the endpoint device to act upon the SGT to filter traffic.

Ravi,

Ds was referring to the radius attributes that are used for dynamic vlan assignment (the 3 attributes) and the tag which passes back the vlan id can be configured. His question was referring to what the different values stood for.

Tarik Admani
*Please rate helpful posts*

Ok so what does the "Tag ID" stand for or do? What is its purpose? I can't seem to find any details for it in the ISE documentation.

Thanks for any help on this.

If we look at RFC 4675 for RADIUS VLAN and Priority Attributes, it defines Tag ID as the tag indication field and it is one octet in length. It indicates whether the frames on the VLAN are tagged (0x31) or untagged (0x32). In ASCII this corresponds to 0x31 = ASCII '1' or untagged 0x32 = ASCII '2'.

This defaults to 1 in ISE 2.4.

howon
Cisco Employee

Tag is used to combine multiple attributes so the NAD understands multiple attributes being sent to be processed together. I have yet to see any use case for multiple tags. But in the case of VLAN assignment, you have to send 3 separate attributes which makes the dVLAN work so the tag glues three attributes together to make it work. I am showing an example where the tag is 2 for the sake of discussion, but ISE will do this automatically when using common tasks for VLAN assignment:

[Screenshot: Screen Shot 2019-02-20 at 10.13.27 AM.png]
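
The tag grouping described in the reply above, as an added example that is not part of the thread and is not Cisco's code: it encodes the three tagged tunnel attributes used for dynamic VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, with type codes and layout taken from RFC 2868) and groups them back by tag, which also shows why the tag is limited to 0-31. The function names and sample values are constructed for illustration.

```python
import struct
from collections import defaultdict

# RADIUS tunnel attribute type codes (RFC 2868)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802


def encode_dvlan(vlan, tag=1):
    """Encode the three tagged attributes that assign `vlan` (ID or name)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag is one octet restricted to 0x00-0x1F (0-31)")
    group = str(vlan).encode("ascii")
    return (
        # Type, Length=6, Tag, then a 3-octet value
        struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + VLAN.to_bytes(3, "big")
        + struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + IEEE_802.to_bytes(3, "big")
        # Type, Length, Tag, then the VLAN ID or name as a string
        + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    )


def group_by_tag(attrs):
    """Walk a run of RADIUS attributes and group the tunnel ones by tag."""
    tunnels = defaultdict(dict)
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 3:
            raise ValueError("truncated attribute at offset %d" % pos)
        atype, length = attrs[pos], attrs[pos + 1]
        if length < 3 or pos + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = attrs[pos + 2:pos + length]
        pos += length
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnels[body[0]][atype] = int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet above 0x1F is not a tag: it is already the first
            # character of the string, so the attribute counts as untagged.
            tag, value = (body[0], body[1:]) if body[0] <= 0x1F else (0, body)
            tunnels[tag][atype] = value.decode("ascii")
    return dict(tunnels)


if __name__ == "__main__":
    # Constructed sample: VLAN 50 under tag 1 and a named VLAN under tag 2.
    print(group_by_tag(encode_dvlan(50, tag=1) + encode_dvlan("GUEST", tag=2)))
```

Because every printable ASCII character is 0x20 or higher, a receiver can tell a tag octet from the first character of an untagged VLAN string, which is why 50 cannot be entered as the tag and belongs in the ID/Name field.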
