Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE Authorization profile

I am trying to create an authorization profile in ISE. My vlan for that profile is 50. When I try to add the Tag ID as 50 it is not allowing me to do so.

The message I am getting is : “Tag ID should contain only numerical value and in the range 0-31. How can the vlan be 0”. How to deal with this issue when my vlan ids are higher then 31.

I was wondering if anyone else had similar issue? Or am I missing anything.


Tarik Admani

Please post a screenshot of what you are trying to configure.


Tarik Admani
*Please rate helpful posts*


Leave the tag id alone, you need put the vlan name/number in the field right next to it.


Tarik Admani
*Please rate helpful posts*

Thanks Tarik. What is the purpose of Tag ID. If I leave it blank I get an error message."Please configureTag ID for the definedVlan in common taks".

I can just put any Tag ID (eg :1) and put the actual Vlan id (50) in ID/Name.

Just curious what is the purpose of Tag ID?



I have the same question. Do you now know what's the purpose of Tag ID?

Kind regards,


Ravi Singh
Rising star

The tag, also called the security group tag (SGT),  allows ISE to enforce access control policies by enabling the endpoint  device to act upon the SGT to filter traffic.


Ds, was referring to the radius attributes that are used for dynamic vlan assignment (the 3 attributes) and the tag which passes back the vlan id can be configured. His question was referring to what the different values stood for.

Tarik Admani
*Please rate helpful posts*

Ok so what does the "Tag ID" stand for or do? What is it's purpose? I can't seem to find any details for it in the ISE documentation.

Thanks for any help on this.

If we look at RFC 4675 for RADIUS VLAN and Priority Attibutes, it defines Tag ID is the tag indication field and it is one octet in length. It indicates whether the frames on the VLAN are tagged (0x31) or untagged (0x32). In ASCII this coincidences to 0x31 = ASCII '1' or untagged 0x32 = ASCII '2'.

This defaults to 1 in ISE 2.4.
Cisco Employee

Tag is used to combine multiple attributes so the NAD understands multiple attributes being sent to be processed together. I have yet to see any use case for multiple tags. But in the case of VLAN assignment, you have to send 3 separate attributes which makes the dVLAN work so the tag glues three attributes together to make it work. I am showing example where the tag is 2 for the sake of discussion, but ISE will do this automatically when using common tasks for VLAN assignment:

Screen Shot 2019-02-20 at 10.13.27 AM.png

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube