I have a policy set in ISE for my wired MAB devices. I then have various AuthZ rules matching my profiles. If the device doesn't match any of these, we hit the default AuthZ profile, which has a result on it to put these devices in an internet-only VLAN. For any device hitting this result, the configured VLAN on the switchport will NOT be the internet-only VLAN, so the dynamic VLAN assignment is pushed from ISE. This works for my devices on DHCP.
I have a device which has a static IP assigned to it, and this doesn't work. Yes, I know the device itself won't get an IP in the new VLAN because it is configured statically. BUT what I would expect to happen is the following:
Let's say the switch is configured for VLAN 20 and the internet-only VLAN is VLAN 100. The device has a static IP configured on it for VLAN 20. This is an RFID reader, I believe, in this example. So my device connects to the switchport and gets the Auth result to change the VLAN to 100. The device is still able to communicate. I would expect the switchport to be put into VLAN 100 while the IP stays the same. So I have a VLAN 20 IP address/MAC address in VLAN 100 on the switchport, which would then cause the device to have no connectivity to anything. But what happens is the switchport stays in VLAN 20 and the VLAN 20 static IP on the device is still able to communicate. I don't have a dACL applied to this result, as VLAN 100 terminates on my FW.
Is there any documentation as to the behavior in this scenario? Shouldn't the switchport be changed to operational VLAN 100? The device has a VLAN 20 IP, learned in VLAN 100, so it shouldn't be able to do anything. But instead the port stays in VLAN 20 and the device can do whatever VLAN 20 is allowed to do.
As I understand, you don't get dynamic VLAN assignment from ISE? You must have "aaa authorization network" configured on the NAD, pointing to your NAS group name, and on ISE, in your "Authorization Profile", you configure the VLAN number (which must already be created on the switch) or VLAN name (which means a VLAN with the exact same name must exist on the switch). The dynamically assigned VLAN will not show up in the "show run" configuration of the port, because ISE does not change the switch config; it will show up in "show access-session interface xyz detail" or "show authentication session interface xyz detail".
Thanks for the response. I have the dynamic VLAN working. If a device running DHCP gets a dynamic VLAN assignment, it works. What I'm asking about is what if a device has a static IP but is supposed to have a dynamic VLAN assignment.
I know they won't get the new IP, but I would expect the switchport to operate in the dynamic VLAN and not in the 'switchport access vlan x' mode.
If a device has a static IP in VLAN 20 and the switchport is configured for 'switchport access vlan 20' but the device gets a dynamic VLAN assignment of 100, because it is unknown in this case, then I would expect a device with an IP of VLAN 20 existing in VLAN 100, which shouldn't work. The ISE policy should have the switchport operating in VLAN 100. But, my testing shows that the switchport still operates in VLAN 20 in this case. Is this expected behavior? Why would the switchport operate in VLAN 20 and not VLAN 100 in this case?
If the port is statically configured in VLAN 20, and in the output of "show access-session interface xyz detail" or "show authentication session interface xyz detail" you don't see VLAN 100, it means that even though you may have configured dynamic VLAN assignment, something is wrong and it is not enforced. Use "debug radius authentication" to confirm you get the VLAN and it's applied. As said, "show run" will always show the admin-configured VLAN; ISE cannot change the running-config.
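As an added illustration (not code from anyone in this thread or from Cisco), the check the reply above describes, written out in Python: read the session detail output for the VLAN that ISE pushed, read the running-config for the admin VLAN, and compare both against the address the host is actually using. The sample outputs are constructed to resemble the layout of "show access-session interface <if> details" and "show running-config interface" on an IOS-XE switch, the MAC/IP/VLAN values are made up, and the VLAN-to-subnet map is an assumption you would replace with your own SVIs or IPAM data. It flags two conditions: the session is authorized but no VLAN came back from ISE (the "not enforced" case), and the host's static address belongs to a different VLAN than the one the port is operating in (the RFID reader case from the question).

```python
import ipaddress
import re

# Constructed sample laid out like "show access-session interface <if> details" on an
# IOS-XE switch; MAC, IP and VLAN values are made up for this example.
SESSION_VLAN_PUSHED = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.56bf.0001
         IPv4 Address:  10.20.0.55
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth

Server Policies:
           Vlan Group:  Vlan: 100

Method status list:
       Method           State
       mab              Authc Success
"""

# Same port, constructed so that ISE returned no VLAN: nothing under Server Policies.
SESSION_NO_VLAN = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0050.56bf.0001
         IPv4 Address:  10.20.0.55
               Status:  Authorized
               Domain:  DATA

Method status list:
       Method           State
       mab              Authc Success
"""

# Constructed "show running-config interface" excerpt: the admin VLAN that ISE never edits.
RUN_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 authentication port-control auto
 mab
"""

# Assumed VLAN-to-subnet map; take it from the switch SVIs or your IPAM in practice.
VLAN_SUBNETS = {
    20: ipaddress.ip_network("10.20.0.0/24"),
    100: ipaddress.ip_network("10.100.0.0/24"),
}

FIELD_RE = re.compile(r"^\s*([^:]+?):\s+(.+?)\s*$")


def parse_session(text):
    """Pick the 'Key:  value' pairs out of the session detail output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    m = re.search(r"Vlan:\s*(\d+)", fields.get("Vlan Group", ""))
    return {
        "interface": fields.get("Interface"),
        "mac": fields.get("MAC Address"),
        "ip": fields.get("IPv4 Address"),
        "status": fields.get("Status"),
        "assigned_vlan": int(m.group(1)) if m else None,  # VLAN pushed by ISE, if any
    }


def parse_static_vlan(run_config):
    """Return the 'switchport access vlan N' value, or None if the port has none."""
    m = re.search(r"^\s*switchport access vlan (\d+)", run_config, re.MULTILINE)
    return int(m.group(1)) if m else None


def vlan_for_ip(ip, subnets):
    """Which VLAN's subnet contains this address (None if no subnet matches)."""
    addr = ipaddress.ip_address(ip)
    return next((vlan for vlan, net in subnets.items() if addr in net), None)


def check_port(session_text, run_config, subnets):
    """Compare the pushed VLAN with the static VLAN and with the host's own address."""
    sess = parse_session(session_text)
    static_vlan = parse_static_vlan(run_config)
    # The port operates in the pushed VLAN when ISE sent one, otherwise in the admin VLAN.
    oper_vlan = sess["assigned_vlan"] if sess["assigned_vlan"] is not None else static_vlan
    ip_vlan = vlan_for_ip(sess["ip"], subnets) if sess["ip"] else None
    findings = []
    if sess["status"] == "Authorized" and sess["assigned_vlan"] is None:
        findings.append("ise_vlan_not_pushed")  # authorized, but no VLAN in the RADIUS result
    if ip_vlan != oper_vlan:
        findings.append("ip_outside_operational_vlan")  # static address from another VLAN
    return {**sess, "static_vlan": static_vlan, "operational_vlan": oper_vlan,
            "ip_vlan": ip_vlan, "findings": findings}
```

Running `check_port(SESSION_VLAN_PUSHED, RUN_CONFIG, VLAN_SUBNETS)` reports static VLAN 20, operational VLAN 100 and the finding that the 10.20.0.55 address sits outside the operational VLAN; `show run` still saying "access vlan 20" is expected and is not itself a finding. The second sample produces only "ise_vlan_not_pushed", which is the case to chase with "debug radius authentication" as the reply suggests.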