cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1045
Views
0
Helpful
2
Replies

ISE guest access

ciscoworlds
Level 4
Level 4

Hi. I configured ISE and switch for guest access. while assigning IP address to the client statically, he is redirected to the guest portal and get the configured access to the network as configured. But he cannot get IP address dynamically from DHCP server. I changed the dACL to only contain "permit ip any any" and he managed to get the IP. Even after I edited ACL and added entries which allowed everything (IP any any) to default gateway, DNS and DHCP servers, he didn't managed to get IP again! Also with "authentication open" command on the port, the client was able to get the IP from DHCP without any problem. my port configuration is as follows:

 

switchport mode access
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

2 Replies 2

ciscoworlds
Level 4
Level 4

Hi again;

After all, I assigned IP address statically and then configure a dot1x authentication rule, put it up at the top of the table (before MAB) and as seen above, gave priority to dot1x over MAB on that switch port. but the traffic matched MAB and not Dot1x rule. I disabled MAB rule on the ISE and after that point the traffic matched Dot1x on ISE. After re-enabling the MAB, the traffic again matched MAB rule again. my Dot1x rule has been configured as this:

 

if **(Wired_802.1X OR Wireless_802.1X) ---- **Allow Protocols: PEAP-ONLY

 

Am I missing something?

Thanks everyone for your cooperation on this!!!

I solved it by myself. Despite that I used this method on ISE 2.0 successfully but now with ISE 2.2, it doesn't work this way (I downgraded switch IOS to a version mentioned on Cisco official website too). As I knew the combination of "authentication priority dot1x mab"and "authentication order mab dot1x " on a switch port should gave priority to dot1x, while any dot1x start/request packet is received by switch port. But it seems that this behavior is changed either on ISE or switch IOS. 

I only changed authentication order to dot1x then mab and it worked well.