ISE / IBNS 2.0 and service template

 

Doing dot1x on LAN with ISE and IBNS 2.0 mode, there are 3 ways of setting up parameters such as VLAN and ACL during authorization, as far as I understood.

 

1) You can just return the good RADIUS arguments in your ISE response without using any service template.

2) You can define a service template locally on the switch and return its name in a subscriber:service-name=xxx cisco-av-pair argument.

3) You can define the service template on the ISE in a service-template type authorization profile and return a download-request=xxx cisco-av-pair argument, which will instruct the switch to download the service template to use from the ISE.

 

Now my question, and what is not clear to me, is: what is the advantage, if any, of using service templates as in 2) and 3) compared to returning arguments directly as in 1)? Or what are the limitations of one method compared to another?

 

I read something about CoA but this is not clear.

 

I of course understand that for handling the critical VLAN case or for a local control policy you will need a service template on the switch, but this is something else.

 

Also, doing some tests on a 3650 switch running Fuji 16.9.4, the voice VLAN activation with a locally defined service template does not seem to work:

 

service-template ST_VOICE
 description == Voice vlan ==
 voice vlan

 

I will probably open a TAC case for this.