08-30-2017 02:43 AM
Team,
I would like to find out whether the following is possible for ISE posture with a non-compatible switch like the 2950:
Setup:
Goal:
Suggest Solution:
Regards,
Leslie
03-05-2018 06:02 AM
Hi Chyps,
But SNMP COA still wasn't working as expected, because it's not able to detect the port correctly.
We can't use this currently - 1.3.6.1.2.1.2.2.1.7.$port
The NAS port shows as 50002 and the SNMP COA is sent to port 0. It wasn't able to send the $port SNMP COA.
15054 | Sending SNMP set : - 1.3.6.1.2.1.2.2.1.7.0 = 2 | |
15054 | Sending SNMP set : - 1.3.6.1.2.1.2.2.1.7.0 = 1 |
Can you help us fix this?
regards
hasitha
03-05-2018 06:24 AM
Please post/email a copy of your NAD Profile as well as Live Log details on the value of NAS-Port and NAS-Port-Id sent by the switch.
03-05-2018 06:33 AM
03-05-2018 07:34 AM
Note that the 3rd file is the same as the first.
Since the switch itself is sending a value of NAS-Port-Id = 0, there is not much ISE can do with this value. I know in later IOS releases there are options to set or manipulate the value for this attribute, but there may not be an option to change it in cat2950 12.1.x code.
The alternative is NAS-Port. There is a separate issue where the value is not the same as the interface index. We are looking at a workaround, but cannot discuss it in a public forum. I suggest working with the Cisco account team regarding potential enhancements and continuing any further discussion related to beta code in the beta support forum.
03-05-2018 08:34 AM
03-11-2018 07:58 AM
Per separate emails, this will be addressed in ISE 2.4 for Cisco switches by allowing modification of the NAS-Port value to match the SNMP ifIndex.
03-16-2018 04:48 AM
Hi Chyps,
If possible, please make the change to address SNMP ifIndex values as we wanted, since different switches may have different SNMP ifIndex values.
e.g. 5000X to 0000X
regards
Hasitha
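The mismatch discussed in the posts above can be checked offline. The following is an added example, not code from any poster or from Cisco: it audits the logged SNMP sets against the ifIndex expected for a session's NAS-Port. The offset of 50000 is an assumption taken from the "5000X to 0000X" request and must be confirmed per switch model against the switch's own ifIndex table; the function names are hypothetical.

```python
import re

# IF-MIB ifAdminStatus; value 1 = up, 2 = down
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"
SET_LINE = re.compile(r"Sending SNMP set\s*:\s*-\s*([\d.]+)\s*=\s*(\d+)")

def nas_port_to_ifindex(nas_port, offset=50000):
    """Assumed mapping (5000X -> X). The offset differs per switch model."""
    ifindex = nas_port - offset
    if ifindex <= 0:
        raise ValueError(f"NAS-Port {nas_port} gives no valid ifIndex")
    return ifindex

def bounce_sets(ifindex):
    """OID/value pairs for a port bounce: admin down, then admin up."""
    if ifindex <= 0:
        raise ValueError("ifIndex 0 does not identify an interface")
    oid = f"{IF_ADMIN_STATUS}.{ifindex}"
    return [(oid, 2), (oid, 1)]

def audit_log(lines, nas_port, offset=50000):
    """Report every logged ifAdminStatus set that targets the wrong ifIndex."""
    expected = nas_port_to_ifindex(nas_port, offset)
    findings = []
    for line in lines:
        m = SET_LINE.search(line)
        if not m or not m.group(1).startswith(IF_ADMIN_STATUS + "."):
            continue
        suffix = m.group(1)[len(IF_ADMIN_STATUS) + 1:]
        if not suffix.isdigit():
            continue
        sent = int(suffix)
        if sent != expected:
            findings.append({"sent_ifindex": sent,
                             "expected_ifindex": expected,
                             "value": int(m.group(2))})
    return findings

# The two log lines quoted earlier in this thread
SAMPLE_LOG = [
    "15054 | Sending SNMP set : - 1.3.6.1.2.1.2.2.1.7.0 = 2 | |",
    "15054 | Sending SNMP set : - 1.3.6.1.2.1.2.2.1.7.0 = 1 |",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG, nas_port=50002):
        print(finding)
    print(bounce_sets(nas_port_to_ifindex(50002)))
```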
03-16-2018 05:43 AM
Hasitha,
I have been working with Aruna internally on this configuration and this was the conclusion provided to Aruna (and assume Aruna has passed on to you). In any case, this change has not been committed and will require enhancement. Please continue to work with Aruna on this opportunity.
Regards, Craig
03-19-2018 04:49 AM
Hi Chyps,
Thanks for the quick reply. We have another concern with 2950G switches.
How can we give access for guest users?
Switch ports were configured with dot1x and don't support the MAB (MAC authentication bypass) feature on the ports.
So how can we get a captive portal using the DHCP/DNS based redirect method or using any other method?
Can you tell us any workaround for guest user authentication?
regards
Hasitha
03-27-2018 05:12 AM
Hi All,
We have seen that in the RADIUS packet there is another attribute, VSA Cisco-NAS-port=FastEthernet0/2*. But there is no place in ISE where we can use it.
Is it possible to create a RADIUS attribute map and get VSA Cisco-NAS-Port mapped to NAS-Port-Id,
where NAS-Port-Id = FastEthernet0/2*?
So then we can use NAS-Port-Id for SNMP COA?
03-27-2018 05:17 AM
Seems like this is a new question? Please ask in a new thread with a proper subject.
03-27-2018 05:21 AM
We are checking whether there is any workaround for 2950G posture check-up, so that is why we have asked in the same loop.
<<Extraneous content blocked>>
03-27-2018 05:48 AM
Currently no. The updated CoA field is specific to IETF RADIUS attributes. As discussed internally, the 2950 uses a different scheme than other Catalyst switches like 2960 for ifIndex. It was too late for ISE 2.4 to make further changes to the handling for NAS-Port-Id translation. Please continue to work with PM to help prioritize requirement for 2950.
Also, I have deleted extraneous links soliciting unrelated apps. The Community forum should not be used for the purpose of random advertising.
03-27-2018 06:05 AM
Thank you for the quick reply.
I thought we can manipulate that NAS-port ID attribute with VSA-Cisco NAS port. Seems not.
Sorry for the inconvenience.
07-15-2018 11:13 PM
Hi guys,
I have met the same question, so did you resolve it? My customer is making me crazy in that they do not allow changing the 2950 access switches, but we must do this NAC project. Thank you very much!!!