Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
786
Views
5
Helpful
2
Replies

MAB + dyn VLAN + Port Bounce

Go to solution
fabian.kaltenschnee
Beginner
Beginner

‎10-10-2019 02:51 AM - edited ‎10-10-2019 04:32 AM

Hola ISE Community,

 

im facing the the following problem. I need a Port Bounce on some Clients after registering with MAB.

 

I can do that easily with options in "Live Sessions"

 

image.png

Everything works fine.

But now i need this to work automatically. So i tried it with the results like this:

image.png

Output Switch:

image.png

So i get the vlan 66 but no port bounce happens.... (ignore "IPv4 Address: Unknown".. there is no DHCP Server in this VLAN, just for testing)

 

Now you. Why does the portbounce not work?

Is something wrong with this command?

image.png

 

Thank you some much for your help.

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎10-25-2019 03:09 AM

@Mike.Cifelli wrote:
You av-pair looks correct to me. Have you attempted to run debug aaa coa on your NAD? I assume you have properly configured dynamic-author since it works when you trigger it manually. What are you attempting to accomplish with the desired port bounce? Are you unable to potentially profile the devices you wish to have a port bounce, auto register the mac, and setup the profile coa to do a port bounce?

https://cs.co/ise-guides

i recommend checking out the prescriptive wired guides and profiler guides

 

I don't think its going to work with port bounce, what do you expect the flow to do? If you bounce the port you come back again and get into a loop? You need to put the endpoints into a group with vlan assigned to that group

 

if device unknown, profile, assign to profile endpoint group, this will cause a port bounce

if now known endpoint group then assign authz profile with vlan

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎10-10-2019 05:35 AM

You av-pair looks correct to me. Have you attempted to run debug aaa coa on your NAD? I assume you have properly configured dynamic-author since it works when you trigger it manually. What are you attempting to accomplish with the desired port bounce? Are you unable to potentially profile the devices you wish to have a port bounce, auto register the mac, and setup the profile coa to do a port bounce?

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Mike.Cifelli

‎10-25-2019 03:09 AM

@Mike.Cifelli wrote:
You av-pair looks correct to me. Have you attempted to run debug aaa coa on your NAD? I assume you have properly configured dynamic-author since it works when you trigger it manually. What are you attempting to accomplish with the desired port bounce? Are you unable to potentially profile the devices you wish to have a port bounce, auto register the mac, and setup the profile coa to do a port bounce?

https://cs.co/ise-guides

i recommend checking out the prescriptive wired guides and profiler guides

 

I don't think its going to work with port bounce, what do you expect the flow to do? If you bounce the port you come back again and get into a loop? You need to put the endpoints into a group with vlan assigned to that group

 

if device unknown, profile, assign to profile endpoint group, this will cause a port bounce

if now known endpoint group then assign authz profile with vlan

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents