Move an Authorized User to an Isolated VLAN

quangle1993
Level 1

Hi all,

While using ISE, I'm facing the need to disconnect a compliant user or guest user. I found that I can go to Operations > Live Sessions > Show CoA Action to do this. But here is the problem:

If I choose > Terminate Session, the user is disconnected but they can get access again after a while (immediately in my case).

If I choose > Terminate Session with port shutdown, the port is shut down and I can't enable this port from ISE because RADIUS does not support this. If they go to another port they can still access the network!

So, is there any way for me to disconnect/isolate a client, so that they have to meet me and ask for my approval to reconnect to the network? And I only need to configure this on ISE.

My idea is to move that user to a profile that has a DACL of deny any any, and because this is user-based, whatever port that user connects to, they are still in the isolated VLAN with the deny any any ACL. But I don't know how to do this. Any idea how to configure it on ISE?

Thanks,

Quang

3 Replies

Hi Jason,

Thanks a lot, but I can only move an Internal User to Black_List. How can I move an AD User to the Black list user group? Or do I have to move their MAC to the black list endpoint group?

The endpoints are blacklisted, not the user.