11-28-2025 09:45 AM
Hello,
I am having a weird issue with ISE 3.4 Patch 3. Printers are not getting the VLAN changed when it is pushed via CoA. It clearly shows on the authentication session that it is pushing the correct VLAN, but the IP did not change and switched to Unknown. I tried to reboot; same issue. We tried different printer models like HP and Zebra, but same behavior. We tried to plug in a PC instead and it worked right away. So it looks like something related to printers. We are using Cisco 9300 switch models.
We are using IBNS2 and apply a template on the port. Any suggestions?
Thank you,
Hani
11-28-2025 10:01 AM
What version of code is running on the Cat 9300 models? Is this issue after upgrading to ISE 3.4 Patch 3 or after a fresh installation?
What session details are shown for that port? Is this for MAB? Also, what do the RADIUS live logs show?
=====Preenayamo Vasudevam=====
***** Rate All Helpful Responses *****
11-28-2025 10:42 AM
Hello,
We are running version 17.06.03. I cannot tell if this is after upgrading, because we just did a fresh deploy on this version of ISE.
NA-CAN-MTL-IDF7-ACC-SW1#sho authentication sessions int gi4/0/20 det
Interface: GigabitEthernet4/0/20
IIF-ID: 0x165D8B63
MAC Address: 80e8.2c7a.7ee9
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 80-E8-2C-7A-7E-E9
Device-type: HP-Device
Device-name: MTL-PRN093
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 172798s
Common Session ID: 0C00F00A000025FFCBBEA876
Acct Session ID: 0x0000086c
Handle: 0xc100071f
Current Policy: DOT1X_MAB_POLICY
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Server Policies:
Vlan Group: Vlan: 150
Method status list:
Method State
dot1x Stopped
mab Authc Success
Regards,
Hani
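As an added example (not code from the thread, from Cisco, or from ISE), here is a small Python parser for the `show authentication sessions ... detail` output above. It flags sessions that were moved to a server-assigned VLAN while the switch still has no IPv4 address for the endpoint, which is the symptom in the posted session. The sample output embedded in it is constructed: the first block reproduces the posted printer session (trimmed), the second is an invented PC session on a hypothetical port gi4/0/21 with a made-up address 10.10.150.25. The per-port access VLAN table is also an assumption; gi4/0/20 on VLAN 100 matches the config posted later in the thread.

```python
"""Flag IBNS2 sessions that got a server VLAN but never learned an IPv4 address.

Added example, not part of the original thread. Sample data is constructed;
the first session block copies the printer session posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of 'show authentication sessions detail' (trimmed fields).
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet4/0/20
MAC Address: 80e8.2c7a.7ee9
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 80-E8-2C-7A-7E-E9
Device-type: HP-Device
Device-name: MTL-PRN093
Status: Authorized
Domain: DATA
Current Policy: DOT1X_MAB_POLICY
Server Policies:
Vlan Group: Vlan: 150
Method status list:
Method State
dot1x Stopped
mab Authc Success
Interface: GigabitEthernet4/0/21
MAC Address: 0011.2233.4455
IPv6 Address: Unknown
IPv4 Address: 10.10.150.25
User-Name: 00-11-22-33-44-55
Device-name: MTL-PC042
Status: Authorized
Domain: DATA
Current Policy: DOT1X_MAB_POLICY
Server Policies:
Vlan Group: Vlan: 150
Method status list:
Method State
dot1x Stopped
mab Authc Success
"""

# Assumed static access VLAN per port ('switchport access vlan' in the config).
PORT_VLANS: Dict[str, int] = {
    "GigabitEthernet4/0/20": 100,
    "GigabitEthernet4/0/21": 100,  # hypothetical PC port
}

_KV = re.compile(r"^\s*([A-Za-z0-9 \-]+?):\s+(.*)$")          # "Key: value"
_METHOD = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")  # method status rows
_METHOD_HDR = re.compile(r"^\s*Method\s+State\s*$")
_VLAN = re.compile(r"Vlan:\s*(\d+)")


@dataclass
class AuthSession:
    interface: str = ""
    mac: str = ""
    ipv4: str = ""
    status: str = ""
    device_name: str = ""
    server_vlan: Optional[int] = None          # VLAN pushed by RADIUS/CoA
    methods: Dict[str, str] = field(default_factory=dict)


def parse_session(block: str) -> AuthSession:
    """Parse one per-interface block of the 'detail' output."""
    s = AuthSession()
    in_methods = False
    for line in block.splitlines():
        if in_methods:
            m = _METHOD.match(line)
            if m:
                s.methods[m.group(1)] = m.group(2)
            continue
        if _METHOD_HDR.match(line):
            in_methods = True
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":
            s.interface = val
        elif key == "MAC Address":
            s.mac = val
        elif key == "IPv4 Address":
            s.ipv4 = val
        elif key == "Status":
            s.status = val
        elif key == "Device-name":
            s.device_name = val
        elif key == "Vlan Group":
            vm = _VLAN.search(val)
            if vm:
                s.server_vlan = int(vm.group(1))
    return s


def parse_all(text: str) -> List[AuthSession]:
    """Split multi-interface output on each 'Interface:' line and parse every block."""
    blocks = re.split(r"(?m)^(?=\s*Interface:)", text)
    return [parse_session(b) for b in blocks if "Interface:" in b]


def stale_vlan_sessions(sessions: List[AuthSession],
                        port_vlans: Dict[str, int]) -> List[AuthSession]:
    """Return authorized sessions moved off the port's static VLAN with no IPv4 learned.

    A PC normally re-addresses after the VLAN change; an endpoint that keeps
    its old lease shows 'IPv4 Address: Unknown' on the new VLAN, as in the thread.
    """
    flagged = []
    for s in sessions:
        if s.status != "Authorized" or s.server_vlan is None:
            continue
        moved = port_vlans.get(s.interface) not in (None, s.server_vlan)
        if moved and s.ipv4 == "Unknown":
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in stale_vlan_sessions(parse_all(SAMPLE_OUTPUT), PORT_VLANS):
        print(f"{s.interface} {s.mac} ({s.device_name}): authorized to VLAN "
              f"{s.server_vlan} but IPv4 still {s.ipv4}; check DHCP renewal")
```

Feed it the real `show authentication sessions detail` output of a whole switch and it lists every port where the CoA took effect on the session but the endpoint has not taken an address in the new VLAN, which separates "ISE did not push the VLAN" from "the endpoint did not renew its lease".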
11-28-2025 03:43 PM
How does your configuration look globally and at the port level?
=====Preenayamo Vasudevam=====
11-29-2025 01:39 AM
Hi
Is the printer getting an IP prior to authorization? If so, the printer will retain this DHCP lease even if its NIC is bounced.
I've seen this behaviour across all printer vendors.
Try reducing the DHCP lease time of the landing VLAN to a matter of minutes so that the printer will request a new IP on its authorization VLAN.
hth
Andy
11-29-2025 04:09 AM
Hi, but how come it works perfectly with a PC? No need to touch the DHCP. Also, if you manually configure the new VLAN, let's say 150, on the switchport, it gets an IP immediately from that VLAN (150), so it is the same behavior as ISE pushing VLAN 150 via CoA.
Here is the global config:
template WIRED_DOT1X_OPEN
dot1x pae authenticator
mab
access-session host-mode multi-domain
access-session port-control auto
access-session control-direction in
dot1x timeout tx-period 7
dot1x max-reauth-req 2
dot1x timeout quiet-period 300
dot1x timeout held-period 300
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber DOT1X_MAB_POLICY
interface GigabitEthernet4/0/20
description Printer
switchport access vlan 100
switchport mode access
device-tracking attach-policy IPDT_POLICY
no logging event link-status
storm-control broadcast level 50.00
storm-control multicast level 30.00
storm-control action trap
source template WIRED_DOT1X_OPEN
spanning-tree portfast
ip dhcp snooping limit rate 15
Regards,
Hani
11-29-2025 04:45 AM
Hi
The thread below discusses how the Windows 802.1X supplicant detects a VLAN change:
https://community.cisco.com/t5/network-access-control/dynamic-vlan-behavor/td-p/4589001
The output you posted shows that you are using MAB for the printer. Does the printer support 802.1X? If so, maybe the printer's 802.1X supplicant would support detection of a VLAN change?
hth
Andy
11-29-2025 10:00 AM
suggest refer -
=====Preenayamo Vasudevam=====
12-01-2025 04:14 AM
Hello,
Yes, you are right, the printer only supports MAB, but the policy is doing both, dot1x first, then MAB. So is there something special to it? Should it be excluded from trying MAB and have a different policy applied at the port level to only do MAB?
Regards,
Hani
12-01-2025 05:48 AM
It's not necessary; you can have the supplicant authenticate first in order, and if it doesn't work in time, move to MAB. Could you make sure you have policies or a trusted MAC address-based authentication in place? What is the version of IOS XE?
=====Preenayamo Vasudevam=====