07-16-2018 03:31 AM
Have had an ISE deployment running for some time performing DOT1x wired authentication, authorisation and profiling. Had some issues with 3650 switches but traced that to them not running in install mode. Recently we have upgraded the ISE to 2.4.0.357 and now clients all fail authentication and are rejected. No policies have changed, only the code version and patch. Anyone had any issues with 2.4 and 3650 switches?
07-16-2018 09:44 AM
Recommend opening a TAC case to troubleshoot.
07-17-2018 11:26 AM
What did you find out about bundle vs install mode? I have quite a few issues with regard to profiling on 3650s with the latest 2.4p1.
Thanks,
C.
07-17-2018 11:52 AM
Hi Christopher, had problems with 3650s in bundle mode where they would get stuck during posturing of the client. Would see switch authentication complete but never apply the redirect access list for the ISE posture check. Installed 3.6.6 in install mode and no problem.
Also found an issue with ISE 2.4 where if you are identifying network device as all locations but have that switch in a location sub group it will not match the profile set.
07-17-2018 02:59 PM
I did run into the sub group behavior you mentioned during an ACS to ISE migration. Switching from "in all locations" to "contains all locations" fixed it up though.