Send VLAN in Radius Request Packet to make Policies on ISE based on VLAN

umahar
Cisco Employee

We have a use case where the customer wants to make policies based on the VLANs from which requests are coming. Is there any way we can capture the VLANs from which endpoints try to authenticate and make policies based on these VLANs ?

We do not see any VLAN sent in any of the attributes from the radius-request packet captures in standard dot1x configuration.

Can we achieve this by tweaking any configuration on ISE and switch ?

1 Accepted Solution

Accepted Solutions

hariholla
Cisco Employee

This is possible with IBNS 2.0 starting IOS 15.2(2)E / XE 03.06.00E (15.2(1)SY for Cat6K). See the configuration below from my Cisco Live Melbourne 2015 presentation:

[attached image: Screen Shot 2016-08-29 at 1.07.44 AM.png]


9 Replies


Thank You for the response. This should solve our use case.

I will also go through your presentation in detail.

Is it dependent on version of ISE too ?

Considering this PPT is from Cisco Live 2015 Melbourne I am sure ISE 1.4 will support this feature. 

You should be able to define the authorization condition with the VLAN attributes from ISE 1.2 version.

Hi,

I am trying to make the above work on a 3560 running 15.2(2)E but I cannot configure the "access-session attribute" command.

Although "authentication display new-style" worked properly.

Please see the configuration below.

show version
Cisco IOS Software, C3560C Software (C3560c405ex-UNIVERSALK9-M), Version 15.2(2)E1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Tue 18-Nov-14 16:52 by prod_rel_team

ROM: Bootstrap program is C3560C boot loader
BOOTLDR: C3560C Boot Loader (C3560C-HBOOT-M) Version 12.2(55r)EX11, RELEASE SOFTWARE (fc1)

BLRPK5B39LOTUS uptime is 6 weeks, 2 days, 4 hours, 53 minutes
System returned to ROM by power-on
System restarted at 05:30:33 UTC Mon Jul 18 2016
System image file is "flash:/c3560c405ex-universalk9-mz.152-2.E1.bin"

(config)#access-session ?
  acl                 Application of ACLs on access-session
  cache               Set cache configuration
  interface-template  Set the interface-template sticky globally
  mac-move            Set required action when a MAC move is detected
  monitor             Apply template to monitor access sessions on the port
  template            Set the template to be applied to all ports
  tunnel vlan         Set Tunnel Vlan Id

I am seeing the same result on 4500 SUP 8E

show version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500es8-UNIVERSALK9-M), Version 03.06.04.E RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sat 13-Feb-16 12:30 by prod_rel_team

#access-session ?
  acl                 Application of ACLs on access-session
  cache               Set cache configuration
  interface-template  Set the interface-template sticky globally
  mac-move            Set required action when a MAC move is detected
  monitor             Apply template to monitor access sessions on the port
  template            Set the template to be applied to all ports
  tunnel vlan         Set Tunnel Vlan Id
  vlan-assignment     set the partial vlan attrib setting globally

umahar
Cisco Employee

I ran into this link which says that this feature should be supported from 15.2(3)E.

802.1X Authentication Services Configuration Guide, Cisco IOS Release 15E - VLAN RADIUS Attributes in Access Requests …

umahar
Cisco Employee

I was able to make this work with the 3.7 image on a 3850.

'Equals' or 'Matches' did not work.

Also the above commands are changing the legacy dot1x configuration to the new style configuration.

According to https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/sec-vlan-dot1… this feature is only supported in Cisco IOS 15.2(3)E and there is no mention of this in any other external documentation. Is it supported in 16.6.3?

We were having this same issue on our 9300 running 16.6.2. Upon looking at the captures it seems the VLAN attribute is being sent, but not how the document specifies it. Initially I tried adding the Cisco-AV-Pair option to my rule to test if it would work but had no access. While I was preparing this post, I checked again and now ISE is picking up these options and devices are authenticating.

[attached images: Capture.PNG, Capture1.PNG]

Hello,

I know it's an old post but this can help someone else.

If you are using MAB you can have this information with the NAS-Identifier attribute (32)

config# mab request format attribute 32 vlan access-vlan

and you can use it on your ISE configuration

Regards,

Jorge
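The thread shows three places the access VLAN can turn up in an Access-Request: NAS-Identifier (attribute 32) when the MAB request format is changed as Jorge describes, the standard Tunnel-Private-Group-ID attribute, and a Cisco-AV-Pair as seen in the 9300 captures. The script below is an added example, not code from this thread, from Cisco, or from ISE: it builds a constructed Access-Request in memory, parses the attribute list the way a RADIUS server would, reports every attribute that could carry the VLAN, and evaluates a simple authorization condition against it (with both an equals and a contains operator, since av-pair values arrive as "key=value" strings). The "vlan-id=NNN" av-pair key and the profile names are assumed sample values, not a documented Cisco format.

```python
"""Parse a RADIUS Access-Request and pull out the VLAN the switch reported.

Added example (not from the thread, Cisco or ISE). The packet is constructed
locally with a zero authenticator; no real switch or RADIUS server is involved.
Attribute numbers come from RFC 2865/2868; the 'vlan-id=' av-pair key is an
assumed sample format.
"""
import struct

ACCESS_REQUEST = 1
NAS_IDENTIFIER = 32
VENDOR_SPECIFIC = 26
TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1          # vendor-type 1 under vendor 9 is cisco-av-pair


def build_access_request(attrs, ident=0):
    """Serialize (type, value-bytes) pairs into an Access-Request (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def cisco_av_pair(text):
    """Encode one cisco-av-pair as the value of a Vendor-Specific attribute (RFC 2865 5.26)."""
    data = text.encode()
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, 2 + len(data)) + data


def parse_attributes(packet):
    """Yield (type, value) for each attribute; refuse malformed lengths instead of guessing."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def extract_vlan(packet):
    """Return {source: vlan_string} for every attribute that could carry the access VLAN."""
    found = {}
    for atype, value in parse_attributes(packet):
        if atype == NAS_IDENTIFIER:
            found["NAS-Identifier"] = value.decode(errors="replace")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte 0x00..0x1F is a tag, not part of the group id
            if value and value[0] <= 0x1F:
                value = value[1:]
            found["Tunnel-Private-Group-ID"] = value.decode(errors="replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR:
                text = value[6:4 + vlen].decode(errors="replace")
                key, _, val = text.partition("=")
                if "vlan" in key.lower():       # assumed key format, see docstring
                    found["cisco-av-pair:" + key] = val
    return found


def vlan_condition(reported, wanted, op="equals"):
    """Mimic an authorization condition: exact match, or substring for 'key=value' style text."""
    if op == "equals":
        return reported == wanted
    if op == "contains":
        return wanted in reported
    raise ValueError("unsupported operator " + op)


def authorize(packet, vlan_profiles):
    """First profile whose VLAN condition holds; None when no attribute carried a VLAN."""
    vlans = extract_vlan(packet)
    for vlan, profile in vlan_profiles:
        if any(vlan_condition(v, vlan) for v in vlans.values()):
            return profile
    return None


# Constructed sample: a MAB request from a port in access VLAN 200.
SAMPLE = build_access_request([
    (1, b"00-11-22-33-44-55"),                     # User-Name (MAB sends the MAC)
    (NAS_IDENTIFIER, b"200"),                      # attribute 32 formatted from the access VLAN
    (TUNNEL_PRIVATE_GROUP_ID, b"\x00200"),         # tagged form, tag byte 0x00
    (VENDOR_SPECIFIC, cisco_av_pair("vlan-id=200")),
])
NO_VLAN = build_access_request([(1, b"00-11-22-33-44-55")])
PROFILES = [("100", "Corp-Access"), ("200", "Guest-Access")]   # assumed sample profiles

if __name__ == "__main__":
    print(extract_vlan(SAMPLE))
    print(authorize(SAMPLE, PROFILES), authorize(NO_VLAN, PROFILES))
```

The parser deliberately raises on a length field that disagrees with the packet size rather than reading past the buffer, and the policy falls through to a deny (None) when no attribute carried a VLAN, which is the safe default when a switch image does not yet send the attribute.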