Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1351
Views
0
Helpful
5
Replies

Set tunnel type = GRE in ISE v1.2?

dal
Level 3
Level 3

‎11-02-2013 02:25 AM - edited ‎03-10-2019 09:03 PM

Hi.

I have a setup with Aerohive AP's and ISE as radius-server.

To use User Profiles in Aerohive, I need ISE to send some information back to the Access point via an Authorization Profile, namely this:

Tunnel-Private-Group-ID=(4095)

Tunnel-Type=GRE

Tunnel-Medium-Type=IP

It's pretty straight forward to set it up, but as soon as I click save, and then goes back in to the profile, the Tunnel-type has changed to VLAN.

A quick look into the logs confirm that too:

Tunnel-Type(tag=1) VLAN
Tunnel-Medium-Type(tag=1) 802
Tunnel-Private-Group-ID

(tag=1) 4095

With the result that the User Profile assignment is not working.

I have used this in ACS v5 for years, and it works like a charm.

But now I looking to move from ACS to ISE, but I need this to be in working order first.

Any ideas?

Thank you.

Labels:
0 Helpful
5 Replies 5

Charlie Moreton
Cisco Employee
Cisco Employee

‎11-04-2013 07:09 AM

How did you go about setting the Authorization Profile?

If you go to Policy > Policy Elements > Results then choose Results > Authorization > Authorization Profiles from the menu on the left.

Click the +Add button

I created a tunnel with the name AEROHIVE_TUNNEL and the Access Type set to ACCESS_ACCEPT

Choose the DACL to which the policy should be applied and set the Advanced Attributes.

As you can see in the screenshot the Radius:Tunnel-Private-Group-ID = IdentityGroup:Name can be changed manually by deleting the word Name and replacing it with 4095:

You can also change the Tag ID:

Once you submit, you'll receive confirmation of the save.  Leave that screen and go back in to confirm the Authorization Profile:

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

0 Helpful

dal
Level 3
Level 3
In response to Charlie Moreton

‎11-04-2013 01:28 PM

Hi, and thanks for answering.

I did exaclty as you show in your attached pictures.

But the settings changes as soon as I submitted.

But I got it working in the end. What I did was to go back and EDIT the Auth Profile.

Then the settings stuck.

Strange. Maybe a case of usupported browsers or something.

I have another question for you: Why do you have the DACL in there? Does Aerohive support that? Isn't that cisco-av-pair?

Aerohive didn't support that before. Things can have changed now, though.

Thanks again.

- Dal

0 Helpful

Charlie Moreton
Cisco Employee
Cisco Employee
In response to dal

‎11-04-2013 01:36 PM

No, you're right.  The DACL shouldn't be in there.

What browser were you using?

0 Helpful

dal
Level 3
Level 3
In response to Charlie Moreton

‎11-04-2013 01:57 PM

Firefox v24

0 Helpful

Charlie Moreton
Cisco Employee
Cisco Employee
In response to dal

‎11-04-2013 02:04 PM

Hmmm Firefox up to v24 is supported.  v25 broke a few things, but 24 should work OK.  Might want to check some logs.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents