Unable to assign VLAN/DACL from ISE to Cisco switch

ISEe
Level 1
Level 1

I've been able to assign a VLAN/DACL from ISE to a 3750X but have lost the ability recently. I've been going through trial and error, but I'm not sure what I'm missing. I can initiate reauthentication from ISE and watch the client connect again, but the CoA is not assigning the VLAN/DACL in the Authorization profile it's getting. Running 3.2p4. Any suggestions would be appreciated. Thank you

Result

User-Name: LAB
Class: CACS:AC1001010000003D08BE84D7:ise3/501715659/73
Tunnel-Type: (tag=1) VLAN
Tunnel-Medium-Type: (tag=1) 802
Tunnel-Private-Group-ID: (tag=1) 100
EAP-Key-Name: 0d:66:10:7f:5e:77:57:8c:6f:ef:db:c2:cf:57:38:74:46:44:10:eb:2f:3c:18:f8:5b:d6:90:d2:a2:2c:18:69:f8:fb:51:4f:13:2e:3a:4c:6a:d9:77:85:ed:09:25:7d:11:62:cd:f7:81:5d:2f:be:a8:26:a1:f7:d1:d9:cf:2e:ce
cisco-av-pair: ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3
MS-MPPE-Send-Key: ****
MS-MPPE-Recv-Key: ****
LicenseTypes: Essential license consumed.


3750X#show access-session int gi 1/0/20 de
Interface: GigabitEthernet1/0/20
MAC Address: 0050.569c.0c42
IPv6 Address: Unknown
IPv4 Address: 172.16.50.8
User-Name: LAB
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 157395s
Common Session ID: AC1001010000003D08BE84D7
Acct Session ID: 0x000001FA
Handle: 0x3000002C
Current Policy: ISE-POLICY

Server Policies:
Security Policy: None
Security Status: Link Unsecure

Method status list:
Method State

dot1x Authc Success
mab Stopped


CoA is configured on switch. NAD in ISE is using the same radius key on port 1700.

aaa server radius dynamic-author
client 172.16.1.11 server-key RADIUS


PradeepSingh
Level 1
Level 1

Check logs on the switch. Are you sure VLAN 100 exists on the switch?

First guess: You forgot to configure "aaa authorization network ..."

You nailed it! Thank you!!!

I had made changes when testing SGTs and had this line.

aaa authorization network cts-list1 group NAC

Added: aaa authorization network default group NAC
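As an added example (not code from this thread or from Cisco), a small Python check that reads a slice of a switch running-config and reports the gap the accepted answer pointed out: CoA (dynamic-author) configured, but no default "aaa authorization network" list, so the VLAN and dACL ISE returns are never applied. The sample config text and the function name are constructed; feed it the output of `show running-config | section aaa` to run it against a real device.

```python
import re

# Constructed sample mirroring the thread's broken state: CoA (dynamic-author)
# is configured, but only a *named* network authorization list (cts-list1)
# exists, so the switch never applies the VLAN/dACL that ISE returns.
BROKEN_CONFIG = """\
aaa new-model
aaa group server radius NAC
 server name ISE3
aaa authentication dot1x default group NAC
aaa authorization network cts-list1 group NAC
aaa server radius dynamic-author
 client 172.16.1.11 server-key RADIUS
"""
# Same slice after the fix posted in the thread.
FIXED_CONFIG = BROKEN_CONFIG + "aaa authorization network default group NAC\n"


def check_radius_authz(config: str) -> list[str]:
    """Return findings explaining why ISE-assigned VLAN/dACL would not be applied."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("missing 'aaa new-model': AAA method lists are inactive")
    # The *default* network authorization list is what lets the switch honour
    # Tunnel-* (VLAN) and CiscoSecure-Defined-ACL (dACL) attributes; the named
    # list alone (cts-list1 in the thread) was not enough.
    authz = [l for l in lines if l.startswith("aaa authorization network ")]
    if not any(re.match(r"aaa authorization network default group \S+", l) for l in authz):
        named = [l.split()[3] for l in authz]
        msg = "missing 'aaa authorization network default group <srv-group>': RADIUS VLAN/dACL not applied"
        if named:
            msg += f" (only named list(s): {', '.join(named)})"
        findings.append(msg)
    # CoA listener: 'aaa server radius dynamic-author' with at least one client.
    try:
        start = lines.index("aaa server radius dynamic-author")
    except ValueError:
        findings.append("missing 'aaa server radius dynamic-author': CoA from ISE is rejected")
    else:
        block = []
        for l in lines[start + 1:]:
            if not l.startswith(" "):
                break
            block.append(l.strip())
        if not any(l.startswith("client ") for l in block):
            findings.append("dynamic-author has no 'client <ISE-IP> server-key ...' entry")
    return findings
```

An empty "Server Policies:" section in `show access-session interface ... detail` while ISE's result carries Tunnel-Private-Group-ID and CiscoSecure-Defined-ACL, as in the original post, is the symptom this check explains.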