Cisco ISE Policy Set for a specific switchport

Hi,

I've rolled out dot1x via Cisco ISE onto a customer user network. The user access switches are 2960X. The version of ISE is 2.7 Patch 2.

There are a few issues, specifically with a group of users. I want to create a new policy set for one user in particular and put this policy above the policy for everyone else. I want the policy to do the same as the working policy, except for it to only allow a specific network port, e.g. Switch5, interface Gi3/0/30. From here, they will get a test dACL that I will use for testing purposes.

I have configured the following and enabled it, but the user is still authenticating against the all-users policy.

Unclassified : Normalised Radius : Radius Flow Type equals Wired802.1x
Network Device : Network Access : NetworkDeviceName equals switch5
Port : Radius : NAS-Port-ID equals Gi3/0/30

I hope all this makes sense. I've attached a few screenshots for clarification.

Thanks

Anthony.

 

2 Accepted Solutions

Since these two policies are doing the exact same thing (except for the dACL) could you remove the nas-port-id condition (and the dACL) to verify that you are matching on the device name.  If this match is successful, then we know that the issue is with the port id.

--
Please remember to select a correct answer and rate helpful posts


I removed the nas-port-id and found that it was the NAD device in ISE that was configured with a different name to the real switch name (embarrassing). Thanks for your help. 

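The failure mode in this thread is easy to model: ISE walks the policy sets top-down and takes the first one whose conditions all match, and the value it compares for Network Access:NetworkDeviceName is the name of the network device (NAD) object in ISE, looked up by the NAS IP address of the request, not anything the switch puts in the packet. The toy evaluator below is an added example, not Cisco ISE code or anything posted in the thread. The NAD inventory, the RADIUS requests, the policy-set names and the dACL names are constructed; the attribute names follow the dictionaries quoted in the question, and the port attribute carries the full interface name in the sample packet because the comparison is a literal string match, so it is worth confirming in the Live Log detail what the switch actually sends before relying on an abbreviated form. The `explain` helper reports which conditions of the top set failed, which is the automated version of the advice above to drop conditions one at a time until the set matches.

```python
"""Toy model of Cisco ISE policy-set selection (added example, not ISE code).

First matching policy set wins, top-down.  NetworkDeviceName is resolved from
the NAD inventory by NAS-IP-Address, so a NAD object whose name differs from
the real switch hostname silently defeats a "NetworkDeviceName equals" test.
"""
from dataclasses import dataclass

# Constructed NAD inventory: NAS-IP-Address -> NAD object name as entered in ISE.
# "SW5-Floor3" stands in for a NAD that was named unlike the real switch.
NAD_INVENTORY = {
    "10.10.5.1": "SW5-Floor3",  # assumed: real hostname is switch5
    "10.10.7.1": "switch7",
}


@dataclass(frozen=True)
class Condition:
    attribute: str  # e.g. "Network Access:NetworkDeviceName"
    value: str

    def matches(self, request: dict) -> bool:
        # ISE "equals" on a string attribute is a literal comparison; no
        # expansion of interface abbreviations such as Gi3/0/30.
        return request.get(self.attribute) == self.value


@dataclass(frozen=True)
class PolicySet:
    name: str
    conditions: tuple  # all conditions must hold (AND)
    dacl: str


# Ordered as in the thread: the single-port set sits above the all-users set.
POLICY_SETS = (
    PolicySet(
        "Test user on switch5 Gi3/0/30",
        (
            Condition("Normalised Radius:RadiusFlowType", "Wired802.1x"),
            Condition("Network Access:NetworkDeviceName", "switch5"),
            Condition("Radius:NAS-Port-Id", "GigabitEthernet3/0/30"),
        ),
        "TEST-DACL",
    ),
    PolicySet(
        "All wired users",
        (Condition("Normalised Radius:RadiusFlowType", "Wired802.1x"),),
        "PROD-DACL",
    ),
)

# Constructed RADIUS request from the switch at 10.10.5.1, port Gi3/0/30.
SAMPLE_PACKET = {
    "NAS-IP-Address": "10.10.5.1",
    "NAS-Port-Id": "GigabitEthernet3/0/30",
    "FlowType": "Wired802.1x",
}


def enrich(packet: dict, inventory: dict) -> dict:
    """Build the attribute set ISE evaluates from a raw RADIUS request."""
    return {
        "Radius:NAS-Port-Id": packet["NAS-Port-Id"],
        "Normalised Radius:RadiusFlowType": packet["FlowType"],
        # Resolved from the NAD object, keyed by NAS IP; unknown NAD -> "".
        "Network Access:NetworkDeviceName": inventory.get(packet["NAS-IP-Address"], ""),
    }


def select_policy_set(request: dict, policy_sets=POLICY_SETS):
    """Top-down, first fully matching set wins; None models falling to Default."""
    for ps in policy_sets:
        if all(c.matches(request) for c in ps.conditions):
            return ps
    return None


def explain(request: dict, policy_set: PolicySet) -> list:
    """List (attribute, expected, actual) for every condition that did not match."""
    return [
        (c.attribute, c.value, request.get(c.attribute))
        for c in policy_set.conditions
        if not c.matches(request)
    ]


def evaluate(packet: dict, inventory: dict = NAD_INVENTORY) -> dict:
    request = enrich(packet, inventory)
    chosen = select_policy_set(request)
    return {
        "policy_set": chosen.name if chosen else None,
        "dacl": chosen.dacl if chosen else None,
        "unmet_in_first_set": explain(request, POLICY_SETS[0]),
    }


if __name__ == "__main__":
    print("as misnamed :", evaluate(SAMPLE_PACKET))
    fixed = dict(NAD_INVENTORY, **{"10.10.5.1": "switch5"})
    print("after rename:", evaluate(SAMPLE_PACKET, fixed))
```

With the NAD named "SW5-Floor3" the request falls through to the all-users set and `unmet_in_first_set` names the device-name condition; renaming the NAD object to "switch5" (the fix reported above) makes the top set match and hand out the test dACL. A condition written with an abbreviated port name would show up in the same list, for the same literal-comparison reason.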

