
Reconfigure the Authorization Profile


Description of the issue

The expected VLAN is not pushed to the switches. When a virtual network is created and an IP address pool is associated with it in DNAC, the corresponding VLAN and SVI interface are created on the switches. After a user is authenticated, the appropriate VLAN ID is allocated to that session.

 

Possible causes

  • Incorrect configuration in DNAC or ISE
  • Switch provisioning failure

 

Solution

Check the configuration of the authorization profile on DNAC, ISE, and on the Switch.

 

Verify on DNAC

Verify whether the IP Address Pool has been created
  1. In Cisco DNA Center, go to Network Settings under Design.
  2. Choose Global from the left pane.
  3. Select IP Address Pools.
    Check whether the IP address pool appears in the list.

 

Verify whether the IP address pool is reserved under the appropriate site
  1. In Cisco DNA Center, go to Network Settings under Design.
  2. Choose the site under Global in the left pane.
    Check whether the IP address pool appears in the list.

 

Verify whether the virtual network has been created in Cisco DNA Center
  1. In Cisco DNA Center, go to Network Settings under Design.
    Check whether the virtual network is listed in the left pane.

 

Verify whether the IP address pool is associated with the virtual network
  1. In Cisco DNA Center, go to Fabric under Provision.
  2. Select the Fabric Domain and select the required Fabric-Enabled Site.
  3. Click Host Onboarding.
  4. Choose the virtual network.
  5. Verify whether the associated IP address pool in the virtual network has the check box selected.

 

If the issue is seen only on one switch, verify the provisioning status of the switch
  1. In Cisco DNA Center, go to Devices under Provision.
  2. In the Device Inventory, check the Provision Status of the Switch. The status should be Success.

 

Verify on ISE

Verify the authorization profile configuration on ISE

The authorization profile is used to associate an IP address pool with an endpoint or user as part of the authorization rule.

  1. In Cisco Identity Services Engine, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
  2. Select the authorization profile.
  3. Verify whether the VLAN check box is selected under Common Tasks and the ID or Name field is configured with a VLAN ID or VLAN name.

 

Verify on the Switch

Use the show run command to check whether the VRF, VLAN, and SVI interfaces are created

Following is a sample output of the show run command. This output displays a VRF, VLAN, and SVI interface.

Device# show run
vrf definition WIRED
 !
 address-family ipv4
 exit-address-family
!
.
.
.
.
.
vlan 1021
 name 20_20_20_0-WIRED
.
.
.
.
.
interface Vlan1021
 description Configured from apic-em
 mac-address 0000.0c9f.f45c
 vrf forwarding WIRED
 ip address 20.20.20.254 255.255.255.0
 ip helper-address 172.18.202.3
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 no lisp mobility liveness test
 lisp mobility 20_20_20_0-WIRED
!

 

Verify whether an appropriate VLAN has been allocated to the user
Device# show authentication sessions interface gi details
              Interface:  GigabitEthernet
                 IIF-ID:  0x10C8CBAA
            MAC Address:  0050.5682.87b8                           
           IPv6 Address:  Unknown
           IPv4 Address:  20.20.20.0
              User-Name:  00-50-56-82-87-B8
                 Status:  authorized                               
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  in
        Session timeout:  N/A
      Common Session ID:  265DA8C00000001CD33840F8
        Acct Session ID:  0x00000012
                 Handle:  0x55000012
         Current Policy:  POLICY_Gi
  Local Policies:
           Idle timeout:  65536 sec
  Server Policies:
             Vlan Group:  Vlan: 1021                               
              SGT Value:  14                                       
  Method status list:
         Method           State
          dot1x           Stopped
            mab           Authc Success  
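As an added illustration (not part of the original article), the following Python cross-checks the two switch outputs above: it reads show run and show authentication sessions ... details text, extracts the VLAN and SVI definitions and the VLAN that ISE returned under Server Policies, and reports which of the checks described above fails. The sample outputs are constructed from the excerpts on this page, and the expected VLAN name passed to check_vlan_push is an assumed parameter.

```python
import re

# Constructed sample output modelled on the page's excerpts; not captured from a real device.
SHOW_RUN = """vlan 1021
 name 20_20_20_0-WIRED
interface Vlan1021
 vrf forwarding WIRED
 ip address 20.20.20.254 255.255.255.0
"""
SHOW_AUTH = """              Interface:  GigabitEthernet1/0/1
                 Status:  authorized
  Server Policies:
             Vlan Group:  Vlan: 1021
              SGT Value:  14
"""

def parse_vlans(show_run):
    """Map VLAN id -> configured name (None if unnamed) from the 'vlan N' blocks of show run."""
    vlans = {int(i): None for i in re.findall(r"^vlan (\d+)$", show_run, re.M)}
    for i, n in re.findall(r"^vlan (\d+)\n name (\S+)$", show_run, re.M):
        vlans[int(i)] = n
    return vlans

def parse_session(show_auth):
    """Return (status, vlan) from show authentication sessions ... details output."""
    status = re.search(r"Status:\s+(\S+)", show_auth)
    vlan = re.search(r"Vlan Group:\s+Vlan:\s+(\d+)", show_auth)
    return (status.group(1) if status else None, int(vlan.group(1)) if vlan else None)

def check_vlan_push(show_run, show_auth, expected_name):
    """Return a list of findings; an empty list means the expected VLAN was pushed and exists."""
    findings = []
    vlans = parse_vlans(show_run)
    svis = {int(v) for v in re.findall(r"^interface Vlan(\d+)$", show_run, re.M)}
    status, vlan = parse_session(show_auth)
    if status != "authorized":
        findings.append(f"session status is {status}, not authorized")
    if vlan is None:  # ISE returned no VLAN: points at the authorization profile on ISE
        return findings + ["no VLAN under Server Policies: check the ISE authorization profile"]
    if vlan not in vlans:  # VLAN not on the switch: points at DNAC provisioning
        findings.append(f"VLAN {vlan} pushed by ISE is not defined on the switch")
    elif vlans[vlan] != expected_name:
        findings.append(f"VLAN {vlan} is named {vlans[vlan]!r}, expected {expected_name!r}")
    if vlan not in svis:
        findings.append(f"no SVI interface Vlan{vlan} on the switch")
    return findings
```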

 

Check whether the VLAN shows up in the output of the show interface command

For a port that has a static SGT configured instead of dot1x, with no authentication, the VLAN should show up in the output of the show interface <interface-name> command.
