We run ISE version 2.4. We have a DACL that gets assigned to specific MAC addresses to restrict their access to the LAN. One of the entries in the DACL is as below to allow the host to pick up a DHCP address:
permit udp any eq bootpc any eq bootps
When we ...
We are migrating from our ASA5520's to FPR-2110 for Anyconnect.
I have set up a standalone gateway which I can connect to and authenticate against using certificates.
I have another site where I am running the same config only there are two FPR-2110'...
We run 3850 switch stack to support our users, we run MAB authentication on the switch to authorize devices, they run IOS version 16.3.6
We see some scenarios where people connect a network dongle to the switch but cannot gain access to the network.
...
I have created an EEM script that auto-updates the description of a port based on the attached device.
My script works fine if I clear the lldp table
However if I remove and re-add a device I get an error
I am not going to include the entire scrip...
I have uploaded projects and devices to the Sandbox via script to https://devnetapi.cisco.com/sandbox/apic_em/api/v1/pnp-project When I log on to the Sandbox lab these projects are not visible, are these different environments? Is it possible to create p...
I have been doing more discovery with this and I can get it to work but not consistently. First I took the Standard PERMIT_ALL_TRAFFIC DACL and applied that to the Auth Profile, this allowed the client to connect, was authorized and downloaded the "pe...
CoA works just fine for all sites except this one. I have other sites that use DACL's without any issue, some have a local ISE server and some use an ISE server behind a DMVPN tunnel. This site is the only one behind a Checkpoint P2P tunnel and we cann...
I did not have that command, I added it but no difference. This is my AAA config:
aaa new-model
!
aaa group server radius ISER
 server-private A.B.C.D key 7 045F0E251vvvvv31
 server-private A.B.C.D key 7 070B24vvvvvv102F
 ip radius source-interface Vlan0x0
!
aaa ...
We allow all traffic over the tunnel between our two networks. Collected some more debugs, seems that when a DACL is applied it cycles between Access Challenge and Access Request. 10.241.100.15 is the Access Switch and 10.241.100.15 is the ISE server. W...
The Access Switch is a C3850 running 16.12.07. We have sites behind a DMVPN tunnel that work perfectly. The two sites we have behind a VPN managed by Checkpoint gateways do not work. ISE logs show auth was successful but if you look on the switch the p...