Hi   I've looked at guestshell on Catalyst 3ks running as L2 switches before. To get Guestshell running I used a virtualportgroup interface and assigned it the Switch's L2 management IP address (using ip unnumbered). In your environment the config would look something like: interface VirtualPortGroup0  ip unnumbered Vlan226 ! app-hosting appid guestshell  app-vnic gateway0 virtualportgroup 0 guest-interface 0  app-default-gateway 172.23.226.1 guest-interface 0 !   hth Andy ... View more

Thanks for posting this. I ran into the same issue with PI 3.6 patch 1 - primary server in an ha pair ground to a halt with 100% usage on  /dev/mapper/smosvg-varvol. I contacted TAC who referred me to this thread - the fix worked for me. cheers Andy ... View more

Hi   Yes, I see the same problem with WoL enabled devices. I increased the authentication restart for 802.1x fail/no response to 65535 seconds to decrease the amount of messages - see below.   event session-started match-all 10 class always do-until-failure 10 authenticate using dot1x retries 3 retry-time 30 priority 10 .. event authentication-failure match-first .. 5 class DOT1X_FAILED do-until-failure 10 terminate dot1x 20 authentication-restart 65535 10 class DOT1X_NO_RESP do-until-failure 10 terminate dot1x 20 authentication-restart 65535 .. event agent-found match-all 10 class always do-until-failure 10 terminate mab 20 authenticate using dot1x retries 3 retry-time 30 priority 10   when I was looking at a powershell script to whitelist pxe imaging clients (through the ISE API) I considered using the same script to whitelist WoL PC's (i.e run the script on pc shutdown to whitelist the PC mac and run the script again on pc boot to remove the PC from the whitelist). Seemed way too complicated so I dropped that idea. Script used for whitelisting is available here:   https://github.com/AdamGrossTX/PowershellScripts/tree/master/CiscoISE/External%20RESTful%20Service%20(ERS)%20API   hth Andy ... View more

Hi   I assume you have dhcp snooping enabled but are you saving the DHCP snooping binding table so that it survives a switch reload?   I've seen similar issues with Xerox MFDs that wouldn't renew their DHCP lease after a switch reload (and so wouldn't appear in the switch's dynamically recreated DHCP snooping binding table).   To resolve this, the switch's binding table was saved to flash:   ip dhcp snooping database flash:<FILENAME>   hth Andy ... View more

Hi   If you can't access the switch terminal and have snmp enabled, you can try using "snmpset" to upload a new startip-config to the switch and then reload it.   Details are here:   https://www.ciscozine.com/send-cisco-commands-via-snmp/   I've used snmpset in the past to reload switches - only catch was that the soucre ip used to send the command must be permitted in any snmp acl on the switch.   hth Andy ... View more

Hi The authentication failure should set the IdentityAccessRestriction attribute to "true". You can use this attribute in your authorization rules (have you checked if there are any exemptions in your authroization policy?). You said that the current setup used to work but has now stopped. What version of ISE are you using and has it been patched recently? hth Andy ... View more

Hi   Do any of your ISE policies use the IdentityAccessRestricted flag? The documentation below states that this flag would be set if an account was found to be disabled.   hth Andy https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html   User Access Restriction While authenticating or querying a user, Cisco ISE checks for the following:   •Is the user account disabled? •Is the user locked out? •Has the user account expired? •Is the query run outside of the specified login hours?   If the user has one of these limitations, the Active Directory Identifier::IdentityAccessRestricted attribute on the Active Directory dictionary is set to indicate that the user has restricted access. You can use this attribute in all policy rules. Active Directory identifier is the name that you enter for the Active Directory identity source. ... View more

I contacted Cisco Licensing - they stated that during DLC migration, all configured RTU licenses should be converted. This wasn't the case with the lanbase 3650 (with ipbase activated) so Cisco manually added the ipbase license to the smart account. Andy ... View more