Doing dot1x on the LAN with ISE and IBNS 2.0 mode, there are three ways of setting up parameters such as VLAN and ACL during authorization, as far as I understood:

1) You can just return the right RADIUS attributes in your ISE response without using any service template.

2) You can define a service template locally on the switch and return its name in a subscriber:service-name=xxx cisco-av-pair attribute.

3) You can define the service template on the ISE in a service-template type authorization profile and return a download-request=xxx cisco-av-pair attribute, which will instruct the switch to download the service template to use from the ISE.

Now my question, and what is not clear to me, is: what is the advantage, if any, of using service templates as in 2) and 3) compared to returning the attributes directly as in 1)? Or what are the limitations of one method compared to another? I read something about CoA, but this is not clear. I of course understand that for handling the critical VLAN case, or for a local control policy, you will need a service template on the switch, but this is something else.

Also, doing some tests on a 3650 switch running Fuji 16.9.4, the voice VLAN activation with a locally defined service template does not seem to work:

    service-template ST_VOICE
     description == Voice vlan ==
     voice vlan

I will probably open a TAC case for this.
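As an added example (not part of the original post, and not the poster's switch configuration), here is how a locally defined service template of the kind described in method 2) fits together with an IBNS 2.0 control policy on the switch side. The template and policy names (ST_VOICE, ST_CRITICAL_DATA, PMAP_DOT1X), the VLAN number and ACL name, and the interface are assumptions chosen for illustration; the ISE-side attribute shown in the comments is the one the post describes for method 2), and which one is returned is decided in the ISE authorization profile, not in this config.

```cisco
! Local service templates (assumed names; replace with your own).
! ST_VOICE is the template from the post: it is meant to be
! returned by ISE as cisco-av-pair = subscriber:service-name=ST_VOICE
! (method 2 in the post). Nothing in this file makes ISE return it.
service-template ST_VOICE
 description == Voice vlan ==
 voice vlan
!
! Critical-auth template: only ever activated locally by the control
! policy below, which is the case the post says needs a switch-side
! template. VLAN 100 and ACL-CRITICAL are assumed values.
service-template ST_CRITICAL_DATA
 description == Critical auth data vlan ==
 vlan 100
 access-group ACL-CRITICAL
!
! Class maps used by the control policy (standard IBNS 2.0 match criteria).
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
! Control policy (assumed name PMAP_DOT1X). For a normal authorization,
! whatever ISE returns (plain attributes, a local template name, or a
! downloaded template) is applied by the switch when the session is
! authorized; the policy only has to activate a template itself in the
! AAA-server-down case.
policy-map type control subscriber PMAP_DOT1X
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 event authentication-failure match-first
  10 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  20 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template ST_CRITICAL_DATA
   20 authorize
   30 pause reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
!
! Apply the policy to an access port (assumed interface).
interface GigabitEthernet1/0/1
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
 mab
 service-policy type control subscriber PMAP_DOT1X
```

After a client authenticates, `show access-session interface GigabitEthernet1/0/1 details` lists the service template(s) applied to the session, which is the quickest way to see whether a template returned by ISE (method 2) was actually activated or whether only plain attributes were applied; `show service-template ST_VOICE` confirms the switch parsed the local template as intended.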