10-17-2017 01:22 AM - edited 02-21-2020 10:36 AM
Dear Experts,
Can you help confirm: if a user is trying to authenticate via a wired port on a 2960x but couldn't provide correct credentials, can we push back a dynamic quarantine/guest VLAN from ISE instead of configuring a fallback VLAN locally on the switch?
10-17-2017 02:13 AM
My understanding is that we need to pass VLAN information in the Access-Reject message. Can we do it using Cisco ISE?
10-17-2017 02:31 AM
Attributes passed in a RADIUS Access-Reject would be ignored by the switch; you need to create a new Authorization rule and pass an Authorization profile that contains Access-Accept, but with a VLAN that you want the users to be put in. (You could also use the default rule.)
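The behaviour described in the reply above, as an added example that is not part of the original thread and is not Cisco's code: a small Python model of an authenticator that applies the RFC 3580 VLAN attributes only when they arrive in an Access-Accept. The VLAN name `QUARANTINE`, the function names and the zeroed authenticator field are assumptions made for illustration.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                    # RADIUS codes (RFC 2865)
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81   # tunnel attributes (RFC 2868)
VLAN, IEEE_802 = 13, 6                                 # values for VLAN assignment (RFC 3580)

def build_reply(code, vlan, ident=1):
    """Build a constructed RADIUS reply carrying the three VLAN attributes."""
    attrs = b""
    for atype, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM, IEEE_802)):
        attrs += struct.pack("!BBI", atype, 6, value)  # tag byte 0x00 + 24-bit value
    name = vlan.encode()
    attrs += struct.pack("!BB", TUNNEL_PGID, 2 + len(name)) + name
    authenticator = bytes(16)  # assumption: zeroed here, a real reply carries an MD5 digest
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_reply(packet):
    """Return (code, {attribute type: raw value}) or raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs

def assigned_vlan(packet):
    """VLAN the modelled authenticator would apply, or None."""
    code, attrs = parse_reply(packet)
    if code != ACCESS_ACCEPT:
        return None  # attributes in an Access-Reject are ignored, as the reply states
    ttype = int.from_bytes(attrs.get(TUNNEL_TYPE, b"")[1:], "big")
    medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM, b"")[1:], "big")
    if ttype != VLAN or medium != IEEE_802:
        return None  # all three attributes are needed for a VLAN assignment
    pgid = attrs.get(TUNNEL_PGID, b"")
    if pgid and pgid[0] <= 0x1F:  # optional leading tag byte (RFC 2868)
        pgid = pgid[1:]
    return pgid.decode() or None

if __name__ == "__main__":
    for code in (ACCESS_ACCEPT, ACCESS_REJECT):
        print(code, assigned_vlan(build_reply(code, "QUARANTINE")))
```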
10-17-2017 06:07 AM
10-17-2017 09:02 PM
10-18-2017 08:18 AM
You generally can't do that, except in specific scenarios with MAB.
10-18-2017 10:02 AM
10-19-2017 05:52 AM - edited 10-19-2017 05:53 AM
Yes, you can do this. There is an option to continue to Authorization if Authentication fails. Click on the identity store section under the Authc policy and you should see this option. See picture below.
10-19-2017 05:53 AM