We are having an issue where IP device tracking is not being properly updated on our 2960-24TC-L switches. In ISE the machine will pass authentication, a vlan will be assigned, and DACL will be assigned but the machine will have no access to the network. A sh auth sess int on the switch port will show the auth success, proper vlan assignment, and proper DACL but if you do sh ip device tracking int on the switchport it will show the port as inactive and still in the pre auth vlan. If you do a sh ip access-lists on the switch port it will show the pre auth DACL on the port and not the one shown in sh auth sess. If you do a clear ip device tracking on the switch port the machine will get the correct vlan, DACL, and the machine will have network access. We have seen the issue on 3560 and 4506 but much less than on the 2960's. We are running 15.0(1) SE 2 on the 2960's and 1.1.3 patch 6 on ISE. We have tried upgrading the switch code to SE 3 and we have tried downgrading to 12.2.(55)SE7 and still got the same results. Any suggestions would be greatly appreciated.
Make sure that you have defined Security Group Access (SGA)-enabled devices in Cisco ISE to process requests from SGA-enabled devices that can be part of the Cisco SGA solution. Any device that supports the Security Group Access solution is an SGA-enabled device.
SGA devices do not use the IP address. Instead, you must define other settings so that SGA devices can communicate with Cisco ISE.
If you are importing network devices from a previous release, you cannot import network devices in Cisco ISE, Release 1.2 that were exported from previous Cisco ISE Releases 1.1 and 1.1.x, as the import templates for these releases are different.
You can import a list of device definitions into a Cisco ISE node using a comma-separated value (CSV) file. You must first update the imported template before you can import network devices into Cisco ISE. You cannot run an import of the same resource type at the same time. For example, you cannot concurrently import network devices from two different import files.