Cisco Support Community

ISE Authorization Policy Not Working (Common issues)

 

 

Introduction:

This document discusses some common issues that users face on a daily basis.

 

Operating Condition:

This issue applies to standard user authorization sessions in a wired environment.

 

Issue:

DHCP traffic is getting blocked.

 

Possible Cause:

The preauthorization ACL could be blocking DHCP traffic.

 

Possible Resolution:

 

  • Ensure that the switch is running Cisco IOS Release 12.2.(53)SE or later.
  • Ensure that the identity group conditions are defined appropriately.
  • Check for the client machine port VLAN by using show vlan on the access switch. If the port is not showing the correct authorization profile VLAN, ensure that VLAN enforcement is appropriate to reach out to the DHCP server. If the VLAN is correct, the preauthorization ACL could be blocking DHCP traffic. Ensure that the preauthorization DACL is as follows:

[Image: DACL.png]

  • This is for URL redirect

[Image: url redirect.png]

  • This is for guest portal

[Image: guest prtal.png]

  • This is for posture communication between NAC agent and ISE (Swiss ports)

[Image: swiss port 1.png]

  • This is for posture communication between NAC agent and ISE (Swiss ports)

[Image: swiss port 2.png]

  • This is for posture communication between NAC agent and ISE (Swiss ports)

[Image: swiss port 3.png]

  • Ensure the session is created on the switch by entering show epm session summary. If the IP address of the session shown is "not available," ensure that the following configuration lines appear on the switch:

 

ip dhcp snooping vlan 30-100

ip device tracking
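
The checks above can be run against a saved running-config. The following Python script is an added example, not part of the original document or any Cisco tooling; the ACL name ACL-PREAUTH, VLAN 40 and the sample configuration are constructed, and ACL matching is simplified to entries that use "any" addresses.

```python
import re

# Constructed sample running-config; the ACL name and its entries are hypothetical.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 30-100
ip device tracking
!
ip access-list extended ACL-PREAUTH
 permit udp any any eq domain
 deny ip any any
 permit udp any eq bootpc any eq bootps
"""

def snooped_vlans(config):
    """Expand every 'ip dhcp snooping vlan' list (e.g. 30-100,200) into a set."""
    vlans = set()
    for spec in re.findall(r"^ip dhcp snooping vlan (\S+)", config, re.M):
        for part in spec.split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def acl_entries(config, name):
    """Return the entries of a named extended ACL in evaluation order."""
    m = re.search(rf"^ip access-list extended {re.escape(name)}\n((?: .+\n?)*)", config, re.M)
    return [line.strip() for line in m.group(1).splitlines()] if m else []

def dhcp_permitted(entries):
    """First match wins: the first entry covering client DHCP (UDP to port 67) decides."""
    for entry in entries:
        tok = entry.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue  # remarks and anything this simplified matcher does not model
        action, proto, rest = tok[0], tok[1], tok[2:]
        broad = proto in ("ip", "udp") and rest == ["any", "any"]
        dhcp = proto == "udp" and rest[-3:] in (["any", "eq", "bootps"], ["any", "eq", "67"])
        if broad or dhcp:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def check(config, acl, vlan):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    if not re.search(r"^ip device tracking\s*$", config, re.M):
        findings.append("missing: ip device tracking")
    if vlan not in snooped_vlans(config):
        findings.append(f"VLAN {vlan} is not covered by ip dhcp snooping vlan")
    if not dhcp_permitted(acl_entries(config, acl)):
        findings.append(f"{acl}: DHCP is not permitted before a matching deny")
    return findings
```

In the constructed sample, the DHCP permit sits below "deny ip any any", so check(SAMPLE_CONFIG, "ACL-PREAUTH", 40) reports the ACL finding even though a DHCP permit line is present.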

Reference:

ISE Troubleshooting Guide

Version history: Revision 2 of 2. Last update: 08-29-2017 03:50 AM