Hi All,
I have MS Switches on 14.33.1
MAB access policy below
My requirement is to have a fail open: "when there is an outage on ISE, the port needs to be set to open with no 802.1X".
That is why I have my critical auth VLAN as the data VLAN; in my case it is VLAN 2.
My problem, as it has been for a long time now, is that even though ISE is sending a RADIUS accept ("I see the logs on ISE"), the Meraki port is getting put in the guest VLAN.
Is the right policy being applied?
YES!
How is your policy result configured?
Do you mean the Cisco ISE policy?
Nope, the authorization profile. Under Policy > Policy Elements > Results > Authorization > Authorization Profiles
Below
If you want a specific VLAN why are you not overriding the VLAN on your Authorization Profile?
Dynamic VLAN Assignment
MS switches can dynamically assign a VLAN to a client device by configuring the switchport to use the VLAN ID received via the RADIUS attribute Tunnel-Pvt-Group-ID. It may be necessary to perform dynamic VLAN assignment on a per computer or per user basis. This can be done on your wired network via 802.1X authentication (RADIUS).
I'm not trying to move the VLAN.
The port needs to stay in its VLAN 2 when it gets a RADIUS accept,
but in my case, the switch is sending the port to the guest VLAN instead.
I don't know the answer.
It looks like you have to have RADIUS testing enabled, and if that fails, it triggers the critical auth vlan.
My critical auth VLAN is the same as my data VLAN. We had some issues on the ISE before but there was no impact on the port.
My issue is the guest VLAN.
Thank you!