Using Cisco ISE to send a dynamic VLAN to MS switches after 802.1x user authentication. Switch registers the dVlan and I see the client move on the dashboard; however, the client is never made aware and does not request a new DHCP address.
Do we need to bounce the port?
Switch firmware is latest (12.28) to rule out any bugs in 802.1x. Using Windows native supplicant.
Have you enabled RADIUS CoA support?
Yes we have. ISE is never sending it (validated via PCAP), only sending access-accept w/ the dVlan information.
Check out this documentation if you haven't 🙂
/CK
I have, but there is no CoA occurring, ever.
The access-accept contains the dVlan info, MS switch puts user in that VLAN, but user is never made aware and therefore doesn't request new DHCP address in the new VLAN.
Unless I'm missing something very obvious in ISE/Meraki (and yes, I've been over ALL their documentation).
You are going to need to open a support case for that one. It sounds like a bug has been introduced into 12.28 around CoA.
I have one. They swear up and down this config should work and is supported, lots of pcaps show RADIUS doing what it should do.
Figured I'd ask community in case they saw issues too.
And this is happening across multiple switches?
Yep. All the same MS350, some are still on 10.x firmware.