Dynamic VLAN Assignment: The Core Value Proposition
Without dynamic VLAN assignment, every access-layer switchport has its VLAN configured statically. Moving a user to a different department or security zone means tracking down the physical port and reconfiguring it — or deploying DHCP scope tricks that do not actually change the Layer 2 segment. At scale, this is operationally expensive and a source of configuration drift.
With dynamic VLAN assignment, ISE returns a VLAN number in the RADIUS Access-Accept message. The Cisco Catalyst 9300 reads that attribute and places the port in the designated VLAN for the duration of the authenticated session. When the session ends, the port reverts to its configured access VLAN. The same physical port can serve a corporate employee in VLAN 10, a contractor in VLAN 30, or an IoT device in a dedicated segment — based entirely on identity, not location.
This capability depends on three RADIUS attributes in the Access-Accept:
| RADIUS Attribute | Attribute Number | Value Required |
|---|---|---|
| Tunnel-Type | 64 | 13 (VLAN) |
| Tunnel-Medium-Type | 65 | 6 (IEEE 802) |
| Tunnel-Private-Group-ID | 81 | VLAN ID (number or name) |
All three attributes must be present. Missing any one of them causes the switch to ignore the VLAN assignment and leave the port in the configured access VLAN.
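To make the all-three-or-nothing rule concrete, here is an added Python example (not code from the original article, from ISE or from IOS XE) that encodes the three tunnel attributes the way an Access-Accept carries them on the wire, following RFC 2868 (Tunnel-Type and Tunnel-Medium-Type are a 1-byte tag plus a 3-byte integer; Tunnel-Private-Group-ID is an optional tag byte plus a string), and then applies the same decision the switch makes: a VLAN is applied only if all three attributes are present with the expected values and a non-empty group ID. Session-Timeout (attribute 27) decoding is included because the switch uses it to drive periodic reauthentication. The tag value 1, the attribute block without a RADIUS packet header, and all function names are assumptions made for this example.

```python
"""Build and check the RADIUS tunnel attributes behind dynamic VLAN assignment.

Hypothetical helper for illustration; wire format per RFC 2868 / RFC 2865.
"""
import struct
from typing import List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SESSION_TIMEOUT = 27
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value meaning "IEEE 802"

Attr = Tuple[int, bytes]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attrs(vlan: str, tag: int = 1, session_timeout: Optional[int] = None) -> bytes:
    """Attribute block an authorization profile with a VLAN puts in the Access-Accept.

    tag=1 is assumed here; tag 0 means untagged. Pass vlan="" to reproduce
    a profile whose VLAN box is checked with no value entered.
    """
    tagged = bytes([tag])
    out = encode_attr(TUNNEL_TYPE, tagged + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    out += encode_attr(TUNNEL_MEDIUM_TYPE, tagged + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
    out += encode_attr(TUNNEL_PRIVATE_GROUP_ID, (tagged if tag else b"") + vlan.encode())
    if session_timeout is not None:
        out += encode_attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    return out


def parse_attrs(data: bytes) -> List[Attr]:
    """Walk the TLV list, rejecting truncated or malformed attributes."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def _tagged_int(value: bytes) -> Tuple[int, int]:
    """Tag (1 byte) + 3-byte big-endian integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_str(value: bytes) -> Tuple[int, str]:
    """A leading byte of 0x00..0x1F is a tag; anything larger is string data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")


def vlan_from_accept(attrs: List[Attr]) -> Tuple[Optional[str], str]:
    """Return (VLAN id or name, reason). None means the port keeps its static access VLAN."""
    found = {t: v for t, v in attrs}
    required = ((TUNNEL_TYPE, "Tunnel-Type"), (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type"),
                (TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Private-Group-ID"))
    for attr_type, name in required:
        if attr_type not in found:
            return None, f"{name} missing: VLAN assignment ignored"
    _, tunnel_type = _tagged_int(found[TUNNEL_TYPE])
    if tunnel_type != TUNNEL_TYPE_VLAN:
        return None, f"Tunnel-Type is {tunnel_type}, expected 13 (VLAN)"
    _, medium = _tagged_int(found[TUNNEL_MEDIUM_TYPE])
    if medium != TUNNEL_MEDIUM_IEEE802:
        return None, f"Tunnel-Medium-Type is {medium}, expected 6 (IEEE 802)"
    _, group_id = _tagged_str(found[TUNNEL_PRIVATE_GROUP_ID])
    if not group_id:
        return None, "Tunnel-Private-Group-ID empty: session shows 'Vlan Group: Vlan:' with no number"
    kind = "number" if group_id.isdigit() else "name (case-sensitive lookup on the switch)"
    return group_id, f"VLAN {kind}"


def session_timeout(attrs: List[Attr]) -> Optional[int]:
    """Session-Timeout in seconds, if ISE returned one."""
    for attr_type, value in attrs:
        if attr_type == SESSION_TIMEOUT and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    good = parse_attrs(build_vlan_attrs("10", session_timeout=3600))
    print(vlan_from_accept(good), session_timeout(good))
    print(vlan_from_accept([a for a in good if a[0] != TUNNEL_MEDIUM_TYPE]))
    print(vlan_from_accept(parse_attrs(build_vlan_attrs(""))))
```

Dropping any one of the three attributes or sending an empty group ID reproduces the two failure modes described later on this page: the port silently staying in its static access VLAN, and the session detail showing Vlan Group: Vlan: with no number.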
IOS XE Switch Configuration
The switch configuration for dynamic VLAN assignment does not require any special commands beyond a correctly configured 802.1X port. The switch is already prepared to accept VLAN attributes when 802.1X is enabled. The critical point is that the switchport access vlan command sets the default VLAN — the one used when no RADIUS VLAN attribute is returned, or when the session is unauthenticated.
Base Interface Configuration
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius server ISE-Primary
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ISEsecret123
!
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISEsecret123
 auth-type any
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Corporate Workstation
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 mab
 spanning-tree portfast
The switchport access vlan 10 here is the fallback VLAN — used only if ISE does not return a VLAN attribute. In practice, your ISE policy should always return a VLAN, so this fallback should match your most restrictive default (or your quarantine VLAN).
The authentication periodic and authentication timer reauthenticate server lines enable periodic reauthentication driven by the Session-Timeout attribute from ISE. When ISE returns a session timeout in the Access-Accept, the switch reauthenticates the endpoint at that interval. If ISE changes the authorization profile (for example, after a posture assessment), the new VLAN assignment takes effect at the next reauthentication or via CoA. CoA is covered in Article 19.
VLAN Configuration Requirements
The VLANs that ISE will assign must exist on the switch. Verify:
SW1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   DATA                             active    Gi1/0/1, Gi1/0/2, Gi1/0/5
20   VOICE                            active    Gi1/0/3, Gi1/0/4
30   GUEST                            active
40   AUTH-FAIL                        active
50   CRITICAL                         active
99   MGMT                             active    Gi1/0/48
If ISE returns VLAN 10 and VLAN 10 does not exist on the switch, the assignment silently fails and the port uses the configured access VLAN. There is no error message on the switch and no failure in ISE — the session shows as authenticated but the endpoint is in the wrong VLAN. This is one of the most common dynamic VLAN troubleshooting scenarios, covered in Article 23 (Dynamic VLAN Assignment Not Working in 802.1X: Troubleshooting Guide).
ISE Configuration
Step 1: Verify Network Device Definition
ISE must have the Catalyst 9300 defined as a Network Access Device (NAD). Navigate to:
Administration > Network Resources > Network Devices > Add
- Name: SW1-C9300
- IP Address: 10.0.99.1
- RADIUS Authentication Settings: Shared Secret = ISEsecret123
- Device Type: (optional, used for policy conditions)
Step 2: Create Authorization Profiles with VLAN Assignment
Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Create one profile per VLAN or per user group. For a standard corporate employee going to VLAN 10:
Profile: Corp-Employees-VLAN10
- Name: Corp-Employees-VLAN10
- Access Type: ACCESS_ACCEPT
- Common Tasks > VLAN: check the box, enter 10
- RADIUS Attributes preview will show:
Tunnel-Type = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 10
For contractors going to VLAN 30:
Profile: Contractors-VLAN30
- Name: Contractors-VLAN30
- Access Type: ACCESS_ACCEPT
- Common Tasks > VLAN: 30
For IoT/unmanaged devices authenticated via MAB going to a dedicated VLAN (in this lab, using VLAN 30 as Guest for non-corporate MAB devices):
Profile: MAB-Guest-VLAN30
- Name: MAB-Guest-VLAN30
- Access Type: ACCESS_ACCEPT
- Common Tasks > VLAN: 30
You can also specify the VLAN by name instead of number. ISE will send the name in Tunnel-Private-Group-ID, and the switch will look up the VLAN by name. Using VLAN numbers is more reliable and avoids case-sensitivity issues.
Step 3: Configure Authorization Rules in the Policy Set
Navigate to Policy > Policy Sets. Select your existing 802.1X policy set, or create one. Under the Authorization Policy section, add rules that map user attributes to authorization profiles.
Example authorization rules (evaluated top to bottom):
| Rule Name | Conditions | Authorization Profile |
|---|---|---|
| Corp-Employees | AD1:ExternalGroups EQUALS domain.local/Users/Corp-Employees | Corp-Employees-VLAN10 |
| Contractors | AD1:ExternalGroups EQUALS domain.local/Users/Contractors | Contractors-VLAN30 |
| IP-Phones | Endpoints:EndpointProfile EQUALS Cisco-IP-Phone | Voice-VLAN20 |
| MAB-Default | NetworkAccess:EapAuthentication NOT EQUALS EAP-TLS | MAB-Guest-VLAN30 |
| Default | (catch-all) | DenyAccess |
The condition syntax in ISE 3.2 uses the Policy Conditions Library. When you create a condition based on Active Directory group membership, the format is AD1:ExternalGroups EQUALS <distinguished name>. ISE resolves group membership at authentication time by querying Active Directory via LDAP or Kerberos.
For the IP-Phones rule, ISE uses the Endpoint Profiling Database to classify the endpoint based on its MAC OUI, CDP/DHCP attributes, and HTTP user agent. The condition Endpoints:EndpointProfile EQUALS Cisco-IP-Phone matches any endpoint ISE has profiled as a Cisco IP Phone. This profiling must be enabled — navigate to Administration > System > Deployment and enable the Profiling service on the ISE node.
Step 4: Join ISE to Active Directory
For user-group-based VLAN assignment to work, ISE must query AD for group membership. Navigate to:
Administration > Identity Management > External Identity Sources > Active Directory > Add
Configure the AD join point, then under the Groups tab, add the groups you are using in authorization conditions. ISE will enumerate group membership at authentication time for each 802.1X session.
Verifying Dynamic VLAN Assignment
Switch Verification
SW1# show authentication sessions interface GigabitEthernet1/0/1 detail
Interface: GigabitEthernet1/0/1
MAC Address: c8d9.d2e1.1001
IPv6 Address: Unknown
IPv4 Address: 10.0.10.55
User-Name: DOMAIN\jsmith
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 3600s (server), Remaining: 3412s
Common Session ID: 0A00630A00000001
Acct Session ID: 0x00000001
Handle: 0x1C000001
Current Policy: POLICY_Gi1/0/1
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 10
Method status list:
Method State
dot1x Authc Success
The key line is Vlan Group: Vlan: 10 under Server Policies. This confirms that ISE returned VLAN 10 in the Access-Accept and the switch applied it to this session.
If this line reads only Vlan Group: with no VLAN number, ISE returned an empty or malformed VLAN attribute. If the line is absent entirely, ISE did not return any VLAN attribute.
ISE Verification
Navigate to Operations > RADIUS > Live Logs. Find the authentication for the endpoint and click the detail icon (magnifying glass). Scroll to the RADIUS Response Attributes section. You should see:
Tunnel-Type = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 10
If these attributes are missing from the RADIUS response, check the authorization profile configuration. If they are present but the switch is not applying them, check the switch configuration and VLAN database.
Confirming VLAN Placement
After authentication, verify the endpoint landed in the correct VLAN using the MAC address table:
SW1# show mac address-table address c8d9.d2e1.1001
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    c8d9.d2e1.1001    DYNAMIC     Gi1/0/1
VLAN 10 confirms the dynamic assignment worked. If the endpoint shows in VLAN 1 or the static access VLAN (10 in our base config, which happens to match — use a deliberately different static VLAN during testing to confirm), the RADIUS VLAN attribute is not being applied.
Dynamic VLAN with Multiple Host Modes
Single-Host and Multi-Domain
In single-host and multi-domain mode, ISE returns one VLAN per domain. The VLAN is applied to the port's access VLAN for the data domain, and to the voice VLAN for the voice domain (in multi-domain). The voice VLAN assignment from ISE is less common — most deployments rely on the static switchport voice vlan 20 command for the voice domain and only use ISE VLAN attributes for the data domain.
Multi-Auth
In multi-auth mode, each authenticated MAC address can receive a different VLAN. The switch maintains per-session VLAN tracking internally. This is verified by looking at multiple sessions on the same interface:
SW1# show authentication sessions interface GigabitEthernet1/0/4
Interface    MAC Address       Method   Domain   Status   Fg   Session ID
Gi1/0/4      001c.5804.aa01    dot1x    DATA     Auth          0A00630A00000010
Gi1/0/4      001c.5804.aa02    mab      DATA     Auth          0A00630A00000011
Gi1/0/4      0050.56a1.bb03    dot1x    DATA     Auth          0A00630A00000012
To see the VLAN assignment per session:
SW1# show authentication sessions interface GigabitEthernet1/0/4 detail | include Vlan
Vlan Group: Vlan: 10
Vlan Group: Vlan: 30
Vlan Group: Vlan: 10
VLAN Assignment by VLAN Name vs. VLAN Number
ISE can send the VLAN ID as either a number (10) or a name (DATA). The switch will accept both formats. However, using VLAN names introduces a dependency on the VLAN name being consistent across all switches in the network. A VLAN named Data on one switch and DATA on another — different cases — will cause failures on one and not the other.
The recommendation for production networks is to use VLAN numbers exclusively in the ISE authorization profile. Numbers are unambiguous and have no case to mismatch.
Interaction with Critical VLAN and Auth-Fail VLAN
Dynamic VLAN assignment applies only when ISE returns an Access-Accept with VLAN attributes. It does not interact with the Critical VLAN (used when RADIUS is unreachable) or the Auth-Fail VLAN (used when authentication fails). Those fallback VLANs are configured locally on the switch.
When ISE is unreachable, the switch uses the Critical VLAN configured on the interface, not the dynamically assigned VLAN from the previous session. When a session ends (port link down/up), the critical VLAN is assigned if ISE remains unreachable. This behavior and configuration is covered in Article 15 (Guest VLAN, Auth-Fail VLAN, and Critical VLAN in 802.1X: When and How to Use Them).
Troubleshooting
Symptom: Endpoint authenticates successfully but lands in the wrong VLAN (the static access VLAN instead of the ISE-assigned VLAN)
Cause 1: One or more of the three required RADIUS tunnel attributes is missing from the ISE authorization profile.
Fix: In ISE, navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Open the profile being applied to this endpoint. In the Common Tasks section, verify the VLAN field is checked and populated. Click the RADIUS Attributes tab to confirm all three tunnel attributes are present in the preview. Save and re-test.
Cause 2: The VLAN returned by ISE does not exist in the switch VLAN database.
Fix: Run show vlan brief on the switch and confirm the VLAN number returned by ISE is present and active. Create the VLAN if missing: vlan 10 / name DATA. Then reauthenticate the endpoint.
Symptom: show authentication sessions detail shows Vlan Group: Vlan: with no number
Cause: ISE sent the RADIUS attribute but the value was empty, or ISE sent the VLAN name and the switch could not resolve it.
Fix: Check the ISE Live Log authentication detail for this endpoint. Confirm the Tunnel-Private-Group-ID value in the RADIUS response. If it is present but empty, the authorization profile has a VLAN field checked with no value entered. If it contains a VLAN name, ensure the name exactly matches the VLAN name on the switch (show vlan brief). Switch to VLAN number to eliminate name resolution issues.
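The switch-side checks used in these two symptoms, the Vlan Group line in show authentication sessions detail and the VLAN database in show vlan brief, can be scripted so that a batch of ports is triaged consistently. The following is an added Python example, not code from the article or from Cisco: it parses constructed copies of both outputs in the same layout shown earlier on this page, classifies the session line (attribute absent, value empty, or a VLAN number), and checks an ISE-returned Tunnel-Private-Group-ID value against the VLAN database, including the exact, case-sensitive name match the switch requires. The sample outputs, the extra VLAN 70 case and all function names are constructed for the example.

```python
"""Triage dynamic VLAN results from switch show output (hypothetical helper)."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the format of "show vlan brief" on the page.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   DATA                             active    Gi1/0/1, Gi1/0/2, Gi1/0/5
20   VOICE                            active    Gi1/0/3, Gi1/0/4
30   GUEST                            active
40   AUTH-FAIL                        active
50   CRITICAL                         active
99   MGMT                             active    Gi1/0/48
"""

# Constructed fragments of "show authentication sessions ... detail" (Server Policies block).
DETAIL_OK = "Server Policies:\n  Vlan Group:  Vlan: 10\nMethod status list:\n"
DETAIL_EMPTY = "Server Policies:\n  Vlan Group:  Vlan:\nMethod status list:\n"
DETAIL_ABSENT = "Server Policies:\nMethod status list:\n"


def parse_vlan_brief(text: str) -> Dict[int, Tuple[str, str]]:
    """Map VLAN ID -> (name, status); header and separator lines do not start with a digit."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            vlans[int(m.group(1))] = (m.group(2), m.group(3))
    return vlans


def switch_vlan_state(session_detail: str) -> str:
    """'absent' (no VLAN attribute returned), 'empty' (attribute with no value), or the VLAN shown."""
    # [ \t]* rather than \s* so an empty value does not swallow the next line.
    m = re.search(r"Vlan Group:[ \t]*Vlan:[ \t]*(\S*)", session_detail)
    if m is None:
        return "absent"
    return m.group(1) or "empty"


def check_ise_value(group_id: str, vlan_brief: str) -> str:
    """Check the Tunnel-Private-Group-ID seen in ISE Live Logs against the switch VLAN database."""
    vlans = parse_vlan_brief(vlan_brief)
    if group_id == "":
        return "EMPTY: VLAN field checked in the authorization profile with no value entered"
    if group_id.isdigit():
        vid = int(group_id)
        if vid not in vlans:
            return f"MISSING-VLAN: ISE returned VLAN {vid} but it is not in the switch VLAN database"
        name, status = vlans[vid]
        if status != "active":
            return f"INACTIVE: VLAN {vid} ({name}) exists but its status is {status}"
        return f"OK: VLAN {vid} ({name}) exists and is active"
    # A VLAN name is resolved by the switch with an exact, case-sensitive match.
    hits = [vid for vid, (name, _) in vlans.items() if name == group_id]
    if not hits:
        return f"NAME-MISMATCH: no VLAN named exactly '{group_id}' on this switch"
    return f"OK: name '{group_id}' resolves to VLAN {hits[0]}"


def triage(session_detail: str, vlan_brief: str) -> str:
    """Combine both checks the way the troubleshooting steps above do."""
    state = switch_vlan_state(session_detail)
    if state == "absent":
        return "NO-ATTRIBUTE: ISE returned no VLAN attribute; port stays in its static access VLAN"
    if state == "empty":
        return "EMPTY-OR-UNRESOLVED: check Tunnel-Private-Group-ID in the ISE Live Log detail"
    return check_ise_value(state, vlan_brief)


if __name__ == "__main__":
    for detail in (DETAIL_OK, DETAIL_EMPTY, DETAIL_ABSENT):
        print(triage(detail, SHOW_VLAN_BRIEF))
    for value in ("70", "Data", "DATA"):
        print(value, "->", check_ise_value(value, SHOW_VLAN_BRIEF))
```

Running it against captures from a real switch only requires replacing the constructed strings with the command output; the same three outcomes map directly onto the three fixes above.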
Symptom: Dynamic VLAN assignment works for 802.1X but not for MAB sessions
Cause: The ISE authorization rule for MAB sessions uses a different authorization profile, or the MAB rule hits the default deny rule before reaching the VLAN-assignment profile.
Fix: Navigate to Policy > Policy Sets > [your policy set] > Authorization Policy. Trace the authorization rule evaluation path for the MAB session. In ISE Live Logs, click the authentication detail and scroll to the Authorization Policy section — it shows which rule was matched and which profile was applied. If the MAB session is hitting a profile without VLAN attributes, update that profile or add a condition to route MAB sessions to the correct profile. Common MAB condition: NetworkAccess:AuthenticationMethod EQUALS MAB.
Symptom: After reauthentication, endpoint ends up in a different VLAN than expected
Cause: The ISE policy changed between the initial authentication and the reauthentication — for example, the endpoint was profiled after the first authentication, and the second authentication matches a more specific authorization rule.
Fix: This is often expected behavior — ISE progressively refines its policy as it learns more about the endpoint. Check ISE Live Logs for both authentication events and compare the matched authorization rule. If the VLAN change is unexpected, review the policy set for rule ordering conflicts. Authorization rules in ISE are evaluated top-to-bottom and the first match wins. A more specific rule that should match first may be positioned below a less specific catch-all rule.
What's Next
Article 15 — Guest VLAN, Auth-Fail VLAN, and Critical VLAN in 802.1X: When and How to Use Them: Dynamic VLAN assignment covers the successful authentication path, but what happens when a device cannot authenticate? Article 15 covers the three fallback VLAN mechanisms — Guest, Auth-Fail, and Critical — including when to use each, how to configure them on IOS XE, and the operational differences between them.