topic 'secondary' vlan names in ISE in Network Access Control

'secondary' vlan names in ISE

mamckenn — Mon, 11 Mar 2019 03:57:44 GMT

I am planning wired ISE for large university network where authenticated users will be assigned to a default data vlan by default.

There are a few departments across the university that will require thier own vlans, usually in specific locations.

example:

'medical' vlan name is configured on access switches in a medical building, so any users in the medical group will be placed in a medical vlan on successful authentication, so they can access sensitive information.

However, If those users go to other locations, where 'medical' is not configured on the access switches they will get no network access at all.

I would like ISE to offer a 'secondary' option of the 'default data' vlan, so the authenticated user can still access core college resources+www wherever they are, even if they are not able to access specific 'medical' resources.

thanks

'secondary' vlan names in ISE

blenka — Sat, 26 Oct 2013 00:22:00 GMT

Define VLANs Based on Enforcement States

Use the following command lines to define the VLAN names, numbers, and SVIs based on known

enforcement states in your network. Create the re

spective VLAN interfaces to

enable routing between

networks. This can be especially helpful to handle

multiple sources of traffic passing over the same

network segments—traffic from both PCs and the IP phone through which the PC is connected to the

network, for example.

Note

The first IP helper goes to the DHCP server and the se

cond IP helper sends a copy of the DHCP request

to the inline posture node for profiling.

vlan <

VLAN_number

name ACCESS

vlan <

VLAN_number

name VOICE

interface <

VLAN_number

description ACCESS

ip address 10.1.2.3 255.255.255.0

ip helper-address <

DHCP_Server_IP_address

ip helper-address <

Cisco_ISE_IP_address

interface <

VLAN_number

description VOICE

ip address 10.2.3.4 255.255.255.0

ip helper-address <

DHCP_Server_IP_address

ip helper-address <

Cisco_ISE_IP_address

Re: 'secondary' vlan names in ISE

Mikael Gustafsson — Sat, 26 Oct 2013 09:54:20 GMT

Maybe you could use Network Device Groups here?

You create a NDG for 'medical' switches and the use that in your authorization policy.

IF (device=medical) AND (user = AD group XX) THEN (vlan 'medical')

And if they dont mach that one they get a 'normal' on the next line.

IF (any) AND (user = AD group XX) THEN (vlan 'normal')

If you use Policy Sets you can use diffrent policies for diffrent NDGs, might be easier if the policy gets large.

Cheers

'secondary' vlan names in ISE

Tarik Admani — Sun, 27 Oct 2013 07:07:23 GMT

+5 for michael,

Also if you are using ISE 1.2 you have the ability to run policy sets. In each policy set you can break apart the sets based on location and then use your conditions to map to the authorization profile you want.

Thanks,

Tarik Admani
*Please rate helpful posts*