<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Dynamic Vlan Assignment in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079108#M204675</link>
    <description></description>
    <pubDate>Sun, 27 Jan 2013 13:01:55 GMT</pubDate>
    <dc:creator>Amjad Abdullah</dc:creator>
    <dc:date>2013-01-27T13:01:55Z</dc:date>
    <item>
      <title>Dynamic Vlan Assignment</title>
      <link>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079106#M204577</link>
      <description>&lt;P&gt;All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm looking for a means to secure interfaces configured in an admin vlan.&lt;/P&gt;&lt;P&gt;In an ideal world the interface would be configured with the admin vlan if the device is somehow identified (not necessarily authenticated). In the event that the device isn't identified it fails back to a standard device vlan.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I've had a look at VMPS but understand that this is a dying feature and would be a poor idea to implement it. The alternative appears to be passing a vlan tag as a RADIUS attribute.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'd be keen to know if anybody can make any suggestions as to how I could implement this? Ideally it needs to be simple with fewer complexities to go wrong.&lt;/P&gt;&lt;P&gt;To add to this, devices are hanging off of IP phones which aren't Cisco.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any help would be appreciated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Neil&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 02:59:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079106#M204577</guid>
      <dc:creator />
      <dc:date>2019-03-11T02:59:22Z</dc:date>
    </item>
    <item>
      <title>Dynamic Vlan Assignment</title>
      <link>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079107#M204605</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;ISE would be your best bet, you can configure MAB on the ports and use profiling to profile the devices. So if a phone is profiled they get assigned to the voice vlan, the client behind it can be identified via dhcp attributes..etc. Then you can assign them to the admin vlan, while setting the default vlan on the port.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 18 Jan 2013 07:09:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079107#M204605</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2013-01-18T07:09:13Z</dc:date>
    </item>
    <item>
      <title>Dynamic Vlan Assignment</title>
      <link>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079108#M204675</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Neil,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To add to what Tarik said, I would also describe that can be used with whatever radius server you have.&lt;/P&gt;&lt;P&gt;In ISE (Tarik, correct me if I am wrong) the devices are getting profiled automatically depending on many attributes and the device can be distinguished if it is an ip phone, laptop, ipad...etc. and based on that the VLAN assignment is applied.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With other radius servers you need to statically specify what VLANs the users should be put in. The VLAN assignment is being done based on the username the user is using OR the mac address the device provides.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Two weeks ago I implemented the same scenario using cisco ACS 5.3 radius server where users have multiple AD users and some other devices (ip phones, network printers...etc) and the VLAN assignment happens based on the AD group or the type of the device.&lt;/P&gt;&lt;P&gt;I manually added the mac addresses of printers in a group, ip phones in a different group..etc. and I configured the ACS to assign the VLAN based on that group. With ISE what I know is it detects the device type automatically (you have to configure a profile for device types though) and based on that it assigns a VLAN.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You need to notice one thing though, if you are configuring the switch for the dot1x authentication you need to add a configuration in the radius in order to tell the switch to use the VOICE vlan (not DATA vlan) for the phones. 
Otherwise the phone will use DATA VLAN when authenticated and not the voice VLAN, which makes only one device, the phone or the PC attached to it, work.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you use cisco switches, you need to return the cisco-av-pair attribute with value "&lt;STRONG&gt;device-traffic-class=voice&lt;/STRONG&gt;" to the phones when they authenticate. I used this with non-cisco phones and it works like a charm.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Let us know if there is anything else you need to know about dynamic vlan assignment.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope that was useful to you.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Amjad&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: blue;"&gt;Rating useful replies is more useful than saying &lt;SPAN style="color: green;"&gt; "&lt;SPAN style="text-decoration: underline;"&gt;Thank you&lt;/SPAN&gt;"&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 27 Jan 2013 13:01:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079108#M204675</guid>
      <dc:creator>Amjad Abdullah</dc:creator>
      <dc:date>2013-01-27T13:01:55Z</dc:date>
    </item>
    <item>
      <title>Dynamic Vlan Assignment</title>
      <link>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079109#M204766</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Amjad,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You are correct. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Tarik Admani &lt;BR /&gt;*Please rate helpful posts*&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 27 Jan 2013 19:33:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/dynamic-vlan-assignment/m-p/2079109#M204766</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2013-01-27T19:33:16Z</dc:date>
    </item>
  </channel>
</rss>

