topic ISE and dynamic vlan assignment in Network Access Control

ISE Dynamic VLAN assignment

pj0503311 — Mon, 11 Mar 2019 06:32:12 GMT

So we're looking to implement dynamic VLAN assignment for user-end host devices and we're a little fuzzy on the details of how to get it going. We were under the assumption that ISE (PSN) speaks directly to AD to learn information about the host device such as if it's a domain device or even what OU or security group it belonged to. But after going through some documentation that turned up from a google search it would seem this is an incorrect assumption.

This document:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/sec-ieee-8021x-vlan-assign.html

alludes to it actually being that the PSN seeks information about the host device via a local RADIUS server which in turn queries AD for the desired information. At the moment our RADIUS server simply verifies with AD that the host is in fact a domain client. The doc above says we must add some "vendor-specific tunnel attributes" to the RADIUS server's query in order to have VLAN information returned to the PSN and then passed onto the switchport.

Does this mean that the PSN does not communicate directly to AD for such information as domain credentials and OU/security group membership during 802.1x authentication?

no, it does it during the

aman.diwakar — Wed, 02 Mar 2016 18:48:37 GMT

no, it does it during the authorization phase using the authorization policy sets

ISE and dynamic vlan assignment

54545 — Thu, 22 Feb 2018 12:57:05 GMT

Hi Guys ,

i have an ISE v2.1 i am try to do dynamic vlan assignment , vlan 24 for voice an vlan 26 for data ,

the traditional way is to add manually the mac address of each device into the appropriate group then use profiling to map this group to the required vlan. even with this i see all the MACs in vlan 24 , dont know what i have done wrong here :

24 xx.x.x.x.x.x STATIC Gi0/9
24 y.y.y.y.y.yy.y DYNAMIC Gi0/9

can you please explain what should be the right way to accomplish this .

also i was told there is an other intelligent way for dynamic vlan assignment , here you dont need to enter manually the mac addresses but using the specific sensor/protocol the ISE will be will be able to detect classify the endpoints based on their profiles

thanx in advance