https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3817927#M484359 <P>Hi</P><P>&nbsp;</P><P>I'm working on a Windows radius server.</P><P>The radius authenticate by computers name and MAC address so they get specific VLAN.</P><P>Let's take an example:</P><P>I authenticate by computer name so i get VLAN 2.</P><P>If i need to go to a distant site it will still get VLAN 2 but i want the computer to get the VLAN from the distant site.</P><P>&nbsp;</P><P>Is it possible ?</P><P>If yes then which policy do i need to configure ?</P><P>&nbsp;</P><P>Thank you for your attention.</P> Tue, 12 Mar 2019 09:50:09 GMT Teayuu 2019-03-12T09:50:09Z https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3817927#M484359 <P>Hi</P><P>&nbsp;</P><P>I'm working on a Windows radius server.</P><P>The radius authenticate by computers name and MAC address so they get specific VLAN.</P><P>Let's take an example:</P><P>I authenticate by computer name so i get VLAN 2.</P><P>If i need to go to a distant site it will still get VLAN 2 but i want the computer to get the VLAN from the distant site.</P><P>&nbsp;</P><P>Is it possible ?</P><P>If yes then which policy do i need to configure ?</P><P>&nbsp;</P><P>Thank you for your attention.</P> Tue, 12 Mar 2019 09:50:09 GMT https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3817927#M484359 Teayuu 2019-03-12T09:50:09Z https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3818990#M484360 <P>You can either create rules based on network device or location names:</P> <OL> <LI>If Location A then VLAN X.</LI> <LI>If Location B then VLAN Y.</LI> </OL> <P>That doesn't scale well.&nbsp; The better solution is to use a consistent VLAN naming scheme and pass the VLAN name not the VLAN #.</P> <P>&nbsp;</P> <OL> <LI>Location A has VLAN 2 name "Data".</LI> <LI>Location B has VLAN 20 named "Data".</LI> <LI>ISE results assigns VLAN "Data".</LI> </OL> <P>This allows the user to fall onto the correct VLAN not matter the location.</P> Wed, 13 Mar 2019 17:32:23 GMT https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3818990#M484360 paul 2019-03-13T17:32:23Z https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3821115#M484361 <P>Hello, thank you for your anwser.</P><P>&nbsp;</P><P>So i did a new network policy, using the name of the client (in my situation it's a switch) then it work.</P><P>&nbsp;</P><P>example: if the request is from switch A and it's a computer in the AD group then assign VLAN A</P><P>if the request is from switch B and it's a computer in the AD group then assign VLAN B.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 18 Mar 2019 07:53:25 GMT https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3821115#M484361 Teayuu 2019-03-18T07:53:25Z https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3821545#M484362 <P>That solution works, but doesn't scale well if you have many sites.&nbsp; You are better using a standardize VLAN naming scheme and passing the VLAN name instead of the #.&nbsp; Glad you got a solution that works.</P> Mon, 18 Mar 2019 20:15:01 GMT https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3821545#M484362 paul 2019-03-18T20:15:01Z https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3821836#M484363 Mon, 25 Mar 2019 09:26:41 GMT https://community.cisco.com/t5/network-access-control/radius-distant-site/m-p/3821836#M484363 Teayuu 2019-03-25T09:26:41Z