topic Radius Proxy - Restricting Dynamic VLAN Assignment in Network Access Control

Radius Proxy - Restricting Dynamic VLAN Assignment

KatherineTran — Wed, 16 Nov 2022 17:28:02 GMT

Hi All,

When relying on an external proxy server for the return VLAN (as they have the identity information for the authorisation policy) is there any way we can define on ISE what VLANs they are actually allowed to return?

I think this could be a security issue if we are trusting external proxy servers to return dynamic VLAN information. Any idea?

Kind Regards

Re: Radius Proxy - Restricting Dynamic VLAN Assignment

Greg Gibbs — Wed, 16 Nov 2022 21:00:09 GMT

The only option I can think of that might work would be to enable the "On Access-Accept, continue to Authorization Policy" option in your RADIUS Server Sequence > Advanced Attribute Settings to let ISE perform Authorization.
You would then create AuthZ Policies with a matching condition like 'Radius·Tunnel-Private-Group-ID EQUALS <id/name>' with a resulting AuthZ Profile that sends the same VLAN in the response. If none of the defined AuthZ Policies in ISE are matched, it will respond with an Access-Reject.

I don't know if this will work, so you would need to test it in your environment.

Re: Radius Proxy - Restricting Dynamic VLAN Assignment

KatherineTran — Thu, 17 Nov 2022 16:43:16 GMT

Thanks for the response. Unfortunately, we need the authorisation policy to be returned by the external RADIUS server as it has the identity information. From my googling - I don't think it's possible on ISE!

Re: Radius Proxy - Restricting Dynamic VLAN Assignment

hslai — Sun, 20 Nov 2022 01:17:30 GMT

@KatherineTran, You are correct. VLAN is a tagged attribute and that is not being handled by what Greg described.