topic Re: ISE vlan merge in Network Access Control

ISE vlan merge

JianfengWang5009 — Thu, 02 Feb 2023 18:58:50 GMT

Our ISE server return VLAN names for various user vlans as based on user identity. Some of them doesn’t apply to certain area. On those switches, there is no corresponding vlan. We want a certain vlan host all users in such area. Say HR user log in to a switch in branch, the HR vlan doesn’t exist. I want switch put user in employees instead. How can I put a vlan with 2 name or merge 2 vlans?

Re: ISE vlan merge

ahollifield — Fri, 03 Feb 2023 13:59:17 GMT

Why change VLANs at all? What is the use-case? I don't think what you are describing is possible. If you must change VLANs, then I would put the NADs that do not have the HR VLAN into a separate NAD group and make policies accordingly so ISE doesn't push the HR VLAN to those switches.

Re: ISE vlan merge

Rodrigo Diaz — Fri, 03 Feb 2023 14:37:43 GMT

hi @JianfengWang5009 , ISE is not capable of creating/merge vlans within a switch , the ISE is capable only to assign vlans with base on your authentications.

Re: ISE vlan merge

Aref Alsouqi — Fri, 03 Feb 2023 14:56:49 GMT

I agree with @ahollifield , I don't believe what you are trying to achieve is possible. End of the day, ISE just returns attributes via RADIUS, it doesn't really dictate anything on the switches in this case. One thing you can potentially do which is quite common is to configure a parking VLAN on all the switches, and then on ISE you associate that parking VLAN to the default authorization rule. By doing so if the user/machine does not match any of the specific authorization rules, they will hit the default rule and will be placed into the parking VLAN.

Re: ISE vlan merge

hslai — Sun, 05 Feb 2023 03:09:27 GMT

@JianfengWang5009 I agree with all responded.

Perhaps, you may use VLAN groups but you need to configure them on the switches. For example, on a switch, configure the following:

vlan 10 name Employees vlan group HR vlan-list 10 vlan group Marketing vlan-list 10

Re: ISE vlan merge

JianfengWang5009 — Tue, 07 Feb 2023 14:49:15 GMT

I think this is not ISE issue but how switch handles ISE reply. The user is authenticated successful with a policy match. It is just for some location, this VLAN assignment is not proper. If we don't have the VLAN name, the switch ends up with failed authorize. So, We'd like to use a working VLAN to give it a second name.

Re: ISE vlan merge

hslai — Tue, 07 Feb 2023 20:16:44 GMT

@JianfengWang5009 As shown above, VLAN groups should help and most of Cisco catalyst switches will take the VLAN assignment from ISE and apply it as a VLAN group or a VLAN. Check out this blog -- 802.1x VLAN User Distribution (VLAN Group) -- the CCIE journey