topic Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches in Network Security

Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

cooperrocks78 — Tue, 18 Jul 2023 15:28:28 GMT

We currently have Cisco 9300 switches and the devices connect via 802.1X authentication. How can I configure Cisco switches where users can connect their laptops and it will put them in the correct VLAN automatically with 802.1X authentication. I did some research online and the only option is VMPS but it is not compatible with Cisco 9300 switches. Is there any other options or is there a separate device we can purchase? Thank you.

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

SDhaliwal — Tue, 18 Jul 2023 15:50:27 GMT

You could use Cisco ISE authorization profile feature to dynamically assign vlans as host or user authenticate.

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

MHM Cisco World — Tue, 18 Jul 2023 15:57:55 GMT

do you have AAA server ?

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

cooperrocks78 — Tue, 18 Jul 2023 16:25:31 GMT

Yes, we have a RADIUS server for AAA.

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

MHM Cisco World — Tue, 18 Jul 2023 16:30:06 GMT

802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) - IEEE 802.1X VLAN Assignment [Support] - Cisco

easy check this guide

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

cooperrocks78 — Wed, 19 Jul 2023 17:37:19 GMT

What would be the difference in configuration on the Cisco side to allow users to connect on any port and it will put them in the correct VLAN? On the NPC side, I am assuming to add each VLAN to a separate network policy and point to an AD group. This is what my current 802.1x config looks like:

description ***USER/DATA 8021x***
switchport access vlan 10
switchport mode access
switchport voice vlan 60
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
spanning-tree portfast

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

MHM Cisco World — Wed, 19 Jul 2023 17:40:11 GMT

not all PC connect to port will get same VLAN, but each PC can get differ VLAN ?

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

cooperrocks78 — Wed, 19 Jul 2023 18:08:16 GMT

correct, how would we accomplish this with RADIUS on a NPS server? What would the config look like?

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

MHM Cisco World — Wed, 19 Jul 2023 18:17:14 GMT

Will check and update you max tomorrow

Re: Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

Jonatan Jonasson — Fri, 21 Jul 2023 22:41:38 GMT

The port configuration remains the same, but the global configuration needs to have the "aaa authorization network <...>" command included.

If the RADIUS server sends in the Access-Accept response the name or id of the vlan (as cisco-avpair attributes), the device will be put into the referenced vlan.
If the RADIUS server doesn't send this in the response packet, the device will be put into whatever is default configured on the port.

There's some decent information in Cisco's guides regarding this, for example this one, with the radius attributes required mentioned there as well.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3650/sec-user-8021x-xe-3se-3650-book/sec-ieee-8021x-vlan-assign.html

I've seen a few blogs describing this for NPS as well, but I don't have any links at hand right now.

Now, depending on how big your environment is, and if you're starting to go into advanced 802.1x config like dynamic vlan assignment, I highly recommend looking into Cisco ISE as a part of the 802.1x deployment.
If nothing else, troubleshooting 802.1x authentications in ISE is a lot easier that doing so in NPS.