cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2225
Views
0
Helpful
8
Replies

User to virtual network association

NAGISWAREN2
Level 1
Level 1

Hi,

 

How does authenticated user to virtual network association work ? Does that depends on the user connected switch port VLAN ID > BD >VNI / VRF association , regardless of authentication information ? 

 

Say a user from a Business Unit A get authenticated , and we want them to get associated to Virtual Network A . how we do that ? 

 

Regards, Nagis
1 Accepted Solution

Accepted Solutions

If you rely on ISE to push policy down to interfaces that lets say are configured for 8021x Closed Auth, ISE will push the string that is configured in the matching policy authz profile that contains the unique string extracted from DNAC and configured in the authz profile. It will get pushed in the radius packet as a radius attribute that the switch will use as the identifier. The attribute looks like this in detailed ISE logs: Tunnel-Private-Group-ID (tag=1) 192_168_0_0-VN1. This identifier attribute allows the switch to map either the name or vlan id to the proper vlan. Once this happens your Anycast gateway comes up/up. Note that DNAC will automatically name the vlans which is why that string must match in ISE authz profiles. Run a show vlan on an EN and you will see what I am talking about. I hope this answers your question and is helpful.

View solution in original post

8 Replies 8

Benjamin-A
Level 1
Level 1

Hi NAGISWAREN2,

please see following Guides:

It is through a assignment in the Authorization Profile. Either you will provide VN+SGT in the Authorization Profile or an VLAN assignment.


.:|:..:|:.Please rate helpful posts.:|:..:|:.

Hi Benjamin.

Thanks. I understand how it works if assign VLAN in authorization policy. 

But in the link you provided, instead of assigning VLAN, it assigning VLAN tag or security tag. How does this get translated to actual VLAN ?

Regards, Nagis

Hi Nagis, 

 

I think it is easier to understand while using breakout session 3811: 


.:|:..:|:.Please rate helpful posts.:|:..:|:.

Hi Benjamin,

 

Thanks. but again , in the video it mentioning about assigning user to VN by assigning SGT and/or VN name. But my question is,  does this SGT/VN information get translated into VLAN(by ISE/DNAC) when the ISE deliver authorization result to access device(the authenticating edge node) ? or it deliver the actual SGT/VN info to access device , and the access device will figure it out how to translate into VLAN and assign that VLAN into the user facing port ?

Regards, Nagis

Mike.Cifelli
VIP Alumni
VIP Alumni

Based on this question: But my question is,  does this SGT/VN information get translated into VLAN(by ISE/DNAC) when the ISE deliver authorization result to access device(the authenticating edge node) ? or it deliver the actual SGT/VN info to access device , and the access device will figure it out how to translate into VLAN and assign that VLAN into the user facing port ?

 

Essentially you will rely on ISE to push down the respective CTS and authz config authorizing clients to their network.  Upon client/user authc/authz in ISE you will create an authz profile that gets assigned to your authz policy that has conditions that will be used to identify how you wish to assign certain assets/users to your different IP pools/SGTs within a certain VN.  Under the authz profile you will assign a unique identifier that is a string you can locate after you assign an IP pool under host onboarding in DNAC that can be found here: Provision->Fabric->Host Onboarding.  Under virtual networks when you assign an IP pool you will see a authentication policy string that looks like this: 192_168_0_0-VN1.  Copy that string, and place it in the vlan box for authz profile in ISE.  If this is wrong you will have issues with proper assignment & onboarding.  Within ISE under the same authz policy you will assign the SGT as well.  HTH!

I understand how you put user into particular VN by assigning authentication policy string in ISE. My question what radius parameter the ISE deliver to edge device ? Is it sent this String ”192_168_0_0-VN1 “ or instead send VLAN ID that been associated with the IP address Pool?

If it send the string in radius packet, how does the switch knows which VLAN to associate the user interface ?
Regards, Nagis

If you rely on ISE to push policy down to interfaces that lets say are configured for 8021x Closed Auth, ISE will push the string that is configured in the matching policy authz profile that contains the unique string extracted from DNAC and configured in the authz profile. It will get pushed in the radius packet as a radius attribute that the switch will use as the identifier. The attribute looks like this in detailed ISE logs: Tunnel-Private-Group-ID (tag=1) 192_168_0_0-VN1. This identifier attribute allows the switch to map either the name or vlan id to the proper vlan. Once this happens your Anycast gateway comes up/up. Note that DNAC will automatically name the vlans which is why that string must match in ISE authz profiles. Run a show vlan on an EN and you will see what I am talking about. I hope this answers your question and is helpful.

Hi Mike,

 

Thanks. That exactly what i was looking for. 

Regards, Nagis

Review Cisco Networking for a $25 gift card