Thanks for the post and I've made a tweak to our ISE authorization profile based on the link you've sent - when I can get back to site I will retest. 

My thinking is that I shouldn't need to assign the ports manually under Host Onboarding/Port Assignment (as I would need to define which ports are VN-A and which are VN-B - not what we want). Also I shouldn't need to set the VLAN in the ISE authorization profile manually either as the SGT names should match DNA/ISE and the switch and that should be enough to assign the port to the correct VLAN?

Hi Mike,

I understand your explanations and this works fine.but in this case, we will need to create an Authorization Policy per fabric and each time we add a new fabric, we will need to add a new authorization policy on ISE right?

So how can we simplify things ?

Is it possible with a Radius parameter to just send the name of the VN to the switch and then the switch will apply the proper vlan based on is VN?

Exemple :

On my lab i have 3 VNs : Corporate_VN, IoT_VN and Guest_VN

These 3 VNs are present in 3 different Fabrics with 3 different Pools per VN.

All my ports are in Guest_VN by default and i want to affect the good VN after authentication.

I just want 1 Authorization Policy "if corporate users then push Corporate_VN".

If i need to specify the Vlan Name (based on IP pool) then i will need have one Authorization Policy per Fabric.

So how can we do it with only one line, with only VN name information?

Thank you very much for your help.

---

@LudovicDS wrote:

I understand your explanations and this works fine.but in this case, we will need to create an Authorization Policy per fabric and each time we add a new fabric, we will need to add a new authorization policy on ISE right?

So how can we simplify things ?

Hi, this is subtle but important Q. When you add an IP pool to a VN you have an opportunity to name the access VLAN. For ISE AuthZ policy simplicity and scalability please consider giving VLAN same name at each fabric site:

Fabric site 1 - VN1 - IP pool 10.10.1.1/24 - VLAN name = CORP

Fabric site 2 - VN1 - IP pool 10.10.2.1/24 - VLAN name = CORP

Fabric site 3 - VN1 - IP pool 10.10.3.1/24 - VLAN name = CORP

This way same ISE authorization policy applies to all sites.

NB we are considering removing the auto-generated VLAN names (e.g. 192_168_0_0-VN_TEST) for same reason.

Jerome

NB we are considering removing the auto-generated VLAN names (e.g. 192_168_0_0-VN_TEST) for same reason.

-Thanks for sharing. Great to know.  What is the roadmap for this?  

Hi Mike. To be clear: It's largely a cosmetic change. We can already override auto-generated VLAN name when we add IP pool to L3VN, that has been possible for 12 months or more. I wont commit to roadmap on a public forum, I hope you'll forgive that. But, if I was to speculate, it shouldn't take too long to implement. Jerome

Ok, so simple :-)!

Really happy to read that.

Thanks Jedolphi, i have now my full answer.

Regards

I Mike Thanks for your answer.

I know how to do it with several lines but i really not understand why we need to specify the network.

Example :

I have 3 Fabric with 3 Pools and with 5 tags into my Corporate_VN.

But i only have one Corporate Pool in my Fabric.

That means that i will need 15 lines instead of 5. And also that i will need to identify the source Fabric of the Radius request.

Knowing that DNA don't Sync NAD types and locations into ISE!

So my Authorization rules will look like :

"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe1  then the result will be 10_10_10_0-VN1 Tag1"

"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe2  then the result will be 10_10_10_0-VN1 Tag2"

"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe3  then the result will be 10_10_10_0-VN1 Tag3"

"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe4  then the result will be 10_10_10_0-VN1 Tag4"

"If my NAD source is in Fabric 1 and my user is a corporate user in Groupe5  then the result will be 10_10_10_0-VN1 Tag5"

"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe1  then the result will be 10_10_11_0-VN2 Tag1"

"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe2  then the result will be 10_10_11_0-VN2 Tag2"

"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe3  then the result will be 10_10_11_0-VN2 Tag3"

"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe4  then the result will be 10_10_11_0-VN2 Tag4"

"If my NAD source is in Fabric 2 and my user is a corporate user in Groupe5  then the result will be 10_10_11_0-VN2 Tag5"

"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe1  then the result will be 10_10_12_0-VN3 Tag1"

"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe2  then the result will be 10_10_12_0-VN3 Tag2"

"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe3  then the result will be 10_10_12_0-VN3 Tag3"

"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe4  then the result will be 10_10_12_0-VN3 Tag4"

"If my NAD source is in Fabric 3 and my user is a corporate user in Groupe5  then the result will be 10_10_12_0-VN3 Tag5"

This is the same use case as if the customer do not have the same Data Vlan on all Sites (With Legacy Infra)

Moreover that also means that we can only create ISE rules when the Fabric is deployed since we cannot managed the name or the vlan ID.

Why the Radius Parameter : cisco-av-pair = cts:vn=Corporate_VN is not enough to give the switch the VN name information?

Thanks for your Help Mike :-).

I though that the switch could find this vlan information through cisco-av-pair = cts:vn=Corporate_VN radius parameter.

Is it just for description?

Thanks.

This AV pair is NOT used in any way whatsoever for assigning endpoints to access VLANs. FYI, in case it was missed, I replied above on how to have a single ISE wired AuthZ policy for multiple fabric sites. Cheers, Jerome