SDA Fabric and VLAN Auto-Assignment

Hi all, we're in the process of getting our SDA fabric deployment up and running using a fabric-in-a-box 9300 with multiple VNs and ISE policy management, but we hit an issue where I can't seem to find any online guidance.

Basically we have 2 VNs pushed to a fabric with a very simple ISE policy whereby if an endpoint has 802.1X cert 'A' it gets put into VN 'A', and vice versa for B (to simulate 2 different VRFs etc.). However, even though the ISE auth returns the correct result and the right SGTs are assigned to the auth request (which mirror those in the show cts environment-data command), the end port always stays in the critical VLAN (2047) and doesn't get allocated to the correct VLAN (1031 etc.).

We can get everything working by getting ISE to assign a VLAN, but that won't scale.

Am I missing something? In the host-onboarding stage we've not assigned any ports to VNs manually - we'd like all of the ports to be blank and let ISE dictate what VLAN/VRF to assign ports to.

Has anyone experienced this or have we missed a step out somewhere?

Accepted Solution

Hi Newbee,

could you have a look at this community post: https://community.cisco.com/t5/networking-documents/how-to-sda-host-onboarding-with-ise/ta-p/4012430

Look at the picture under "Your Authorization Profile should look like this."

The subnet IP Address Pool Name should also match the Authentication Policy, as you can see in Point 3: 'Navigate to Provision > Fabric and choose the Fabric you created, then choose "Host Onboarding"'.

In other words: IP Address Pool Name (in Authorization Profile) = Authentication Policy (DNA-C) = VLAN Name (Switch)


4 Replies

Cisco Employee

Hi,

The approach you use is correct - there is no need to do any port-specific configuration in DNAC on host-onboarding (assuming you select the proper template). Please provide the output of:

show auth session interface <...> details

for further investigation.

Regards,

Mariusz


Thanks for the post and I've made a tweak to our ISE authorization profile based on the link you've sent - when I can get back to site I will retest.

My thinking is that I shouldn't need to assign the ports manually under Host Onboarding/Port Assignment (as I would need to define which ports are VN-A and which are VN-B - not what we want). Also I shouldn't need to set the VLAN in the ISE authorization profile manually either as the SGT names should match DNA/ISE and the switch and that should be enough to assign the port to the correct VLAN?

VIP Engager

In DNAC under host onboarding you should configure the ports for type of device (user device) and closed authentication. Then for the separate ISE authz profiles ensure that you have taken the unique auth onboarding string from DNAC (looks like this: 192_168_0_0-VN_TEST) and assign that as the "vlan" in your ISE authz profile. That specific radius attribute will be used by the switch which will ensure the host gets access to the proper vlan and your anycast gateway comes up. If you run a '#show vlan' on an edge node you will see that the vlan names are identical to this onboarding string you will use in ISE. Good luck & HTH!
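As an added consistency check (my own example, not code from the thread or from any Cisco tool), the following Python script builds the onboarding string from a pool subnet and VN name, parses a constructed 'show vlan brief' sample from an edge node, and flags any ISE authorization profile whose VLAN value does not match a VLAN name on the switch, which is the mismatch that leaves a port in the critical VLAN. The '<subnet with underscores>-<VN name>' naming is inferred from the 192_168_0_0-VN_TEST string above and should be confirmed against your own 'show vlan' output.

```python
import re

# Constructed sample of 'show vlan brief' from an edge node (not real output).
# Assumption inferred from the 192_168_0_0-VN_TEST string in the thread: DNAC
# names the onboarding VLAN "<pool subnet with dots as underscores>-<VN name>".
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/24
1031 192_168_0_0-VN_TEST              active    Gi1/0/1, Gi1/0/2
1032 10_10_0_0-VN_B                   active
2047 CRITICAL_AUTH_VLAN               active
"""

# Constructed ISE authorization profiles: profile name -> value sent in the
# RADIUS VLAN (Tunnel-Private-Group-ID) attribute. "Users_B" wrongly uses a
# bare VN name, so the switch cannot map it to a VLAN and the port stays in 2047.
ISE_AUTHZ_PROFILES = {
    "Users_A": "192_168_0_0-VN_TEST",
    "Users_B": "VN_B",
}


def onboarding_vlan_name(pool_subnet: str, vn_name: str) -> str:
    """Build the DNAC onboarding string for an IP pool / VN pair."""
    return f"{pool_subnet.replace('.', '_')}-{vn_name}"


def parse_show_vlan_brief(output: str) -> dict[str, int]:
    """Map each VLAN name in 'show vlan brief' output to its VLAN ID."""
    table = {}
    for line in output.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+\S+", line)  # id, name, status
        if m:
            table[m.group(2)] = int(m.group(1))
    return table


def check_profiles(profiles: dict[str, str], vlans: dict[str, int]) -> dict[str, str]:
    """Return {profile: vlan_value} for profiles whose VLAN name is absent on the switch."""
    return {name: vlan for name, vlan in profiles.items() if vlan not in vlans}


if __name__ == "__main__":
    vlans = parse_show_vlan_brief(SHOW_VLAN_BRIEF)
    for profile, vlan in check_profiles(ISE_AUTHZ_PROFILES, vlans).items():
        print(f"{profile}: VLAN name {vlan!r} not found on edge node; "
              f"expected e.g. {onboarding_vlan_name('10.10.0.0', 'VN_B')!r}")
```

Paste real 'show vlan brief' output into SHOW_VLAN_BRIEF and export the VLAN values from your ISE profiles to run the same check against a live fabric.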