Contributor

Guest redirection using a non Cisco Switch

Hi Experts,

We are using a third party NADs (Juniper 4200EX) in our environment and want to work with wired guest redirection on these NADs.

Using the third party NAD profile provided by the community, I am able to get the following use cases working:

  1. dot1x
  2. posture
  3. VLAN change and assignment
  4. dACL assignment

I see that it's not supported with the Juniper switch NAD profile and asking to configure an authentication VLAN for the same.

There are some queries with this configuration:

  • Only one NAD profile can be used per NAD, so is there a way to keep the dot1x and guest redirection separate?
  • Would I need to make this change for the other NADs as well, which are working fine on third-party NAD profiles from here?
Accepted Solutions
Cisco Employee

Re: Guest redirection using a non Cisco Switch

May I know what you meant when you said "I see that it's not supported with the Juniper switch NAD profile and asking to configure an authentication VLAN for the same"?

It looks like Juniper does support redirect URLs, and you can combine them with a firewall filter to restrict access, just like Cisco switches use a redirect URL and redirect ACLs/dACLs.

Apparently you can use the JNPR_RSVD_FILTER_CWA filter, sent using the standard RADIUS Filter-ID attribute to limit the access and use Juniper-CWA-Redirect-URL VSA and set the value as the redirect URL.

More info here:
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/nce160-aruba-guest-access-technical-overview.html

I personally have never tried this and this is me just trying to help.
Contributor

Re: Guest redirection using a non Cisco Switch

It turns out that Juniper does not support CWA on the 4200EX series of switches.

The tested switch from Cisco is the 3200 series.

The list is provided below in the document from Juniper: here

Cisco Employee

Re: Guest redirection using a non Cisco Switch

I would recommend working through the TAC as well. I am not sure of the issue exactly and need more detail. If the Juniper doesn't support redirection, you can look at the authentication VLAN feature.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01001.html#concept_CDD87F6FE3A54351B27FF35316A23DA3

The 3300 was tested to work, other comparable platforms should then work.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/compatibility/b_ise_sdt_24.html#thirdpartyaccessswitches

When I googled "ise juniper guest" I found a lot of information; one that stood out is this one:
https://community.cisco.com/t5/identity-services-engine-ise/integrating-a-juniper-switch-with-ise-2-3/td-p/3685582