Rising star

ISE 2.4: 802.1x authz criteria by access vlan

Hi everyone,

 

Is it possible to add the switchport's access vlan as a criteria for 802.1x authorization?

For example, check certificate AND (supplicant is connected to access vlan 1020 OR access vlan 1025). Only then permit access.

4 Replies
Rising star

Re: ISE 2.4: 802.1x authz criteria by access vlan

 

The supplicant is not connected to a VLAN but runs on the end host. You define in the ISE policy which VLAN the host will be put in.

 M.

Rising star

Re: ISE 2.4: 802.1x authz criteria by access vlan

Hi,

 

Not quite what I'm asking. I'm not interested in assigning the VLAN dynamically by policy, but rather in receiving the switchport's existing access VLAN as part of the Access-Request (or via any other mechanism).

VIP Advocate RJI (Accepted Solution)

Re: ISE 2.4: 802.1x authz criteria by access vlan

Hi,
This is certainly possible using IBNS 2.0; you need to create an attribute list and include the vlan-id, e.g.:

access-session attributes filter-list list ATT_LIST
 vlan-id
access-session authentication attributes filter-spec include list ATT_LIST
access-session accounting attributes filter-spec include list ATT_LIST

The ISE AuthZ rule would check for the condition "Radius:Tunnel-Private-Group-ID CONTAINS DATA", where DATA is the name of the VLAN:

 

SWI-2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/11, Gi0/12, Gi0/13, Gi0/14
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
                                                Gi0/19, Gi0/20, Gi0/21, Gi0/22
                                                Gi0/23, Gi0/24
10   VLAN0010                         active
11   DATA                             active    Gi0/2, Gi0/3, Gi0/4, Gi0/5

 

Reference here

 

HTH
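The answer above relies on the switch reporting its access VLAN to ISE as the RADIUS attribute Tunnel-Private-Group-ID (attribute type 81, RFC 2868), carrying the VLAN name rather than the number, which is why the VLAN has to be named (DATA in the show vlan output) for the condition to work. The following is an added example, not code from the thread or from Cisco: it decodes that attribute from a constructed Access-Request attribute list and evaluates the proposed authorization condition. It assumes the attribute is encoded per RFC 2868 with an optional leading tag octet (0x00-0x1F), which the parser strips; the sample bytes are constructed here for illustration. It also shows why an exact match is safer than the "CONTAINS DATA" condition suggested above: a substring test on DATA would also accept a VLAN named, say, DATA-GUEST.

```python
"""Decode RADIUS Tunnel-Private-Group-ID and evaluate a VLAN-based authz condition.

Added example (not from the thread, not Cisco code). Assumes RFC 2868 encoding:
Type=81, Length (incl. 2-byte header), optional tag octet in 0x00..0x1F, then the
VLAN name as a string. Sample packets below are constructed, not captured.
"""

TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 attribute type
USER_NAME = 1                 # RFC 2865 attribute type, included to show other attrs are skipped


def parse_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Walk RADIUS attribute TLVs: Type (1 byte), Length (1 byte, includes header), Value."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def tunnel_private_group_ids(data: bytes) -> list[str]:
    """Return every Tunnel-Private-Group-ID value with the RFC 2868 tag octet removed.

    A first byte in 0x00..0x1F is a tag, not part of the VLAN name; anything else
    means the attribute was sent untagged.
    """
    names = []
    for atype, value in parse_attributes(data):
        if atype != TUNNEL_PRIVATE_GROUP_ID or not value:
            continue
        if value[0] <= 0x1F:
            value = value[1:]
        names.append(value.decode("ascii", errors="replace"))
    return names


def vlan_authorized(data: bytes, allowed: set[str]) -> bool:
    """Exact-match rule: permit when a reported VLAN name is in the allow list."""
    return any(name in allowed for name in tunnel_private_group_ids(data))


def vlan_contains(data: bytes, needle: str) -> bool:
    """Substring rule, equivalent to an ISE 'CONTAINS' condition; shown to expose over-matching."""
    return any(needle in name for name in tunnel_private_group_ids(data))


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute TLV (used only to construct the samples)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed samples: a host on the DATA VLAN, and one on a look-alike VLAN name.
SAMPLE_DATA_VLAN = build_attr(USER_NAME, b"host/pc1") + build_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00DATA")
SAMPLE_LOOKALIKE = build_attr(USER_NAME, b"host/pc2") + build_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00DATA-GUEST")

if __name__ == "__main__":
    allowed = {"DATA", "VLAN0010"}
    for label, pkt in (("DATA", SAMPLE_DATA_VLAN), ("DATA-GUEST", SAMPLE_LOOKALIKE)):
        print(label, tunnel_private_group_ids(pkt),
              "exact:", vlan_authorized(pkt, allowed),
              "contains DATA:", vlan_contains(pkt, "DATA"))
```

In ISE terms this means preferring EQUALS (or an anchored regex) over CONTAINS for the Tunnel-Private-Group-ID condition, and combining it with the certificate check in the same authorization rule, as the original question describes.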

 

 

Rising star

Re: ISE 2.4: 802.1x authz criteria by access vlan

Thanks,


IBNS 2.0 requires fairly modern hardware (3850 and later, for example). Any idea for a solution based on the 3750 platform?