03-31-2019 02:07 AM
Hi everyone,
Is it possible to add the switchport's access vlan as a criteria for 802.1x authorization?
For example, check certificate AND (supplicant is connected to access vlan 1020 OR access vlan 1025). Only then permit access.
03-31-2019 09:52 AM
Hi,
This is certainly possible using IBNS 2.0; you need to create an attribute list and include the vlan-id, e.g.:
access-session attributes filter-list list ATT_LIST
 vlan-id
access-session authentication attributes filter-spec include list ATT_LIST
access-session accounting attributes filter-spec include list ATT_LIST
The ISE AuthZ rule would check for the condition "Radius:Tunnel-Private-Group-ID CONTAINS DATA", where DATA is the name of the VLAN:
SWI-2#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/11, Gi0/12, Gi0/13, Gi0/14
Gi0/15, Gi0/16, Gi0/17, Gi0/18
Gi0/19, Gi0/20, Gi0/21, Gi0/22
Gi0/23, Gi0/24
10 VLAN0010 active
11 DATA active Gi0/2, Gi0/3, Gi0/4, Gi0/5
Reference here
HTH
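Added example, not code from the reply above or from ISE/IOS: a small Python model of the authorization rule it describes, evaluated against a constructed Access-Request that carries the Tunnel-Private-Group-ID the IBNS 2.0 filter list adds. Attribute names follow RFC 2868; the sample values and the function names are assumptions. It also shows the difference between CONTAINS (substring) and an exact match on the VLAN name.

```python
"""Model of the ISE authorization decision from the reply above.

Constructed example: the switch has 'vlan-id' in its access-session attribute
filter list, so the Access-Request carries the port's VLAN in the RFC 2868
tunnel attributes. Values below are constructed, not a real capture.
"""

# RADIUS attribute numbers (RFC 2868) for the tunnel attributes involved.
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # carries the VLAN name (per the reply) or ID

# Constructed Access-Request as decoded attribute-name -> value pairs.
SAMPLE_REQUEST = {
    "User-Name": "host/laptop-42.example.test",   # assumed supplicant identity
    "NAS-Port-Id": "GigabitEthernet0/3",          # a port in VLAN 11 (DATA)
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-ID": "DATA",
}


def vlan_matches(request, allowed_vlans, operator="EQUALS"):
    """Evaluate the 'Radius:Tunnel-Private-Group-ID <op> <value>' condition.

    CONTAINS is the substring test the reply's ISE condition uses; EQUALS is the
    stricter check to prefer, since CONTAINS 'DATA' also accepts 'DATA-GUEST'.
    A request without the attribute never satisfies the rule.
    """
    value = request.get("Tunnel-Private-Group-ID")
    if value is None:
        return False
    if operator == "EQUALS":
        return value in allowed_vlans
    if operator == "CONTAINS":
        return any(name in value for name in allowed_vlans)
    raise ValueError(f"unsupported operator {operator!r}")


def authorize(request, certificate_valid, allowed_vlans, operator="EQUALS"):
    """Policy from the question: valid certificate AND port in an allowed VLAN."""
    if certificate_valid and vlan_matches(request, allowed_vlans, operator):
        return "PermitAccess"
    return "DenyAccess"


if __name__ == "__main__":
    print(authorize(SAMPLE_REQUEST, True, {"DATA", "VLAN0010"}))
```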
03-31-2019 02:41 AM
- The supplicant is not connected to a VLAN but runs on the end-host. You define in the ISE policy which VLAN the host will be put in.
M.
03-31-2019 02:53 AM
Hi,
Not quite what I'm asking. I'm not interested in assigning VLAN dynamically by policy, but rather receive the switchport's existing access VLAN as part of the access-request (or any other mechanism).
03-31-2019 10:07 AM
Thanks,
IBNS 2.0 requires fairly modern hardware (3850 and later, for example). Any idea for a solution based on the 3750 platform?