802.1X: How to configure 6800 Instant Access Client specific VLAN assignments....

saulfig@cisco.com
Cisco Employee

Hi all,


I'm looking for a way to configure 802.1X on Catalyst 6800 Instant Access “switches” while using 6800ia "access switch" specific VLAN assignment.

Background:

6800ia "access switches" behave like a virtual linecard being managed/configured by their Catalyst 6500 parent switch, thus there is no way for our ISE to differentiate 6800ia "access switches" by the RADIUS source IP (all 6800ia "access switches" will share the very same source IP).


What would be the best / least painful way to configure ISE (or Catalyst 6500) to support 6800ia specific VLAN assignments? Meaning… User A should get VLAN 2 on 6800ia-1, VLAN 3 on 6800ia-2, VLAN 4 on 6800ia-3 and so forth. Any ideas or best practices you can share with me?


Thanks and regards

Sascha Ulfig

Consulting Systems Engineer

.:|:.:|:. Cisco Systems

Tel: +49 40 3767 4408

Accepted Solution

howon
Cisco Employee

Sascha, not sure why such a VLAN policy is required, and I am interested in understanding what the underlying issues are that you are trying to solve, as there may be other ways to address them. But to answer your question directly, you can try the RADIUS:NAS-Port (Attribute #5) or RADIUS:NAS-Port-ID (Attribute #87) attribute that gets sent from the switch to ISE during authentication. I don't have a 6800ia, but on my 3560C the NAS-Port shows up as '50101' and NAS-Port-ID shows up as 'GigabitEthernet0/1', so you can try both attributes and see which one works better. Once you confirm that these values are being sent, you can create an Authorization condition for each of the virtual line cards and map the rules to an individual Authorization profile for each of the VLANs. You can also run the following commands to influence the format of these attributes if the default values don't work for your use:

radius-server attribute nas-port format xxx

radius-server attribute nas-port-id xxx

In the past, the ifindex number that the NAS-Port attribute is based on used to get updated to different values during a switch reload, so you may also want to run 'snmp ifmib ifindex persist' to make sure the values are persistent across switch reloads.

Hosuk
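As an added example (not code from this thread or from Cisco), the following decodes NAS-Port (5) and NAS-Port-Id (87) from a RADIUS Access-Request so you can confirm what the switch actually sends, then applies a per-line-card VLAN table of the kind the answer describes. The Access-Request is constructed inline, and the 6800ia interface naming, slot numbers and VLAN mapping are assumptions.

```python
import re
import struct

# RADIUS attribute types from RFC 2865 / RFC 2869
NAS_PORT = 5       # integer: ifIndex-derived value such as 50101
NAS_PORT_ID = 87   # text: interface name such as GigabitEthernet0/1

# Assumed rule table: one ISE authorization rule per 6800ia virtual line
# card, keyed on the leading slot number of NAS-Port-Id (naming is assumed).
VLAN_BY_SLOT = {101: 2, 102: 3, 103: 4}
PORT_RE = re.compile(r"^GigabitEthernet(\d+)(?:/\d+)+$")

def parse_radius_attrs(packet: bytes) -> dict:
    """Return {type: [raw values]} from a RADIUS packet; rejects bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:   # zero-length or truncated TLV
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def extract_port_attrs(packet: bytes):
    """Show what the switch actually sent: (NAS-Port, NAS-Port-Id) or None."""
    attrs = parse_radius_attrs(packet)
    nas_port = attrs.get(NAS_PORT)
    port_id = attrs.get(NAS_PORT_ID)
    return (struct.unpack("!I", nas_port[0])[0] if nas_port else None,
            port_id[0].decode("ascii", "replace") if port_id else None)

def vlan_for_request(packet: bytes, default_vlan=None):
    """Apply the per-line-card table; unknown or missing port -> default."""
    _, port_id = extract_port_attrs(packet)
    m = PORT_RE.match(port_id or "")
    return VLAN_BY_SLOT.get(int(m.group(1)), default_vlan) if m else default_vlan

def build_access_request(port_id: str, nas_port: int) -> bytes:
    """Constructed sample Access-Request (authenticator zeroed for brevity)."""
    pid = port_id.encode("ascii")
    body = bytes([NAS_PORT, 6]) + struct.pack("!I", nas_port)
    body += bytes([NAS_PORT_ID, 2 + len(pid)]) + pid
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + b"\x00" * 16 + body
```

Requests whose NAS-Port-Id does not match a known line card fall through to the default, which is where a deny or a quarantine VLAN profile would sit in ISE.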

