03-01-2023 11:34 PM
Hi guys,
In a big network, the customer has it segmented at L2 level, by using an access VLAN per switch.
In a way that:
I would like to move the VLAN assignment to ISE, and do it in as simple and clean a way as possible. The customer has a lot of offices all around the world.
My approach is to add a property to the NAD to tell ISE which VLAN to assign to the switch. A tag would be great, but there is no way to do it. So I'm trying to use the "Software Version" property of each NAD as the VLAN for that NAD.
The objective is to have a single simple authz rule to return the vlan for any NAD:
if "authentication passed" return Get_VLAN_From_NAD
Where Get_VLAN_From_NAD is an authorization profile like that:
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:DEVICE:Software Version
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
So if DEVICE:Software Version:
In that way a single simple rule can manage all VLAN assignments. I was able to define an Authz profile in that way.
As you can see, ISE allows us to set DEVICE:Software Version for the Tunnel-Private-Group-ID, but it does not work as expected and the connection fails (at least by WiFi). If I put the VLAN as a number in the same authz rule it works like a charm, so the problem is getting the VLAN from a DEVICE property.
I know that I can use several rules to do it by NAD or by NAD group or something like that. But I would like to avoid that way, which makes the policy set unnecessarily long: at least one rule per VLAN, but it can double or triple if you use different authentication methods, for example.
Is there any way to set this up by the use of properties or any kind of scripting? I've done a quick review of the API reference but it doesn't seem to be designed to be used from a policy set, but for IaC. Anyway I didn't find any useful method to as
Thanks
03-02-2023 01:40 AM
I don't believe there is a way to achieve what you seek with ISE; you will need to set, for example, VLAN21 to any device located on the 1st floor regardless of the site location. But I would suggest enabling radius, epm, and dot1x debugs on a switch, recreating the issue by pushing the same attributes to one device and then checking the debugs to understand how NADs behave with such an attribute.
I also believe that using TrustSec for segmentation would be much more flexible for such a use case and for large scales.
03-02-2023 01:43 AM - edited 03-02-2023 01:44 AM
Another approach could be to return a constant VLAN Name, and then on the switch, assign the VLAN ID to the VLAN Name. In the example below, ISE returns the VLAN Name "DATA" to the switch. What the switch does with that information is, to translate that to the VLAN ID defined on the switch. So the switch admins have to configure the VLAN ID differently for the VLAN "DATA"
Switch Floor 1 - VLAN Name DATA - VLAN ID = 11
Switch Floor 2 - VLAN Name DATA - VLAN ID = 12
Switch Floor 3- VLAN Name DATA - VLAN ID = 13
etc.
There is also the concept of the VLAN Group - something we use a lot on Wireless controllers. You take a bunch of VLANs and put them into an Interface Group. When a client connects, the WLC creates a hash - and say you have 10 VLANs in the group, then the hash would be a value of 1 - 10. Client gets dumped in that VLAN, does a DHCP. If DHCP does not succeed (i.e. no Offers received) then the DHCP scope is exhausted and the WLC will hash again. Same concept applies on the Catalyst switches.
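The original post lists the three RFC 2868 tunnel attributes ISE puts in the Access-Accept (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, all with tag 1), and the answer above relies on the switch resolving a returned VLAN *name* against its own VLAN database. The following is an added example, not code from the thread, from ISE, or from Cisco: it encodes and decodes those three attributes the way RFC 2868 lays them out on the wire, then mimics the NAD-side decision (numeric group ID used directly, non-numeric group ID looked up by name) against a constructed per-switch VLAN table modelled on the floor 1/2/3 example. The switch tables, the `assign` helper and the floor names are assumptions for illustration only; a real switch applies its own validation rules, which the debugs suggested above would show.

```python
"""RFC 2868 tunnel attribute encode/decode plus a NAD-style VLAN resolution.

Constructed example for the ISE thread above; not ISE or Cisco code.
"""
import struct

# Attribute types (RFC 2868) and the VLAN/802 values used for 802.1X (RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer AVP: type, length(6), 1-byte tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < (1 << 24):
        raise ValueError("tagged integer value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string AVP: type, length, 1-byte tag, then the string octets."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    data = value.encode("ascii")
    length = 3 + len(data)
    if length > 255:
        raise ValueError("attribute too long for one AVP")
    return struct.pack("!BBB", attr_type, length, tag) + data


def build_vlan_avps(group_id: str, tag: int = 1) -> bytes:
    """The three attributes from the authorization profile in the original post."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id))


def decode_avps(raw: bytes) -> list:
    """Walk a RADIUS attribute list; return (type, tag, value) for tunnel attributes."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad attribute length")
        body = raw[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 octets")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is data, not a tag.
            if body and body[0] <= 0x1F:
                out.append((attr_type, body[0], body[1:].decode("ascii")))
            else:
                out.append((attr_type, 0, body.decode("ascii")))
    return out


def resolve_vlan(avps: list, local_vlans: dict) -> int:
    """Mimic a NAD: need Type=VLAN and Medium=802 under one tag, then map the group ID.

    A numeric group ID is used as the VLAN ID; anything else is treated as a
    VLAN name and looked up in this switch's own VLAN table (assumed behaviour).
    """
    by_tag: dict = {}
    for attr_type, tag, value in avps:
        by_tag.setdefault(tag, {})[attr_type] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
            if gid.isdigit():
                vid = int(gid)
                if 1 <= vid <= 4094:
                    return vid
                raise ValueError(f"VLAN id {vid} out of range")
            if gid in local_vlans:
                return local_vlans[gid]
            raise LookupError(f"VLAN name {gid!r} not defined on this switch")
    raise ValueError("no complete VLAN tunnel attribute set in Access-Accept")


# Constructed per-switch tables: the same name "DATA" is a different ID on each floor.
SWITCH_VLANS = {
    "floor1": {"DATA": 11, "VOICE": 111},
    "floor2": {"DATA": 12, "VOICE": 112},
    "floor3": {"DATA": 13},
}


def assign(group_id: str, switch: str) -> int:
    """End to end: ISE returns group_id, the named switch resolves it to a VLAN ID."""
    return resolve_vlan(decode_avps(build_vlan_avps(group_id)), SWITCH_VLANS[switch])


def assign_or_none(group_id: str, switch: str):
    """Same as assign(), but None where a real switch would reject the session."""
    try:
        return assign(group_id, switch)
    except (LookupError, ValueError):
        return None


if __name__ == "__main__":
    print(build_vlan_avps("DATA").hex())
    for sw in SWITCH_VLANS:
        print(sw, "DATA ->", assign_or_none("DATA", sw), "VOICE ->", assign_or_none("VOICE", sw))
```

Running it shows the same name "DATA" landing on VLAN 11, 12 and 13 depending on the switch, while "VOICE" is rejected on floor3 because that switch has no such VLAN name; that last case is the failure mode to watch for when VLAN names are not defined consistently across sites.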
03-02-2023 01:08 PM
Hi,
Thanks for the answers. I will think about your solutions to choose the best one for the customer.
Regards