05-21-2023 06:53 AM
Hello Everyone,
I need to understand what the use is of the VLAN (Tag ID) ID/Name defined under an Authorization profile (under Common Tasks).
In a deployment, when I go to Policy > Results > Authorization > Authorization Profile > check a profile > under Common Tasks, I find VLAN (ticked), Tag ID 1 and then ID/Name ABC.
As far as my understanding goes, under Common Tasks we define the things we need to push to the endpoint once it is authorized with this profile. But I am not getting why Tag ID 1 is defined; does that mean they are pushing VLAN 1 to the endpoint? If yes, what is the use case for the same?
05-21-2023 01:54 PM
The "Tag" in the Authorization Profile has to do with RFC 2868 - not to be confused with the VLAN ID, or with Cisco's SGT 'Tags'.
If the Tag is set between 1 and 31, it indicates a 'tunnel' to which the RADIUS attribute belongs. It's a concept that we don't use in Enterprise LANs. We always set the Tag to 1.
The VLAN ID/Name is the VLAN that we want to assign on the switch/WLC - it must be a valid ID or Name that is recognized by the switch/WLC.
E.g. if in ISE you set the Tag to 31 (the allowed range is 0-31) and the VLAN ID to '123', then you will return the following RADIUS attributes to the NAD:
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 31:123
Tunnel-Type = 31:13
Tunnel-Medium-Type = 31:6
You can look up the meaning of each attribute in RFC 2868.
Tunnel-Private-Group-ID is the one that tells the NAD which VLAN ID you want.
05-21-2023 07:00 AM - edited 05-21-2023 07:01 AM
The VLAN Tag ID or Name defined under an Authorization profile is used to specify the VLAN to which the endpoint device should be assigned after successful authentication and authorization.
In the example you described, if the Authorization profile has VLAN Tag ID 1 defined under the common tasks, it means that the endpoint device will be assigned to VLAN 1* after successful authorization.
Common use cases include segregating different types of devices or user groups onto separate VLANs for security or performance reasons. For example, you might have VLANs dedicated to specific departments, guest networks, voice traffic, or IoT devices.
*Note that VLAN 1 is often reserved for administrative purposes and is not recommended for regular network traffic. Using VLAN 1 for end-user traffic is generally considered a security risk, so it's typically advised to avoid assigning endpoints to VLAN 1.
05-22-2023 11:44 PM
Thanks @Arne Bier, I tried to read RFC 2868, but things become more complex when I go deeper.
Just to understand: do you have any examples of a use case where we use a tag other than 1? (You already mentioned that Tag 1 is what we use in an enterprise LAN environment.)
05-23-2023 02:18 AM
RFCs are not fun reading, even at the best of times. But my understanding is that this is a Service Provider feature, used in cases where a subscriber makes a request to a headend device (NAS) and then the RADIUS server can return multiple tunnels - e.g. a customer might have a Primary L2TP and a Backup L2TP tunnel. Each tunnel can have different attributes, and since the final Access-Accept packet contains all the attributes for both tunnels, the Tag ID is used to distinguish which attribute is used for each tunnel.
I have made an ISE Authorization Profile below to show this in practice (the reality is that you cannot put two VLANs on a single Cisco switch interface ... but I think you get the point) - ISE returns all the attributes to the NAS - but in this case the Cisco switch only accepts values with TagID 1, and ignores the rest.
The RFC says that the Tag ID can be set to be 0 if not used. But the reality is that some vendors might expect a non-zero value there.
In my lab, the Cisco switch was happy with a Tag 0 value.
Long story short ... Tag has no meaning in the Enterprise. RADIUS has its origins in the Service Provider world, and there are many things that we have in the RADIUS protocol that just don't apply to us in the Enterprise.
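To make the "Tag:Value" notation from the accepted answer and the multi-tunnel behaviour described above concrete, here is an added example (not code from the thread, from Cisco ISE, or from any NAD vendor). It encodes the three RFC 2868 tunnel attributes the way an Access-Accept carries them on the wire, decodes them back using the RFC's rule that the first octet is a tag only when it is 0x00..0x1F, and then mimics a switch that honours a single tag group and ignores the rest. The attribute type numbers (64, 65, 81) and the enumerations (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802) are taken from RFC 2868; the two-tunnel Access-Accept payload is constructed here for illustration.

```python
"""
Added example: RFC 2868 tunnel attributes as produced by an ISE Authorization
Profile with the VLAN common task. Not ISE's or a switch vendor's code; the
sample payload below is constructed for the demonstration.
"""
import struct

# Attribute type numbers from RFC 2868
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13    # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6    # RFC 2868 Tunnel-Medium-Type value for IEEE 802

TAGGED_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
ATTR_NAMES = {TUNNEL_TYPE: "Tunnel-Type",
              TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
              TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}


def encode_vlan_attrs(tag, vlan):
    """Build the three tunnel attributes for one VLAN assignment under `tag`.

    The tag octet must be 0..31 (0x1F); a larger value would be read by the
    NAD as the first byte of the value, which is why ISE limits it to 0-31.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tag must be 0..31")
    # Tunnel-Type / Tunnel-Medium-Type: Type, Length=6, Tag, 3-octet value
    tt = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    tm = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: Type, Length, Tag, string (VLAN ID or VLAN name)
    gid_val = vlan.encode("ascii")
    gid = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid_val), tag) + gid_val
    return tt + tm + gid


def decode_attrs(payload):
    """Walk a RADIUS attribute list and return (type, tag, value) triples.

    For the tunnel attributes the first value octet is a tag only when it is
    <= 0x1F; otherwise it belongs to the value and the tag is taken as 0.
    """
    out = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        body = payload[i + 2:i + alen]
        if atype in TAGGED_ATTRS and body and body[0] <= 0x1F:
            tag, body = body[0], body[1:]
        else:
            tag = 0
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            value = int.from_bytes(body, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            value = body.decode("ascii", "replace")
        else:
            value = body
        out.append((atype, tag, value))
        i += alen
    return out


def select_vlan(attrs, accepted_tag=1):
    """Mimic a switch that honours one tag group: return that group's VLAN
    ID/name if its Tunnel-Type is VLAN over an 802 medium, else None."""
    group = {atype: value for atype, tag, value in attrs if tag == accepted_tag}
    if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802):
        return group.get(TUNNEL_PRIVATE_GROUP_ID)
    return None


def render(attrs):
    """Render decoded triples in the Tag:Value style shown in the thread."""
    return ["%s = %d:%s" % (ATTR_NAMES.get(t, "Attr-%d" % t), tag, v)
            for t, tag, v in attrs]


if __name__ == "__main__":
    # Constructed Access-Accept with two tag groups (the "primary and backup
    # tunnel" case); a Cisco switch only acts on the group it accepts.
    payload = encode_vlan_attrs(1, "123") + encode_vlan_attrs(2, "GUEST")
    attrs = decode_attrs(payload)
    for line in render(attrs):
        print(line)
    print("switch honouring tag 1 assigns VLAN:", select_vlan(attrs, 1))
```

Running the module prints both tag groups in the same `Tag:Value` form as the ISE output quoted earlier, and `select_vlan(attrs, 1)` returns only the VLAN from tag group 1, which is the behaviour described for the Cisco switch. Passing a tag above 31 to `encode_vlan_attrs` raises an error rather than silently corrupting the value, which mirrors the 0-31 limit the ISE profile enforces.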