Best practice for this scenario

athan1234
Level 3

Hi

I don't know how to resolve this.

Currently I have VLAN 20 by default in all of the headquarters, for which VLAN 20 was configured on ISE as the default.

There is a center that has three different VLANs: 20, 40 and 50 (VLAN 20 10.17.2.0, VLAN 40 10.18.2.0, VLAN 50 10.19.2.0). Some of the users have a fixed IP on their computer, but there is a DHCP relay on all of the VLANs.

All of the ports on the switch have VLAN 106 for non-corporate; the reason for this is that if an external user wants to connect on any port on the switch, these users get a non-corporate connection (this gives better mobility in the center).

So when a corporate user tries to connect from their own VLAN, maybe VLAN 40 or 50, they always obtain the VLAN 20 policy and they don't have a connection. Only the users belonging to VLAN 20 have a connection.
When I look at the policy on the switch, they have the VLAN 20 policy.

What do I need to make it work well?
Dynamic VLAN is impossible because all of these users (VLAN 20, 40, 50) are in the same AD group.

//////////////////////////////////////

interface GigabitEthernet1/0/8
 description DATOS + TOIP
 switchport access vlan 106
 switchport mode access
 switchport voice vlan 65
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 auto qos trust
7 Replies

Hi @athan1234,

Are you able to add a specific AD group for each of these users to identify them?

Hope this helps!!!

Hi @Marcelo Morais, it is not possible. Another idea?

athan1234
Level 3

Anyone?

thomas
Cisco Employee

@athan1234

You need to create Authorization Profiles for each of the respective VLANs (20,40,50,106).

Then you need to create Authorization Rules in your ISE Policy that has Conditions that decide when to assign each Authorization Profile.

You have not stated a clear policy for when each Authorization Profile (and dynamic VLAN) should be assigned.

Usually this is done with some kind of user or device group, but you could also do it by the network device group of the network device that they are connecting to, if that is an option for you.

Hi.

I can't understand you. Please, could you put an example, for example for VLAN 20 and 40?

Thanks.

hslai
Cisco Employee

Assuming the VLAN value is stored in an attribute per user, we may use

[screenshot: Screen Shot 2022-01-24 at 10.51.52 PM.png]

I can't see that option in my ISE.
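The two suggestions in the thread (thomas: one authorization profile per VLAN, selected by authorization rules on a user/device group or on the network device group; hslai: a per-user attribute that carries the VLAN) can be shown side by side with a small model of ISE's top-down, first-match authorization policy. The following is an added illustration, not ISE code and not the project's or any poster's own; the AD group name `CORP_USERS`, the per-user attribute `corpVlan`, the NDG location strings and the sessions are constructed placeholders. It reproduces the symptom from the original post (everybody lands on VLAN 20 because the only rule matches the shared AD group) and then shows both fixes, returning the RFC 3580 tunnel attributes an authorization profile would send in the Access-Accept.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# RADIUS attributes an authorization profile returns for VLAN assignment (RFC 3580):
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN id.
def vlan_profile(name: str, vlan: int) -> dict:
    return {"name": name, "attributes": {"Tunnel-Type": 13,
                                         "Tunnel-Medium-Type": 6,
                                         "Tunnel-Private-Group-ID": str(vlan)}}

# One authorization profile per corporate VLAN, as thomas's reply describes.
PROFILES = {v: vlan_profile(f"VLAN_{v}", v) for v in (20, 40, 50)}
STATIC_PORT_VLAN = 106   # 'switchport access vlan 106' from the posted interface config

@dataclass
class Session:
    username: str
    ad_groups: List[str]
    ad_attrs: Dict[str, str]   # constructed: "corpVlan" holds the user's VLAN (hslai's idea)
    ndg_location: str          # constructed: NDG "Location" of the switch (thomas's idea)

@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: dict

def evaluate(rules: List[Rule], session: Session) -> Optional[dict]:
    """Top-down, first-match evaluation; None models 'no rule matched' (no VLAN returned)."""
    for rule in rules:
        if rule.condition(session):
            return rule.profile
    return None

def assigned_vlan(rules: List[Rule], session: Session) -> int:
    """VLAN the endpoint ends up on. Simplified model: with 'authentication open' on the
    port, a session ISE does not authorize keeps forwarding on the static access VLAN."""
    profile = evaluate(rules, session)
    if profile is None:
        return STATIC_PORT_VLAN
    return int(profile["attributes"]["Tunnel-Private-Group-ID"])

def is_corp(s: Session) -> bool:
    return "CORP_USERS" in s.ad_groups   # constructed name for the single shared AD group

# The thread's starting point: one rule for the shared AD group -> VLAN 20 for everybody.
ORIGINAL_RULES = [Rule("Corporate", is_corp, PROFILES[20])]

# Fix 1 (hslai): a per-user attribute selects the profile. Specific rules first, default last.
def attr_rule(vlan: int) -> Rule:
    return Rule(f"Corp_vlan{vlan}",
                lambda s: is_corp(s) and s.ad_attrs.get("corpVlan") == str(vlan),
                PROFILES[vlan])

ATTRIBUTE_RULES = [attr_rule(40), attr_rule(50), Rule("Corp_default", is_corp, PROFILES[20])]

# Fix 2 (thomas): the network device group of the switch selects the profile. This only
# distinguishes users when each VLAN's users come in through switches placed in different NDGs.
def ndg_rule(location: str, vlan: int) -> Rule:
    return Rule(f"Corp_{location}",
                lambda s: is_corp(s) and s.ndg_location == location,
                PROFILES[vlan])

NDG_RULES = [ndg_rule("Center-Floor2", 40), ndg_rule("Center-Floor3", 50),
             Rule("Corp_default", is_corp, PROFILES[20])]

# Constructed sessions reproducing the thread: a VLAN 40 user, a VLAN 20 user, a visitor.
ALICE = Session("alice", ["CORP_USERS"], {"corpVlan": "40"}, "Center-Floor2")
BOB   = Session("bob",   ["CORP_USERS"], {"corpVlan": "20"}, "Center-Floor1")
GUEST = Session("guest", [],             {},                 "Center-Floor2")

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("attribute", ATTRIBUTE_RULES), ("ndg", NDG_RULES)):
        print(label, {s.username: assigned_vlan(rules, s) for s in (ALICE, BOB, GUEST)})
```

Running it prints `original {'alice': 20, 'bob': 20, 'guest': 106}` (the symptom from the post), then `attribute {'alice': 40, 'bob': 20, 'guest': 106}` and `ndg {'alice': 40, 'bob': 20, 'guest': 106}`. Rule order matters in both fixes: the group-only default rule has to sit below the specific ones, otherwise it matches first and every corporate user is back on VLAN 20, which is exactly the original policy. The NDG variant is only an option if the VLAN 40 and VLAN 50 users reach ISE through switches that can be placed in separate network device groups; when all three VLANs share one switch, as the post suggests, only a per-user or per-group condition can tell them apart.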