01-17-2022 02:53 AM - edited 01-17-2022 08:06 AM
Hi
I don't know how to resolve this.
Currently I have VLAN 20 as the default in all of the headquarters, because VLAN 20 was configured on ISE as the default.
There is a center that has three different VLANs, 20, 40 and 50: VLAN 20 10.17.2.0, VLAN 40 10.18.2.0, VLAN 50 10.19.2.0. Some of the users have a fixed IP on their computers, but there is a DHCP relay in all of the VLANs.
All of the ports on the switch have VLAN 106 for non-corporate. The reason for this is that if an external user wants to connect on any port on the switch, these users get a non-corporate connection (this gives better mobility within the center).
So when a corporate user tries to connect from his own, maybe VLAN 40 or 50, they always obtain policy 20 and they don't have a connection. Only the users who belong to VLAN 20 have a connection.
When I looked at the policy on the switch, they have the VLAN 20 policy.
What do I need to do to make it work well?
Dynamic VLAN is impossible because all of these users (in VLAN 20, 40, 50) are in the same AD group.
//////////////////////////////////////
Interface GigabitEthernet1/0/8
description DATOS + TOIP
switchport access vlan 106
switchport mode access
switchport voice vlan 65
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
auto qos trust
01-17-2022 04:46 AM
Hi @athan1234 ,
Are you able to add a specific AD group for each of these users to identify them?
Hope this helps !!!
01-17-2022 05:22 AM - edited 01-17-2022 09:26 AM
Hi @Marcelo Morais, it is not possible. Another idea?
01-18-2022 12:02 AM
Anyone?
01-22-2022 01:20 PM
You need to create Authorization Profiles for each of the respective VLANs (20,40,50,106).
Then you need to create Authorization Rules in your ISE Policy that have Conditions that decide when to assign each Authorization Profile.
You have not stated a clear policy for when each Authorization Profile (and dynamic VLAN) should be assigned.
Usually this is done with some kind of user or device group but you could also do it by the network device group of the network device that they are connecting into if that is an option for you.
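The approach in the reply above, as an added sketch that is not part of the original thread and is not ISE configuration: it models first-match authorization rules that choose a profile by the network device group of the switch, and shows why the single corporate rule always hands out VLAN 20. The group names `Center#Area40` and `Center#Area50` and the `corporate` flag are assumptions made for the illustration.

```python
# Added illustration (not ISE configuration): first-match authorization rules.
# Network device group names and the "corporate" flag are assumed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthzProfile:
    name: str
    vlan: int

    def radius_attributes(self):
        # Standard RADIUS tunnel attributes for dynamic VLAN assignment (RFC 3580).
        return {
            "Tunnel-Type": "VLAN",                    # value 13
            "Tunnel-Medium-Type": "IEEE-802",         # value 6
            "Tunnel-Private-Group-ID": str(self.vlan),
        }


PROFILES = {v: AuthzProfile(f"VLAN{v}", v) for v in (20, 40, 50, 106)}


def in_ndg(group):
    # Condition: corporate endpoint connecting through a switch in this group.
    return lambda s: s["corporate"] and s["ndg"] == group


# Policy as described by the original poster: every corporate user gets VLAN 20.
SINGLE_RULE = [("Corp-Default", lambda s: s["corporate"], PROFILES[20])]

# Revised policy: rules keyed on the switch's network device group come first,
# because evaluation stops at the first matching rule.
PER_SWITCH_RULES = [
    ("Corp-Area40", in_ndg("Center#Area40"), PROFILES[40]),
    ("Corp-Area50", in_ndg("Center#Area50"), PROFILES[50]),
] + SINGLE_RULE


def authorize(session, rules, default=PROFILES[106]):
    """Return (rule name, profile) for the first rule whose condition matches."""
    for name, condition, profile in rules:
        if condition(session):
            return name, profile
    return "Default", default  # non-corporate endpoints stay on VLAN 106


# Constructed sessions: same AD group, different endpoint types.
USER_AREA40 = {"corporate": True, "ndg": "Center#Area40"}
GUEST = {"corporate": False, "ndg": "Center#Area40"}
```

Placing the generic corporate rule above the per-switch rules reproduces the behaviour reported in the thread, since the specific rules are then never reached.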
02-15-2022 01:11 AM
Hi.
I can't understand you. Could you please give an example, for example for VLAN 20 and 40?
So thanks
01-24-2022 10:52 PM
Assuming the VLAN value stored in an attribute per user, we may use
03-14-2022 09:37 AM
I can't see that option in my ISE.