Cisco ISE dynamic vlan assignment

kalien3
Level 1

I have about 30 individual data VLANs, all with unique VLAN IDs and names; the names all have the word "data" in them, one on each switch. I’m also running Cisco ISE. Is there a way that I can use the dynamic VLAN assignment for each of these? Basically, can I create a single authorization policy for workstations and have that policy dynamically assign the data VLAN using some kind of variable that assigns it to the VLAN with the word "data" in it? I don’t want to have to create 30 individual authorization policies and policy rules for each switch. I’m already doing this with an authorization policy for a different type of device, but they are all on one VLAN across all the switches, so it's easy.


Arne Bier
VIP

@kalien3 it depends on what your criterion is for assigning a specific VLAN in a particular Authorization Rule. If you are assigning VLANs based on the NAD Device Location, then you're possibly in for a hard slog.

I think the ideal case would be to normalise all the VLAN names on all of your switches, to enable ISE to send back the VLAN name to the switch, instead of messing around with VLAN IDs. This might be a bit of upfront work. Touch each switch and rename the VLAN in question to the common name - e.g. CORPDATA - you leave the VLAN ID as is, because this has no bearing on ISE. Once this has been done (and verified to exist on all your relevant access switches) you can reliably return the VLAN Name in your ISE Authorization Profiles.

By the way, this concept has been working very well for network deployments in multi-floor buildings, where each floor has its own VLAN ID for things like corporate data or voice VLANs. Using a common VLAN Name keeps the ISE logic clean and simple.

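The verification step in the accepted answer ("verified to exist on all your relevant access switches") is easy to get wrong by hand across 30 switches. The script below is an added example, not code from the thread or from Cisco: it parses constructed `show vlan brief` excerpts, reports which switches still lack the common name (or carry it on more than one VLAN, which would make the switch's name-to-ID lookup undefined), and shows the RFC 3580 RADIUS attributes an Authorization Profile returns when it assigns the VLAN by name. The switch names, VLAN IDs and the name CORPDATA are assumptions.

```python
import re
from typing import Dict, List

# Constructed 'show vlan brief' excerpts from three access switches. The data
# VLAN ID differs per switch; sw3 has not yet been renamed to the common name.
SHOW_VLAN_BRIEF = {
    "sw1": """VLAN Name                             Status    Ports
1    default                          active    Gi1/0/1
110  CORPDATA                         active    Gi1/0/2, Gi1/0/3
""",
    "sw2": """VLAN Name                             Status    Ports
210  CORPDATA                         active    Gi1/0/2
220  VOICE                            active
""",
    "sw3": """VLAN Name                             Status    Ports
310  FLOOR3_DATA                      active    Gi1/0/2
320  VOICE                            active
""",
}

VLAN_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(active|suspended|act/lshut)")

def parse_vlan_brief(output: str) -> Dict[str, List[int]]:
    """Map VLAN name -> IDs carrying that name (normally exactly one)."""
    names: Dict[str, List[int]] = {}
    for line in output.splitlines():
        m = VLAN_LINE.match(line)
        if m:
            names.setdefault(m.group(2), []).append(int(m.group(1)))
    return names

def audit_common_vlan(outputs: Dict[str, str], name: str) -> Dict[str, object]:
    """Per switch, the local ID behind `name`, plus the switches where the
    name is missing or ambiguous (present on more than one VLAN)."""
    ids, missing, ambiguous = {}, [], []
    for switch, text in outputs.items():
        found = parse_vlan_brief(text).get(name, [])
        if not found:
            missing.append(switch)
        elif len(found) > 1:
            ambiguous.append(switch)
        else:
            ids[switch] = found[0]
    return {"ids": ids, "missing": missing, "ambiguous": ambiguous}

def radius_vlan_attributes(name: str) -> Dict[str, str]:
    """RFC 3580 tunnel attributes returned for a VLAN assigned by name; the
    switch resolves the name to whatever local ID it has configured."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": name}
```

Feed it real `show vlan brief` captures instead of the constructed ones and do the rename on every switch listed under `missing` before switching the Authorization Profile to the VLAN name.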


@kalien3 you could use dynamic attributes lookup to determine which VLAN a specific workstation needs to go in, then reference that attribute in the single authorisation rule.

Example: https://integratingit.wordpress.com/2018/12/01/ise-dynamic-variables-from-ad/

https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/

