Cisco ISE dynamic vlan assignment

kalien3
Level 1

I have about 30 individual data VLANs, all with unique VLAN IDs and names; the names all have the word "data" in them, one on each switch. I'm also running Cisco ISE. Is there a way that I can use dynamic VLAN assignment for each of these? Basically, can I create a single authorization policy for workstations and have that policy dynamically assign the data VLAN using some kind of variable that assigns it to the VLAN with the word "data" in it? I don't want to have to create 30 individual authorization policies and policy rules for each switch. I'm already doing this with an authorization policy for a different type of device, but they are all on one VLAN across all the switches, so it's easy.

Accepted Solution

Arne Bier
VIP

@kalien3 it depends on what your criterion is for assigning a specific VLAN in a particular Authorization Rule. If you are assigning VLANs based on the NAD Device Location, then you're possibly in for a hard slog.

I think the ideal case would be to normalise all the VLAN names on all of your switches, to enable ISE to send back the VLAN name to the switch, instead of messing around with VLAN IDs. This might be a bit of upfront work. Touch each switch and rename the VLAN in question to the common name - e.g. CORPDATA - you leave the VLAN ID as is, because this has no bearing on ISE. Once this has been done (and verified to exist on all your relevant access switches) you can reliably return the VLAN Name in your ISE Authorization Profiles.

By the way, this concept has been working very well for network deployments in multi-floor buildings, where each floor has its own VLAN ID for things like corporate data or voice VLANs. Using a common VLAN Name keeps the ISE logic clean and simple.

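The "verified to exist on all your relevant access switches" step above is the one that bites later, because a VLAN that is missing, shut down, or named `CorpData` instead of `CORPDATA` on a single switch will make the RADIUS-returned name fail only on that switch. The following added example (not from the thread's author or from Cisco) audits saved `show vlan brief` output per switch for a common VLAN name; the switch names and outputs are constructed samples, and the IOS output format is assumed to be the standard `VLAN Name Status Ports` table.

```python
import re
from typing import Dict, List, Tuple

# Matches one VLAN row of IOS "show vlan brief": id, name, status.
# Header, separator and indented port-continuation lines never start with
# digits, so they are skipped automatically.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_vlan_brief(output: str) -> List[Tuple[int, str, str]]:
    """Return (vlan_id, name, status) for every VLAN row in the output."""
    return [(int(vid), name, status) for vid, name, status in VLAN_ROW.findall(output)]


def audit_vlan_name(switch_outputs: Dict[str, str], common_name: str) -> Dict[str, str]:
    """Per switch, check that `common_name` exists (exact spelling) and is active.

    The VLAN ID is allowed to differ per switch: ISE returns the name, not the ID.
    Case-only spelling differences are reported separately, since the switch
    will not match them against the name ISE sends back.
    """
    report: Dict[str, str] = {}
    for switch, output in switch_outputs.items():
        rows = parse_vlan_brief(output)
        exact = [(vid, status) for vid, name, status in rows if name == common_name]
        if exact:
            vid, status = exact[0]
            report[switch] = (f"OK (vlan {vid})" if status == "active"
                              else f"INACTIVE (vlan {vid}, status {status})")
            continue
        near = [(vid, name) for vid, name, _ in rows if name.lower() == common_name.lower()]
        report[switch] = (f"NAME_MISMATCH (vlan {near[0][0]} is named '{near[0][1]}')"
                          if near else "MISSING")
    return report


# Constructed sample output for three access switches (not captured from real devices).
SAMPLE = {
    "sw-floor1": "VLAN Name                             Status    Ports\n"
                 "---- -------------------------------- --------- ----------------\n"
                 "1    default                          active    Gi1/0/1, Gi1/0/2\n"
                 "110  CORPDATA                         active    Gi1/0/3, Gi1/0/4\n"
                 "                                                Gi1/0/5\n"
                 "210  VOICE                            active\n",
    "sw-floor2": "VLAN Name                             Status    Ports\n"
                 "---- -------------------------------- --------- ----------------\n"
                 "1    default                          active\n"
                 "120  CorpData                         active    Gi1/0/3\n",
    "sw-floor3": "VLAN Name                             Status    Ports\n"
                 "---- -------------------------------- --------- ----------------\n"
                 "1    default                          active\n"
                 "130  CORPDATA                         act/lshut\n",
}

if __name__ == "__main__":
    for switch, verdict in audit_vlan_name(SAMPLE, "CORPDATA").items():
        print(f"{switch}: {verdict}")
```

Only switches reporting `OK` are safe to include in the Authorization Profile that returns the VLAN name; the others need the rename or `no shutdown` first.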

8 Replies

@kalien3 you could use dynamic attributes lookup to determine which VLAN a specific workstation needs to go in, then reference that attribute in the single authorisation rule.

Example: https://integratingit.wordpress.com/2018/12/01/ise-dynamic-variables-from-ad/

https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/


@Arne Bier Can dynamic VLAN assignment be used with MAB devices (no 802.1X supplicant) but with a static IP address?

Yes it can. Since there is no DHCP cycle involved, you can set the access VLAN via RADIUS server attributes. Beware with multi-auth and multi-domain setups - dynamic VLAN assignment only concerns itself with the DATA domain, and not the VOICE domain - this means that if you have an interface with access vlan and voice vlan, you cannot dynamically set the voice vlan with RADIUS.

migkniatovits
Level 1

Hello @Arne Bier,

Hope you are doing well.

Is it possible to implement dynamic VLAN assignment based on AD groups, in a setup where EAP-TLS authentication is currently configured for machines only, and not for users?
Thank you in advance.

You can definitely do that in your Authorisation Policy for on-prem AD. ISE will retrieve the AD object's Group Membership. The Windows supplicant needs to be configured to perform machine auth only.

@Arne Bier Thank you for your prompt reply. However, in my use case, I need to dynamically assign VLANs based on the user's AD group, not the machine's.
So if I am not missing anything (please correct me if I am wrong), how will ISE be able to retrieve the appropriate information if only machine auth is performed and the user is not part of the authentication process?

The Windows supplicant does not work like you described. Windows performs machine auth in two cases, and neither case involves any users:

1) PC boots to locked screen 

2) User logout back to lock screen

If you want to do things that relate to the logged-in user, then you need User auth. User auth is triggered when a user logs in.

Dynamic VLAN assignment with user auth also involves an extra setting somewhere in the supplicant to allow Windows to be aware of the VLAN switch and to trigger a new DHCP cycle. Without that feature, switching the VLAN won't have a happy ending.