Dot1x authentication with IP Phone and Hub connected behind

Ahmad Murad
Level 1

Hello All,

I have a question regarding the following scenario:

If I have ISE deployment with x endpoint license, I have the following setup:

ISE ------- SW ------- IP Phone ------- Hub ------ 4 Devices connected

I need to authenticate and profile all 4 devices connected to the Hub, but at the same time I don't need to authenticate the IP Phone using ISE, since this would consume an extra endpoint from the license count, and I need to overcome this scenario.

From the configuration point of view, using "authentication host-mode multi-auth" will solve the issue for the devices connected to the Hub, but how can I exclude the IP Phone from the endpoint count from the ISE point of view?

Thanks.

Ahmad.


10 Replies

jan.nielsen
Level 7

Are you talking about the advanced or the base license count ?

I'm talking about base and advanced at the same time. I'm talking about endpoints, not about their function; the endpoints connected behind a hub may have a posture policy.

Thanks.

Ahmad.

Tarik Admani
VIP Alumni

You will not be able to bypass this scenario, since only authentication host-mode single-host mode will allow CDP bypass.

With multi-auth all devices must authenticate, much like you mentioned. You will have to purchase or account for your base license being consumed by your IP phone; you can manually import all the phones' MAC addresses and you can use MAB to authenticate t

Thanks Tarik. With this setup and the command "authentication host-mode multi-auth", all the devices behind the IP Phone will be authenticated, and the IP phone must also be counted in the license number, whether we authenticate it using dot1x or use MAB for it.

Also, can I use MAB for the devices connected to the same hub if I have printers, scanners or any device that does not support dot1x, right?

Thanks.

Ahmad.

That is correct, but the only issue you run into is being able to place the "data" devices in different VLANs. So if a computer plugs in and needs to have guest access, it will be placed in the same VLAN as the first device that connected.

Here is some reference material on that scenario.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1347331

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks again Tarik. Yes, it is logical that all the devices behind will be authenticated and authorized into the same VLAN, since we are dealing with an access port here from the switch's point of view.

I have a question out of context: can I have a rule that checks the user's subnet and the AD group at the same time? I mean, if the user's subnet is 10.0.0.0/24 and the user belongs to AD group "IT" then the authorization will be VLAN 25; if the user is in a different subnet (10.0.1.0/24) but the same AD group then the authorization will be VLAN 50.

I have read about this but am not sure whether the RADIUS Framed-IP and framed subnet attributes will help or not.

Thanks.

Ahmad.

This may not be possible due to the fact that dot1x authentication sends the client's MAC address in the Calling-Station-Id attribute. When using web authentication or VPN authentication, you would expect this value to be the client's IP address.

The Framed-IP-Address is an accounting attribute (based on my knowledge) and is usually sent after authentication. However, I know that the Tunnel-Private-Group-ID (user or port VLAN) is sent in the Access-Request. Would that help in your scenario?

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t11/feature/guide/radattr8.html#wp1023050

Thanks,

Tarik Admani
*Please rate helpful posts*

I think the same; it is not possible.

Since I need to check whether the user belongs to some AD group, and at the same time check that the user's IP is from a specific subnet, and then authorize access to a specific VLAN.

If the idea of Attribute 8 could work in this scenario, then I would need to create an authorization profile for each user in the AD group, and this is also not a scalable solution for ISE; I also think this will not work in a DHCP environment.

About the "Tunnel-Private-Group-ID": according to RFC 2868 it will be sent in the Access-Request. Can I send the original VLAN of the port before the dot1x authentication with this attribute?

Thanks.

Ahmad.

Yes, the switch sends this in the initial Access-Request to show which VLAN the client is trying to connect to. Keep in mind that with ISE you can assign user VLANs, so in your scenario you can set the default VLAN to a dummy VLAN (or even guest). From there you can assign the VLAN using the RADIUS attributes and also use other conditions, e.g. network device location (for example Dallas) and AD group (for example IT), and then hand back the result of VLAN 100.

The dot1x authentication is tunneled through the RADIUS packet as an AV pair: you have dot1x, which is the L2 transport between switch and client, and then you have that encapsulated within a RADIUS packet, which uses L3 between switch and RADIUS server.

When dot1x is configured, this in turn triggers a RADIUS transaction between the switch and the RADIUS server.

I hope that helps.

Tarik Admani
*Please rate helpful posts*
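The two points Tarik makes in his replies above (the Access-Request carries the client's MAC in Calling-Station-Id and the port VLAN in Tunnel-Private-Group-ID, but no client IP, so a policy can key on device location plus AD group but not on client subnet; and the server hands the VLAN back with the Tunnel-* attributes) can be shown end to end with a small RADIUS encoder/decoder. The following is an added example written for this thread, not code from Cisco or ISE. Attribute numbers and encodings follow RFC 2865, RFC 2868 and RFC 3580; the MAC address, NAS name, site map, shared secret and VLAN IDs are constructed sample data, and the all-zero Request Authenticator is only for a reproducible demonstration (a real NAS uses 16 random bytes).

```python
"""RADIUS side of a Catalyst 802.1X/MAB session with VLAN assignment.

Added example, not code from Cisco, ISE or this thread. Attribute numbers
follow RFC 2865 / RFC 2868 / RFC 3580; MAC, NAS name, secret, site map and
VLAN IDs used by callers are constructed sample data.
"""
import hashlib
import hmac
import struct

USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
TUNNEL_VLAN, MEDIUM_802, PORT_ETHERNET = 13, 6, 15   # RFC 3580 values


def avp(attr, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type(1) Length(1) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr, len(value) + 2) + value


def tagged(attr, value, tag=1) -> bytes:
    """RFC 2868 tagged attribute: tag byte, then a 3-byte integer or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return avp(attr, bytes([tag]) + body)


def parse_attrs(blob: bytes):
    """Decode concatenated attributes into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        t, n = struct.unpack("!BB", blob[i:i + 2])
        if n < 2 or i + n > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((t, blob[i + 2:i + n]))
        i += n
    return out


def switch_access_request(mac: str, port_vlan: int, nas_id: str,
                          request_auth: bytes, ident: int = 7) -> bytes:
    """Access-Request as a switch sends it for a MAB session on an access port.

    Identity is the MAC (User-Name and Calling-Station-Id); the port's current
    VLAN rides in Tunnel-Private-Group-ID. No Framed-IP-Address is present:
    the client has no IP address yet when this packet is built.
    """
    mac_dashed = mac.upper().replace(":", "-")
    attrs = (avp(USER_NAME, mac_dashed.replace("-", "").lower().encode())
             + avp(CALLING_STATION_ID, mac_dashed.encode())
             + avp(NAS_IDENTIFIER, nas_id.encode())
             + avp(NAS_PORT_TYPE, struct.pack("!I", PORT_ETHERNET))
             + tagged(TUNNEL_PRIVATE_GROUP_ID, str(port_vlan)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def client_ip(request: bytes):
    """Framed-IP-Address if the NAS sent one; None for dot1x/MAB requests."""
    for t, v in parse_attrs(request[20:]):
        if t == FRAMED_IP_ADDRESS:
            return ".".join(str(b) for b in v)
    return None


def decide_vlan(request: bytes, ad_group: str, site_of: dict, policy: dict):
    """Server rule of the kind suggested in the thread: NAD location + AD group.

    A client-subnet condition cannot be expressed here because client_ip() is None.
    """
    attrs = dict(parse_attrs(request[20:]))
    site = site_of.get(attrs[NAS_IDENTIFIER].decode())
    return policy.get((site, ad_group))


def access_accept(request: bytes, secret: bytes, vlan: int) -> bytes:
    """Access-Accept carrying the VLAN, with the RFC 2865 Response Authenticator."""
    attrs = (tagged(TUNNEL_TYPE, TUNNEL_VLAN) + tagged(TUNNEL_MEDIUM_TYPE, MEDIUM_802)
             + tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_accept(request: bytes, response: bytes, secret: bytes) -> bool:
    """Switch-side check: identifier matches and the Response Authenticator verifies."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response: bytes):
    """VLAN pushed by the server; the three Tunnel-* attributes must share one tag."""
    groups = {}
    for t, v in parse_attrs(response[20:]):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            groups.setdefault(v[0], {})[t] = v[1:]
    for g in groups.values():
        if (int.from_bytes(g.get(TUNNEL_TYPE, b""), "big") == TUNNEL_VLAN
                and int.from_bytes(g.get(TUNNEL_MEDIUM_TYPE, b""), "big") == MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return int(g[TUNNEL_PRIVATE_GROUP_ID].decode())
    return None
```

Running `decide_vlan` against a request built by `switch_access_request` with a site map such as `{"sw-dallas-01": "Dallas"}` and a policy `{("Dallas", "IT"): 100}` returns 100, which `access_accept` then encodes as Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID="100"; `client_ip` on the same request returns None, which is the reason the subnet-based rule asked about above cannot be evaluated at authentication time. Note that the Response Authenticator is only an MD5 over the shared secret, so the transport between switch and ISE still needs to be on a trusted management network or wrapped in IPsec/RadSec.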

Thanks Tarik for this valuable discussions, appreciated.

Thanks.

Ahmad.