Dynamic VLAN assignment

aconticisco
Level 2

Hi,

 

In this link this is setup and Switch ports are set to vlan access 10

https://integratingit.wordpress.com/2018/05/07/configuring-cisco-ise-dynamic-vlan-assignment/

 

Is this VLAN 10 configuration required to allow the user to login to the domain controller and than be re-assigned to another VLAN based on AD Group membership?

 

What are the options if access VLAN 10 is not configured on the Switch ports (so plugged in devices will only depend on 802.1x and what VLAN gets pushed to them), how can I identify a group of users (each with the own laptop) and place them in a specific VLAN?

In Policy Sets can I maybe add a check to see if a specific file is present (Could not see this option under Policy Sets) or there are other/better options?

 

Thanks


@aconticisco in the example VLAN 10 is the VLAN explicitly configured on the interface; if VLAN 10 wasn't configured then the interface would be in the default VLAN 1, and best practice is that this VLAN should not be used.

 

During 802.1x authentication phase the computer does not have an IP address, only once authenticated/authorised does the DHCP process start and the computer gets an IP address in the correct VLAN, whether ISE changes the VLAN dynamically or the statically configured VLAN on the interface is used.

 

The example provided (although not demonstrated in detail) shows you how to authorise different AD user groups and assign the VLAN based on group membership. Your authorisation rule would check "<External AD> ExternalGroups EQUALS <group name>" and then apply the authorisation profile as per the example in the link. You would create multiple authorisation rules and profiles, one for each AD group you wish to dynamically assign a VLAN to.

 

You don't need to check to see if a file is present to change the VLAN, but you can use ISE posture to check to see if a file is present.

OK, so VLAN 10 (just to keep with the same example) is important (probably mandatory for this setup) as it is the VLAN that allows the user to authenticate (are we saying this VLAN 10 should be allowed to talk to the DC server?), and as a result dynamic VLAN assignment will move the user to the respective new VLAN according to the group the user is a member of.

 

The question would be: how can I achieve the same purpose/functionality but without assigning VLAN 10, so that the initial VLAN (we said it would be VLAN 1 if not defined) would not have any DHCP or network access at all? Would this mean that we have to fall back to some certificate/file being present on the machine, or are there still other options?

 

The goal remains the same - identify a group of users (each with their own laptop) and place them in a specific VLAN, but without having an initial VLAN configured and completely relying on 802.1x and dynamic VLAN assignment.

 

Probably I need to find a flow diagram to understand the different stages of the communication/authentication.

 

Thanks 

Octavian Szolga
Level 4

Hi,

 

Maybe it's not 100% clear how 802.1x works.

You have a machine that boots up, configured for 802.1x.
802.1x is Layer 2 auth.

No DHCP, no IP address, nothing at all happens until you get authenticated by ISE and ISE tells your switch or WLC that you're OK.

 

If you have machine authentication, that means that you can place your machine in whatever AD (security) group, reference that group in ISE authorization rules and provide an authorization profile that tells the switch to apply a specific VLAN to that session (and implicitly to your rule, meaning your AD group).

 

This means that when you power on your PC, 802.1x kicks in, auth completes successfully and ISE returns a VLAN to the switch that is applied to your switchport (other than the default VLAN).

Only after auth completes successfully does DHCP start, but the most important thing is that it starts when you're already a member of the ISE-assigned VLAN.

 

BR,

Octavian

OK, I thought that VLAN 10 was the first network the machine gets into and that 802.1x follows.

Now I understand that 802.1x comes first and is at Layer 2, so the next step is understanding how I can do either:

 

Machine Authentication - getting ISE to check the AD group a machine is in and, if it matches a specific one, dynamic VLAN assignment will kick in to place it in the desired VLAN. This check will only be needed for this group and it should be transparent to the user.

My understanding is that we will need to identify the computer objects of this group in advance and add them as members of an additional specific AD group that ISE will check against.

 

https://detailed.wordpress.com/2018/08/14/cisco-ise-machine-authentication/

 

AND/OR

 

ISE posture - we create/push a file via Group Policy to the machines (the ones owned by this group of users), then get ISE to check that the file is present; if so, dynamic VLAN assignment will kick in to place them in the desired VLAN.

 

Let me know if you have any reference on how this would be applied.

 

Side note: as I understand it, at this stage the machine (connected to the switch) needs to be authenticated first, as there is no way to authenticate the user (since the user is not prompted to enter an AD user/pass when plugging into the network).

 

Appreciate all your input and explanation; it definitely encourages me to discover/use this product further...

@aconticisco 

Yes, the computer accounts would need to be added to an AD group, or use Domain Computers if it applies to all computers.

The computers need to be authenticated to the network to ensure AD GPOs are applied etc.

 

You could do ISE Posture; depending on your licensing this may cost you more money. You don't necessarily need to push down a file, you can do a registry check for domain membership, or both.

 

If you dynamically assign the computer to VLAN x and the user to VLAN y, this could cause issues when attempting to obtain an IP address for the user. Why do you even want to assign VLANs dynamically? If your goal is to limit access, why not leave the computer in the configured VLAN and apply a DACL or TrustSec SGT?

Agreed, I think it should be as follows:

 

  1. All computer accounts are already members of the "Domain Computers" group, so we need to add these to another specific group to be referenced by ISE.
  2. I add the computer AD group to ISE from External Identity Sources / Active Directory / Groups.
  3. Under Policy Elements / Results / Authorization Profile I add a profile so that the dynamic VLAN applies.
  4. I add an Authorization Policy that includes the check to see if the computer is a member of the specified group and references the Authorization Profile created in the previous step (I will place this policy above the generic one that catches all users, as this one will be very specific).

We do not currently check for user group membership, so if this computer AD group membership is checked when the laptop is plugged in, it should work fine, I think.

 

So 802.1x allows a lot of information to be passed between the connected device (the computer in this case) and ISE, as I see there are a lot of options for what to include in the Policy Conditions, and we said all this happens at Layer 2 - quite impressive.
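The machine-authentication flow Octavian describes and the four-step policy in the last post, as an added example that is not from the thread or from Cisco ISE: a small Python model of an ordered authorization policy that returns the RFC 3580 RADIUS VLAN attributes a switch applies to the port. The group names, VLAN IDs and session records are constructed assumptions; a failed authentication returns no attributes, so the port stays unauthorized and DHCP never starts.

```python
# Added example, not from the thread or from Cisco ISE: a small model of how an
# ordered ISE authorization policy turns an authenticated 802.1X session into the
# RADIUS VLAN attributes a switch applies. Groups, VLANs and sessions are constructed.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN (RFC 3580 values)
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type = IEEE-802

def vlan_profile(vlan_id):
    """Authorization profile: the attributes returned in Access-Accept."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(vlan_id)}

def is_machine(session):
    # Machine authentication presents the computer account as host/<name>
    return session["identity"].startswith("host/")

# Ordered rules: (name, condition, profile). First match wins, so the specific
# computer-group rule is placed above the generic rule that catches all users.
AUTHZ_RULES = [
    ("Finance-Laptops", lambda s: is_machine(s) and "Finance-Laptops" in s["ad_groups"],
     vlan_profile(20)),
    ("All-Users", lambda s: True, vlan_profile(10)),
]

def authorize(session):
    """Return (rule_name, attributes); a failed authentication never reaches the rules."""
    if not session["auth_ok"]:
        return "Access-Reject", None   # port stays unauthorized: no VLAN, no DHCP
    for name, condition, profile in AUTHZ_RULES:
        if condition(session):
            return name, profile
    return "Default-Deny", None

def assigned_vlan(session):
    """VLAN the switch will apply, or None if the session is not authorized."""
    _, attrs = authorize(session)
    return None if attrs is None else int(attrs["Tunnel-Private-Group-ID"])

# Constructed sessions: a finance laptop, a user on an ordinary PC, a failed auth
SESSIONS = {
    "laptop": {"identity": "host/FIN-LT-01", "auth_ok": True,
               "ad_groups": ["Domain Computers", "Finance-Laptops"]},
    "user":   {"identity": "jdoe", "auth_ok": True, "ad_groups": ["Domain Users"]},
    "bad":    {"identity": "host/ROGUE", "auth_ok": False, "ad_groups": []},
}

if __name__ == "__main__":
    for tag, session in SESSIONS.items():
        print(tag, authorize(session)[0], assigned_vlan(session))
```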