
Dynamic Vlan Assignment


All,

I'm looking for a means to secure interfaces configured in an admin vlan.

In an ideal world the interface would be configured with the admin vlan if the device is somehow identified (not necessarily authenticated). In the event that the device isn't identified it fails back to a standard device vlan.

I've had a look at VMPS but understand that this is a dying feature and it would be a poor idea to implement it. The alternative appears to be passing a VLAN tag as a RADIUS attribute.

I'd be keen to know if anybody can make any suggestions as to how I could implement this. Ideally it needs to be simple, with fewer complexities to go wrong.

To add to this, devices are hanging off IP phones which aren't Cisco.

Any help would be appreciated.

Neil

1 Accepted Solution

Accepted Solutions

Amjad Abdullah
VIP Alumni

Hi Neil,

To add to what Tarik said, I would also describe what can be done with whatever RADIUS server you have.

In ISE (Tarik, correct me if I am wrong) the devices are getting profiled automatically depending on many attributes, and the device can be distinguished as an IP phone, laptop, iPad, etc., and based on that the VLAN assignment is applied.

With other RADIUS servers you need to statically specify which VLANs the users should be put in. The VLAN assignment is done based on the username the user is using OR the MAC address the device provides.

Two weeks ago I implemented the same scenario using the Cisco ACS 5.3 RADIUS server, where there are multiple AD users and some other devices (IP phones, network printers, etc.), and the VLAN assignment happens based on the AD group or the type of the device.

I manually added the MAC addresses of printers in one group, IP phones in a different group, etc., and I configured the ACS to assign the VLAN based on that group. With ISE, what I know is that it detects the device type automatically (you have to configure a profile for device types though) and based on that it assigns a VLAN.

You need to notice one thing though: if you are configuring the switch for dot1x authentication you need to add a configuration in the RADIUS server in order to tell the switch to use the VOICE VLAN (not the DATA VLAN) for the phones. Otherwise the phone will use the DATA VLAN when authenticated and not the voice VLAN, which makes only one device, the phone or the PC attached to it, work.

If you use Cisco switches, you need to return the cisco-av-pair attribute with value "device-traffic-class=voice" to the phones when they authenticate. I used this with non-Cisco phones and it works like a charm.

Let us know if there is anything else you need to know about dynamic vlan assignment.

I hope that was useful to you.

Amjad

Rating useful replies is more useful than saying "Thank you"
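The following is an added example, not code from the thread and not ACS or ISE's own code. It shows the RADIUS Access-Accept attribute set a server has to return to implement the scheme described above: the three tagged Tunnel-* attributes (RFC 2868 / RFC 3580) that carry the VLAN, plus the Cisco vendor-specific `cisco-avpair` with `device-traffic-class=voice` for phones. The MAC inventory, the device classes and the VLAN numbers are constructed sample data standing in for the MAC groups in ACS or the profiles in ISE; the tag value 1 and the decision to answer an unknown MAC with Access-Reject are assumptions made for the example.

```python
"""RADIUS Access-Accept attributes for MAB-based dynamic VLAN assignment.

Added illustration (not from the original post). Wire format follows
RFC 2865 (AVP = Type, Length, Value), RFC 2868 (tagged Tunnel-* attributes)
and the Cisco VSA layout (Vendor-Id 9, vendor-type 1 = cisco-avpair).
The inventory and VLAN plan below are constructed sample data.
"""
import struct

# Attribute types (RFC 2865 / RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26

TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580: Tunnel-Medium-Type = IEEE-802
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
TAG = 1                      # assumed tag shared by the three Tunnel-* attributes

# Constructed inventory: MAC -> device class (what an ACS MAC group or an ISE
# profile would provide in a real deployment).
DEVICE_CLASS_BY_MAC = {
    "00:11:22:33:44:55": "ip-phone",
    "00:11:22:33:44:66": "printer",
    "00:11:22:33:44:77": "admin-laptop",
}

# Constructed VLAN plan: device class -> VLAN id
VLAN_BY_CLASS = {"ip-phone": 200, "printer": 300, "admin-laptop": 10}


def avp(attr_type, value):
    """Encode one RADIUS AVP: Type(1) Length(1) Value(n); Length includes the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: Tag(1) followed by a 3-byte big-endian value."""
    return avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: Tag(1) followed by the string bytes."""
    return avp(attr_type, bytes([tag]) + text.encode("ascii"))


def cisco_avpair(text):
    """Vendor-Specific(26): Vendor-Id(4) + Vendor-Type(1) Vendor-Length(1) String."""
    body = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(body)) + body
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def vlan_attributes(vlan_id):
    """The three attributes a switch needs to place the session in a VLAN."""
    return [
        tagged_int(TUNNEL_TYPE, TAG, TUNNEL_TYPE_VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, TAG, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(TUNNEL_PRIVATE_GROUP_ID, TAG, str(vlan_id)),
    ]


def authorize_mab(mac):
    """Decide the reply to a MAB request; returns (code, list of encoded AVPs)."""
    device_class = DEVICE_CLASS_BY_MAC.get(mac.lower().replace("-", ":"))
    if device_class is None:
        # Unknown device: reject. Which VLAN the port then lands in is decided
        # by the switch's configured failure action, not by the server.
        return "Access-Reject", []
    attrs = vlan_attributes(VLAN_BY_CLASS[device_class])
    if device_class == "ip-phone":
        # Without this a Cisco switch treats the phone as a data device
        attrs.append(cisco_avpair("device-traffic-class=voice"))
    return "Access-Accept", attrs


def decode_attributes(raw):
    """Walk concatenated AVPs; raise on a length that does not fit the buffer."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed AVP")
        out.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return out


def assigned_vlan(attrs):
    """Read the VLAN id back from Tunnel-Private-Group-ID, stripping the tag byte."""
    for attr_type, value in decode_attributes(b"".join(attrs)):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte in 0x00..0x1F is a tag, not part of the string
            body = value[1:] if value and value[0] <= 0x1F else value
            return int(body.decode("ascii"))
    return None


def is_voice_device(attrs):
    """True if the reply carries the Cisco device-traffic-class=voice av-pair."""
    for attr_type, value in decode_attributes(b"".join(attrs)):
        if attr_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            if value[6:] == b"device-traffic-class=voice":
                return True
    return False
```

The phone gets VLAN 200 plus the voice av-pair, the printer gets VLAN 300 only, and an unknown MAC is rejected; on a Cisco IOS port the fallback to the standard data VLAN for a rejected device is then a switch-side setting (`authentication event fail action authorize vlan <id>`), so the server never has to know the default VLAN. An alternative some deployments use is to return Access-Accept with no Tunnel-* attributes, which leaves the port in its statically configured access VLAN; the trade-off is that every MAC is then accepted.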

3 Replies

Tarik Admani
VIP Alumni

ISE would be your best bet; you can configure MAB on the ports and use profiling to profile the devices. So if a phone is profiled it gets assigned to the voice VLAN, and the client behind it can be identified via DHCP attributes, etc. Then you can assign them to the admin VLAN, while setting the default VLAN on the port.

Thanks,

Tarik Admani
*Please rate helpful posts*

Amjad,

You are correct.

Tarik Admani
*Please rate helpful posts*