Dynamic vlan with Cisco ise

munish.dhiman1
Level 1

Hi All,

Need your help to understand the scenario below.

One building with two floors; each floor has a Cisco switch, and we want to implement Cisco ISE role-based access.

Two groups, HR and Sales, have been created in the AD, which is integrated with ISE.

How can we configure the switches so that a single port can be used to assign a different VLAN for HR and Sales on the same port?

If a Sales person connects to port 2 and enters 802.1X credentials, they get VLAN 10. And if HR connects to the same port after Sales disconnects, they get VLAN 20.

Is this achievable in a wired 802.1X implementation?

Regards,

MD

1 Accepted Solution

Mike.Cifelli
VIP Alumni
You can accomplish what you are attempting to do in a wired 802.1X implementation. You have a lot to determine though before making deployment decisions. Some items you are going to want to consider are:
-What supplicant do you intend on using (native OS or AnyConnect NAM)?
-Do you want to authenticate users, computers, or both? This answer will drive your answer to the first question.
-Are you wanting to use EAP-TLS?
-How do you plan to get certificates for computers/users?
-Do you have an internal PKI?
-What are the requirements from an authentication perspective for your customer? How often must they re-authenticate?
Additional comments:
"If a Sales person connects to port 2 and enters 802.1X credentials, they get VLAN 10. And if HR connects to the same port after Sales disconnects, they get VLAN 20."
You should rely on ISE to push your VLANs, and then have some sort of auth fallback. Then it would not matter who plugs in where; ISE will authorize the end client/user according to the ISE policies you set up.
As far as configuration from a switch perspective, and just an 802.1X understanding, here are some helpful things:
Free tutorials: http://www.labminutes.com/video/sec
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/config-ieee-802x-pba.html
https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-0/security/configuration/guide/sc40crsbook_chapter1.html
Good luck & HTH!


8 Replies

marce1000
Hall of Fame

- Perfectly, but you will have to study basic ISE and administration, and the ISE switch config guides too.

   M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Colby LeMaire
VIP Alumni

You can do dynamic VLAN assignment using ISE. Assuming you are doing 802.1x user authentication, you could have an authorization rule that matches on AD group membership to HR and if it matches, then assign VLAN X. If in the Sales AD group, then assign VLAN Y. If your VLAN numbers are not consistent across switches, you could do the assignment using VLAN names. But it is case sensitive and you must ensure the names are consistent across all of the switches. On the switch, you just configure a default data VLAN. Once authenticated/authorized, ISE will push down the RADIUS attributes to tell the switch to assign the right VLAN. "show run" would still show the configured VLAN, but if you do a "show vlan", you would see that the port is on whichever VLAN ISE dynamically assigned.

 

With all of that said, I do not recommend doing dynamic VLAN assignment for PCs. When the machine first connects, it will be on the default VLAN for the switchport and it will get an IP address from that subnet. Once user authentication passes, the VLAN will change, which means the IP address will change as well. The problem is that changing IP addresses while logging in or first connecting will break GPOs being applied, login scripts, or drive mappings. Just be aware of that.
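To make the switch side of the answer above concrete, here is an added IOS access-switch configuration for ISE-driven dynamic VLAN assignment. It is an illustration written for this thread, not configuration taken from Colby's post or from Cisco's guides; the VLAN numbers and names, the ISE address 10.1.1.10, port Gi1/0/2 and the shared-secret placeholder are all assumed values.

```cisco
! Added example (not from the thread). Assumed: ISE PSN at 10.1.1.10, VLAN 100 as the
! default data VLAN, VLAN 10 "SALES" and VLAN 20 "HR"; replace every value for your site.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>

! Lets ISE send CoA (re-auth / port bounce) when an authorization result changes
aaa server radius dynamic-author
 client 10.1.1.10 server-key <RADIUS-SHARED-SECRET>

dot1x system-auth-control

! If ISE pushes VLAN *names*, these must match exactly (case-sensitive) on every switch
vlan 10
 name SALES
vlan 20
 name HR
vlan 100
 name DATA-DEFAULT

interface GigabitEthernet1/0/2
 description User port - VLAN is overridden by ISE after authorization
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 ! "auth fallback" from the accepted answer: keep users working if ISE is unreachable
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

! What the ISE authorization profile's VLAN setting puts in the Access-Accept (RFC 3580):
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = 10           (or the name "SALES")
!
! Verification after a Sales user authenticates on the port:
!   show authentication sessions interface GigabitEthernet1/0/2 details
!   show vlan brief                       <- Gi1/0/2 listed under VLAN 10
!   show run interface GigabitEthernet1/0/2   <- still shows "switchport access vlan 100"
```

The last two show commands are the "show run" versus "show vlan" difference described in the post: the running configuration keeps the static default VLAN, while the VLAN table reflects what ISE assigned for the current session. On IOS-XE releases that use IBNS 2.0 the session command is `show access-session interface ... details` instead.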

Have you seen this issue while using AnyConnect, or just the native supplicant? 

It doesn't matter which supplicant you use. Bottom line is that upon initial connection, the port will be in the default/configured VLAN. The PC will immediately get an IP address for that VLAN/subnet. Then Microsoft starts doing its thing to connect to domain controllers, process GPOs, login scripts, drive mappings, etc. At the same time, the user authenticates and the supplicant sends the user credentials. ISE responds with the Access-Accept and the dynamic VLAN assignment instructions to put the port in whatever VLAN the user is supposed to get. That will cause the PC to request a new IP address since it detects a link state change. It gets a new IP address in the dynamically assigned VLAN. Meanwhile, the GPOs and other things that were processing in the background got interrupted because of the IP change.

 

Customers that have tried this in the past with 802.1x or even NAC Appliance have had to try solutions like scripts that are triggered on the PC to restart the login scripts and drive mappings to try to work around the issue.  For me, it is too intermittent to even recommend to my customers.

That's a pretty helpful comment Colby, thanks.

I have a scenario for non-dot1x devices such as printers and APs where, in my authorization policy, I have a dACL pushed by ISE and a dynamic VLAN as well.

Now, the dACL gets pushed and I can see the device on the right VLAN if I do "show vlan"; however, the device can never get an IP on the intended subnet.

What do you think could be the issue?

Could be a number of things:

- Make sure your pre-auth ACL on the interface and the dACL are allowing DHCP (permit udp any eq bootpc any eq bootps).

- Does the new VLAN have an SVI interface (interface vlan x) and does that interface have an "ip helper-address" command on it to point to the DHCP server?

- If DHCP Snooping is enabled on that VLAN, you have to make sure that the interface leading to your DHCP server is set to trusted.  Or if you are using DHCP Snooping primarily for Device Sensor profiling and don't want to enforce, then you can use the command "ip dhcp snooping glean" for it to operate in a read-only mode where it doesn't enforce.

Those are the most common issues.

This is the problem with dynamic VLAN assignment. Either the endpoint needs to have the ability to detect a VLAN change so it can request a new IP address in the new VLAN, or you have to use other methods to work around it. Some of the methods customers have used to work around this issue:

  1. Block DHCP in your pre-auth ACL configured on the switchport. This will prevent the endpoint from getting an IP address in the initial VLAN. Some endpoints, however, might give up too quickly and go into a holding state before the authZ completes.
  2. Have a starting VLAN with a super aggressive DHCP lease timer (like 5 seconds; not possible with Windows-based DHCP servers). Once the endpoint is in the resulting VLAN/subnet, it will get a new IP address with a normal lease.
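The DHCP checks in Colby's list (DHCP permitted in the pre-auth ACL and the dACL, an SVI with `ip helper-address`, and DHCP snooping trust or glean) and the first workaround above (denying DHCP until authorization completes) expressed as IOS configuration. This is an added example for this thread, not configuration from any of the posts; VLAN 20, the SVI address 10.20.0.1/24, the DHCP server 10.1.1.20 and the port names are assumed placeholders, and the SVI is assumed to live on the switch that routes the VLAN.

```cisco
! Added example (not from the thread). Assumed placeholders: VLAN 20 "HR" routed by this
! switch at 10.20.0.1/24, DHCP server 10.1.1.20 reached via uplink Gi1/0/48.

! 1. Pre-auth ACL on the user port: DHCP must get through before authorization.
!    The client DISCOVER is UDP src 68 (bootpc) -> dst 67 (bootps).
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any

interface GigabitEthernet1/0/2
 ip access-group PRE-AUTH in

! Weak variant that reproduces the "right VLAN, no IP" symptom: DHCP is silently dropped.
!   ip access-list extended PRE-AUTH-BROKEN
!    permit udp any any eq domain
!    deny   ip any any
!
! The dACL that ISE downloads replaces PRE-AUTH on the port, so it needs the same line,
! e.g. the printer dACL in ISE:   permit udp any eq bootpc any eq bootps
!                                 permit ip any any
! Classic IOS also needs "ip device tracking" globally for dACLs to be applied.

! 2. The dynamically assigned VLAN needs an SVI that relays DHCP to the server
interface Vlan20
 description HR
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.1.1.20

! 3a. DHCP snooping with enforcement: the interface toward the DHCP server must be trusted,
!     otherwise OFFERs arriving on an untrusted port are dropped
ip dhcp snooping
ip dhcp snooping vlan 10,20,100
interface GigabitEthernet1/0/48
 description Uplink toward DHCP server
 ip dhcp snooping trust

! 3b. Alternative when snooping exists only to feed Device Sensor profiling: read-only
!     gleaning instead of the enforcing lines in 3a
! ip dhcp snooping glean

! 4. Workaround 1 from the post above: deny DHCP pre-auth so the endpoint never takes an
!    address in the starting VLAN; caveat from the post is that some endpoints give up early
ip access-list extended PRE-AUTH-NO-DHCP
 deny   udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any

! Checks
!   show ip access-lists PRE-AUTH
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show authentication sessions interface GigabitEthernet1/0/2 details  (ACL + VLAN applied)
!   show run interface Vlan20
```

Walk the three checks in order: if `show ip dhcp snooping binding` never shows the endpoint, the DISCOVER is being dropped on the access switch (step 1 or 3a); if the binding appears but no OFFER comes back, look at the SVI and helper on the routing switch (step 2).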
