1728 Views, 3 Helpful, 3 Replies

IBNS 2.0 RADIUS send switchport access vlan

mstraessle (Level 4)

I am looking for a solution for the following requirement:

In IBNS 2.0 I need to get the information about the configured "switchport access vlan" from the requesting switch.

Since the switch itself knows the statically configured VLAN from the port configuration, it should be possible to integrate this into the MAB Call-Check in the same way as I have the SSID in the WLAN RADIUS requests in the Calling-Station-ID.

But either the "feature" is not supported, or I am very bad at Googling and reading RFCs, so that I missed the correct hint.

You probably ask: why the hell do we need this? The use case is simple: different OUs or companies are using MAB on different directories. And instead of an authentication sequence for 10 or more OUs, I would like to dispatch the MAB lookup to the correct directory when it arrives on ISE, using external RADIUS servers.

Any idea how to instruct IOS 15.x to do so? I tried all possible commands using "radius-server attribute xxx", but was not successful so far.

Thanks, Marco

Accepted Solution

howon (Cisco Employee)

Yes, it should work as long as you are running 15.2(2)E/3.6.0E/15.2(1)SY and higher and with the following commands. The VLAN ID and VLAN name are carried in the Tunnel-Private-Group-ID attribute. The following is the configuration you need to add it to the AuthC request:

switch(config)#access-session attributes filter-list list custom-name

switch(config-com-filter-list)#vlan-id

switch(config-com-filter-list)#exit

switch(config)#

switch(config)#access-session authentication attributes filter-spec include list custom-name

FYI, you can also do the same on the older IOS (12.2(53)SE2), but it works only with MAB requests, and the VLAN ID is carried in the NAS-Identifier field:

switch(config)#mab request format attribute 32 vlan access-vlan

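To see what the two switch-side options above actually put on the wire, and how a RADIUS front end could use it to route the MAB lookup to a per-OU directory as the original poster wants, here is an added example (my code, not from the thread or from Cisco). It parses a RADIUS Access-Request, extracts the access VLAN from Tunnel-Private-Group-ID (attribute 81, with its RFC 2868 tag octet stripped) or, as a fallback for the old-style switch, from NAS-Identifier (attribute 32), and maps it to a directory name. The two packets and the VLAN-to-directory table are constructed for the example; the directory names and the `dispatch` function are hypothetical.

```python
"""
Extract the access VLAN a Cisco switch embeds in a MAB Access-Request and use it
to pick the directory that should answer the lookup. Added example; the packets
below are constructed by hand, not captured from a real switch.
"""
import struct
from typing import List, Optional, Tuple

# Standard RADIUS attribute numbers (RFC 2865 / RFC 2868).
USER_NAME = 1
SERVICE_TYPE = 6
CALLING_STATION_ID = 31
NAS_IDENTIFIER = 32
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
ACCESS_REQUEST = 1
SERVICE_TYPE_CALL_CHECK = 10

Attrs = List[Tuple[int, bytes]]


def parse_attributes(payload: bytes) -> Attrs:
    """Walk the attribute TLVs; refuse lengths that do not fit the buffer."""
    attrs: Attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Attrs]:
    """Split Code / Identifier / Length / Authenticator / attributes."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS Length field")
    return code, ident, pkt[4:20], parse_attributes(pkt[20:length])


def strip_tunnel_tag(value: bytes) -> bytes:
    """RFC 2868: a leading octet in 0x00..0x1F is a tag, not part of the string."""
    return value[1:] if value and value[0] <= 0x1F else value


def access_vlan(attrs: Attrs) -> Optional[str]:
    """Prefer Tunnel-Private-Group-ID (new-style switches); fall back to a numeric
    NAS-Identifier, which is what 'mab request format attribute 32 vlan
    access-vlan' sends on the older 12.2(53)SE2 image."""
    for atype, val in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return strip_tunnel_tag(val).decode("ascii", "replace")
    for atype, val in attrs:
        if atype == NAS_IDENTIFIER:
            text = val.decode("ascii", "replace")
            if text.isdigit():
                return text
    return None


# Hypothetical VLAN -> directory table for the multi-OU setup in the thread.
VLAN_DIRECTORY = {"110": "ou-a-directory", "120": "ou-b-directory"}


def dispatch(pkt: bytes) -> Tuple[Optional[str], str]:
    """Return (vlan, directory) for an Access-Request, or raise on junk."""
    code, _, _, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    vlan = access_vlan(attrs)
    return vlan, VLAN_DIRECTORY.get(vlan, "default-directory")


def build_access_request(attrs: Attrs, ident: int = 0x2A) -> bytes:
    """Assemble a packet (constructed test data; all-zero Request Authenticator)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


# Integer tunnel attributes carry tag(1) + 3-byte value; strings carry tag(1) + text.
def tagged_int(tag: int, value: int) -> bytes:
    return bytes([tag]) + struct.pack("!I", value)[1:]


# What a 15.2(2)E+ switch with the 'vlan-id' filter-list sends (constructed).
NEW_STYLE_REQUEST = build_access_request([
    (USER_NAME, b"0011aabbccdd"),
    (CALLING_STATION_ID, b"00-11-AA-BB-CC-DD"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (TUNNEL_TYPE, tagged_int(1, 13)),          # 13 = VLAN
    (TUNNEL_MEDIUM_TYPE, tagged_int(1, 6)),    # 6 = IEEE-802
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"110"),
])

# What the old-style 'mab request format attribute 32 vlan access-vlan' sends (constructed).
OLD_STYLE_REQUEST = build_access_request([
    (USER_NAME, b"0011aabbccdd"),
    (CALLING_STATION_ID, b"00-11-AA-BB-CC-DD"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (NAS_IDENTIFIER, b"120"),
])

if __name__ == "__main__":
    for name, pkt in (("new-style", NEW_STYLE_REQUEST), ("old-style", OLD_STYLE_REQUEST)):
        print(name, dispatch(pkt))
```

Two things worth noting if you wire this into a real policy front end: the tag octet on Tunnel-Private-Group-ID is easy to forget, and a VLAN name (not just the ID) can arrive in that attribute on the newer images, so compare the decoded string against both; and the NAS-Identifier fallback only makes sense on the old-style switch, where the attribute has been repurposed, since otherwise it carries the switch hostname.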

3 Replies


It seems that the command above, "access-session attributes filter-list list custom-name", is not available in IOS 15.2-2.E5 on my 2960S-48...

I mean: I have gone through:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/sec-vlan-dot1x-auth-request.pdf

And these are my options:

switch(config)#access-session ?
  accounting             Set the attribute providers accounting information
  acl                    Application of ACLs on access-session
  cache                  Set cache configuration
  interface-template     Set the interface-template sticky globally
  mac-move               Set required action when a MAC move is detected
  monitor                Apply template to monitor access sessions on the port
  passthru-access-group  IP access-list map to FQDN ACL
  tunnel vlan            Set Tunnel Vlan Id
  vlan-assignment        set the partial vlan attrib setting globally

switch#sh ver

Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.2(2)E5, RELEASE SOFTWARE (fc2)

...

Can you explain what are the prerequisites for it? It is also referenced in BRK-SEC2691 (2015) Slide 58, but not accepted by IOS...

I am running IBNS 2.0 in new-style mode. Whatever, "mab request format attribute 32 vlan access-vlan" does fulfill my requirements so far...

Thanks

I found the answer to my question, which is quite simple:

"It is not supported on C2960S", but that is nowhere written; between the lines, though, there is a statement like this:

IOS 15.2(3)E: The following commands were introduced or modified:  "access-session attributes filter-list list"

But there is no IOS 15.2(3)E for my type of Switch, which makes it simple to answer.

BTW: Feature Navigator is crappy: If I choose the corresponding Feature: "VLAN RADIUS Attributes in Access Requests" I get the following Output:

"The feature combination you searched on is not in any supported Cisco software releases in this tool. Please change the feature combination and search again."

Seems to be typical Cisco software...
