IBNS 2.0 RADIUS send switchport access vlan

mstraessle
Level 4

I am looking for a solution for the following requirement:

In IBNS 2.0 I need to get the information about the configured "switchport access vlan" from the requesting switch.

Since the switch itself knows the statically configured VLAN from the port configuration, it should be possible to integrate this into the MAB Call-Check in the same way as I have the SSID in the WLAN RADIUS requests in the Calling-Station-ID.

But either the "feature" is not supported, or I am so bad at googling and reading RFCs that I missed the correct hint.

You probably ask: why the hell do we need this? The use case is simple: different OUs or companies are using MAB on different directories. And instead of an authentication sequence for 10 or more OUs, I would like to dispatch the MAB lookup to the correct directory when it arrives on ISE, using external RADIUS servers.

Any idea how to instruct IOS 15.x to do so? I tried all possible commands using "radius-server attribute xxx", but was not successful so far.

Thanks, Marco

Accepted Solution

howon
Cisco Employee

Yes, it should work as long as you are running 15.2(2)E/3.6.0E/15.2(1)SY and higher and with the following commands. The VLAN ID & VLAN Name are carried in the Tunnel-Private-Group attribute. The following is the configuration you need to add it to the AuthC request:

switch(config)#access-session attributes filter-list list custom-name
switch(config-com-filter-list)#vlan-id
switch(config-com-filter-list)#exit
switch(config)#access-session authentication attributes filter-spec include list custom-name

FYI, you can also do the same for the older IOS (12.2(53)SE2), but it works only with MAB requests, and the VLAN ID is carried in the NAS ID field.

switch(config)#mab request format attribute 32 vlan access-vlan
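The dispatch the original question is after, as an added example that is not part of this thread or of any Cisco software: a small Python parser that takes a RADIUS Access-Request and pulls the access VLAN out of Tunnel-Private-Group-ID (attribute 81, RFC 2868, whose first octet may be a tag) as the newer IOS sends it, or out of NAS-Identifier (attribute 32, RFC 2865) as the older "mab request format attribute 32" form sends it, then maps the VLAN to a directory. The packet builder, the VLAN-to-directory table and the directory names are constructed for the example.

```python
import struct
from typing import List, Optional, Tuple

NAS_IDENTIFIER = 32           # RFC 2865; where "mab request format attribute 32" puts the VLAN
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868; where the filter-list "vlan-id" setting puts it
# Constructed VLAN -> directory map; the directory names are hypothetical.
VLAN_TO_DIRECTORY = {"100": "ad.company-a.example", "200": "ad.company-b.example"}

def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, value) pairs from a RADIUS packet, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    attrs, pos = [], 20
    while pos < length:
        head = packet[pos:pos + 2]  # attribute Type, Length (Length counts both header bytes)
        if len(head) < 2 or head[1] < 2 or pos + head[1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((head[0], packet[pos + 2:pos + head[1]]))
        pos += head[1]
    return attrs

def tunnel_group_value(value: bytes) -> str:
    """Strip the RFC 2868 tag octet: 0x00-0x1F is a tag, anything larger is data."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii", errors="replace")

def access_vlan(packet: bytes) -> Optional[str]:
    """Prefer Tunnel-Private-Group-ID; fall back to NAS-Identifier for the older IOS form."""
    nas_id = None
    for atype, value in parse_attributes(packet):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return tunnel_group_value(value)
        if atype == NAS_IDENTIFIER:
            nas_id = value.decode("ascii", errors="replace")
    return nas_id

def directory_for(packet: bytes) -> Optional[str]:
    return VLAN_TO_DIRECTORY.get(access_vlan(packet) or "")  # None if the VLAN is unknown

def build_access_request(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed Access-Request (Code 1, Identifier 7) with a zeroed authenticator, for testing."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body
```

A request that carries neither attribute yields no VLAN, so the caller can fall back to a default directory rather than guessing.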


It seems that the command above, "access-session attributes filter-list list custom-name", is not available in IOS 15.2-2.E5 on my 2960S-48...

I mean: I have gone through:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/sec-vlan-dot1x-auth-request.pdf

And these are my options:

switch(config)#access-session ?
  accounting             Set the attribute providers accounting information
  acl                    Application of ACLs on access-session
  cache                  Set cache configuration
  interface-template     Set the interface-template sticky globally
  mac-move               Set required action when a MAC move is detected
  monitor                Apply template to monitor access sessions on the port
  passthru-access-group  IP access-list map to FQDN ACL
  tunnel vlan            Set Tunnel Vlan Id
  vlan-assignment        set the partial vlan attrib setting globally

switch#sh ver
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.2(2)E5, RELEASE SOFTWARE (fc2)
...

Can you explain what the prerequisites for it are? It is also referenced in BRK-SEC2691 (2015), slide 58, but it is not accepted by IOS...

I am running IBNS 2.0 in new-style mode. Whatever, "mab request format attribute 32 vlan access-vlan" does fulfill my requirements so far...

Thanks

I found the answer to my question, which is quite simple:

"It is not supported on C2960S", but that is written nowhere; only between the lines is there a statement like this:

IOS 15.2(3)E: The following commands were introduced or modified: "access-session attributes filter-list list"

But there is no IOS 15.2(3)E for my type of Switch, which makes it simple to answer.

BTW: Feature Navigator is crappy: if I choose the corresponding feature, "VLAN RADIUS Attributes in Access Requests", I get the following output:

"The feature combination you searched on is not in any supported Cisco software releases in this tool. Please change the feature combination and search again."

Seems to be typical Cisco software...