ISE 2.4: 802.1x authz criteria by access vlan

Nadav
Level 7

Hi everyone,


Is it possible to add the switchport's access vlan as a criteria for 802.1x authorization?

For example, check certificate AND (supplicant is connected to access vlan 1020 OR access vlan 1025). Only then permit access.

Accepted Solution

Hi,
This is certainly possible using IBNS 2.0; you need to create an attribute list and include the vlan-id, e.g.:

access-session attributes filter-list list ATT_LIST
 vlan-id
access-session authentication attributes filter-spec include list ATT_LIST
access-session accounting attributes filter-spec include list ATT_LIST

The ISE AuthZ rule would check for the condition "Radius:Tunnel-Private-Group-ID CONTAINS DATA", where DATA is the name of the VLAN:

SWI-2#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/11, Gi0/12, Gi0/13, Gi0/14
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
                                                Gi0/19, Gi0/20, Gi0/21, Gi0/22
                                                Gi0/23, Gi0/24
10   VLAN0010                         active
11   DATA                             active    Gi0/2, Gi0/3, Gi0/4, Gi0/5

Reference here

HTH
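The RADIUS side of that rule, as an added example that is not from the thread or from Cisco: parse the Tunnel-Private-Group-ID attribute (type 81, RFC 2868 tagged string) out of a constructed Access-Request attribute region and apply the "certificate valid AND switchport VLAN in the allowed set" decision. It also contrasts the thread's CONTAINS operator with an exact match, since CONTAINS is a substring test and would accept a VLAN named, say, NODATA as well.

```python
TUNNEL_PRIVATE_GROUP_ID = 81  # RADIUS attribute type (RFC 2868)
USER_NAME = 1                 # RADIUS attribute type (RFC 2865)


def parse_avps(blob):
    """Split a RADIUS attribute region into (type, value) pairs (RFC 2865 TLV)."""
    avps, i = [], 0
    while i < len(blob):
        atype, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed AVP at offset %d" % i)
        avps.append((atype, blob[i + 2:i + length]))
        i += length
    return avps


def tunnel_group_ids(avps):
    """VLAN names carried in Tunnel-Private-Group-ID, with the RFC 2868 tag stripped.

    A leading octet of 0x01..0x1F is a tunnel tag; anything larger is data.
    IBNS 2.0 sends the VLAN *name* here, not the numeric VLAN ID.
    """
    names = []
    for atype, value in avps:
        if atype != TUNNEL_PRIVATE_GROUP_ID or not value:
            continue
        if value[0] <= 0x1F:
            value = value[1:]
        names.append(value.decode("ascii", "replace"))
    return names


def authorize(cert_valid, avps, allowed_vlans, exact=True):
    """Mirror the ISE AuthZ rule: valid certificate AND reported VLAN is allowed.

    exact=False reproduces the thread's CONTAINS operator (substring match).
    """
    if not cert_valid:
        return False
    for name in tunnel_group_ids(avps):
        if exact and name in allowed_vlans:
            return True
        if not exact and any(a in name for a in allowed_vlans):
            return True
    return False


def avp(atype, value, tag=None):
    """Encode one attribute; tag is the optional RFC 2868 tag octet."""
    body = (bytes([tag]) if tag is not None else b"") + value
    return bytes([atype, 2 + len(body)]) + body


# Constructed samples of what a switch with vlan-id in its filter list would send.
REQ_DATA = avp(USER_NAME, b"host/PC1.example") + avp(81, b"DATA", tag=1)
REQ_NODATA = avp(USER_NAME, b"host/PC2.example") + avp(81, b"NODATA", tag=1)
```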

4 Replies

marce1000
VIP

- The supplicant is not connected to a VLAN but runs on the end-host. You define in the ISE policy which VLAN the host will be put in.

M.



-- 'Good body every evening' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Hi,

Not quite what I'm asking. I'm not interested in assigning the VLAN dynamically by policy, but rather in receiving the switchport's existing access VLAN as part of the access-request (or via any other mechanism).


Thanks,

IBNS 2.0 requires fairly modern hardware (3850 and later, for example). Any idea for a solution based on the 3750 platform?