
ISE and authorization VLANs

I need to know for sure (and with detailed official documentation links or experience if possible)

if ISE for CoA accepts VLAN names rather than VLAN ID numbers (multiple VTP domains: we have multiple VLAN ID numbers under the same consistent naming).

Thank you in advance for your response.


Tarik Admani
VIP Alumni

Guiliano,

The ISE CoA feature doesn't assign VLANs; its entire purpose is to re-authorize the user or to bounce the port. When CoA is configured in ISE it is done globally, and the values are: none, reauth, and port bounce (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555531). However, in your authorization policies most of the devices do support either VLAN names or VLAN IDs for dynamic VLAN assignment, as found in this configuration guide (http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/Sw8021x.html#wp1066886).

Thanks,

Tarik Admani
*Please rate helpful posts*

Thank you for your explanation,

but what I wanted to know is:

In the auth profiles I can assign a VLAN dynamically by its VLAN ID, and this is OK.

If I have a scenario in which there are multiple VTP domains, so that a VLAN named XXX is present everywhere but with different VLAN IDs (VLAN XXX = VLAN 13 for site 1 and VLAN 60 for site 2), will I be able to tell ISE to associate that VLAN by its globally consistent naming to an authorization profile (identifying multiple VLAN IDs under a unique name)?

Not a problem; in the link that I posted at the end, that is covered. Here are the comments that I was referring to:

Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:

–[64] Tunnel-Type = VLAN

–[65] Tunnel-Medium-Type = 802

–[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1X-authenticated user.

Thanks,

Tarik Admani
*Please rate helpful posts*
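
As an added example (not part of the thread or of Cisco's documentation), this Python code encodes the three attributes quoted above in the RFC 2868 wire layout and checks an attribute set for the required values, showing that a VLAN name such as the thread's XXX and a numeric ID travel in the same attribute [81] string field. The function names are hypothetical and the sample values are constructed.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # required values quoted in the reply above

def encode_vlan_attrs(vlan, tag=0):
    """Encode attributes 64/65/81 for a VLAN name or ID (RFC 2868 layout)."""
    def tagged_int(attr_type, value):
        # Type, Length=6, Tag, 3-byte big-endian value
        return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan).encode("ascii")  # name or ID travels as the same string field
    return (tagged_int(TUNNEL_TYPE, VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)

def parse_attrs(buf):
    """Split a RADIUS attribute buffer into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return attrs

def check_vlan_assignment(buf):
    """Return ('name' | 'id', value) if buf is a complete dynamic-VLAN attribute set."""
    attrs = dict(parse_attrs(buf))
    for attr_type, want in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        value = attrs.get(attr_type)
        if value is None or len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            raise ValueError(f"attribute [{attr_type}] missing or not {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # leading byte in tag range is a tag, not text
        group = group[1:]
    if not group:
        raise ValueError("attribute [81] missing or empty")
    text = group.decode("ascii")
    return ("id" if text.isdigit() else "name", text)

if __name__ == "__main__":
    # Constructed sample: the thread's VLAN "XXX" (ID 13 at site 1, 60 at site 2)
    for vlan in ("XXX", 13, 60):
        print(vlan, "->", check_vlan_assignment(encode_vlan_attrs(vlan)))
```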