07-31-2013 03:30 PM - edited 03-10-2019 08:42 PM
Hi All,
Can ISE place a connection into a VLAN based on MAC address? (Both wired and wireless).
Scenario is as follows:
Thanks for your comments!
Andrew
07-31-2013 04:07 PM
If you create a rule per location then yes.
If a rule per location is not suitable then you could use one rule, which dumps them into a VLAN based on the VLAN name, but then you obviously need separate VTP domains per location.
Careful when you dynamically allocate VLANs: you may need to change to port bounce for CoA to allow DHCP to do its thing, which is a global setting up until version 1.2.
Version 1.2 also has other flexibilities which might be useful to you (nested rules so I believe you may be able to have one rule with multiple profiles based on location), but I've not played with them too much yet.
Sent from Cisco Technical Support iPhone App
07-31-2013 07:09 PM
You have to create a location-based rule in ISE; then it is possible. ISE 1.2 provides lots of features on a location basis. Please check the release notes of ISE 1.2.
08-01-2013 12:42 PM
Bike, Ravi,
Thank you both for the quick and great responses. Very valuable info.
I still have reluctance to implement things this way for more of a human rather than technical reason.
The customer is proposing they will have two MAC address lists, one for "trusted" corporate devices and one for "not so trusted" devices. I see that being the weak link in the policy more than anything.
Again, thanks for the comments.
Andrew
07-24-2018 05:05 AM
Hi,
I have a similar case. I configured MAB authentication on a Cisco 3750 switch (Version 12.2(44r)SE3) for dynamically assigned VLANs, but when I plugged my laptop into the switch port, my laptop was not assigned to the desired VLAN. Please take a look at the configuration in my attachment.