09-09-2013 07:25 PM - edited 03-10-2019 08:52 PM
Hi,
We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into VLANs of a manageable size - we do not want to use geographically based VLANs for a number of reasons. However, there is one scenario which I am struggling with.
A number of students will be living in university-owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet, but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied when they connect "on campus"). However, in order to do this, I will need to create an authorization policy based on where they are coming from (i.e. what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from, but for the life of me I have no idea how I would identify the port.
Anyone have any ideas how I might achieve my goal?
Thanks
Alan
09-19-2013 10:53 PM
Hi
Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
• A profile name
• A profile description
• An associated DACL
• An associated VLAN
• An associated SGACL
• Any number of other dictionary-based attributes
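The original question asks how to key an authorization policy on the switch and port a request arrives from, and the reply above describes the authorization profile that a matching rule returns. The following Python model, added here as an illustration and not code from Cisco ISE or from anyone in this thread, ties the two together: it evaluates rules against the RADIUS NAS-IP-Address and NAS-Port-Id attributes of an Access-Request and returns a profile container (VLAN, dACL name, SGT) rendered as the attributes an Access-Accept would carry. The switch address, port name, VLAN numbers, dACL names and the "Identity-Group" key (an ISE-side lookup result folded into the request dict for simplicity) are all constructed placeholders.

```python
"""Toy model of an authorization policy keyed on NAS-IP-Address and NAS-Port-Id.
Constructed example: every address, port name, VLAN and dACL name below is a
placeholder, not a value from a real deployment."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A RADIUS Access-Request reduced to a name -> value mapping (RFC 2865 attribute names).
Request = Dict[str, str]


@dataclass
class AuthorizationProfile:
    """Container for the permissions returned to the NAD on a successful match."""
    name: str
    description: str
    dacl: Optional[str] = None   # downloadable ACL name (placeholder)
    vlan: Optional[int] = None   # VLAN assigned via the RFC 2868 Tunnel-* attributes
    sgt: Optional[int] = None    # security group tag (Cisco TrustSec), if used

    def to_radius_attributes(self) -> Dict[str, str]:
        """Render the profile as the attribute set an Access-Accept would carry."""
        attrs: Dict[str, str] = {}
        if self.vlan is not None:
            attrs["Tunnel-Type"] = "VLAN"
            attrs["Tunnel-Medium-Type"] = "IEEE-802"
            attrs["Tunnel-Private-Group-ID"] = str(self.vlan)
        if self.dacl is not None:
            # The real dACL reference is a vendor-specific attribute; the name is
            # kept as a plain key here so the model stays vendor-neutral.
            attrs["dACL"] = self.dacl
        if self.sgt is not None:
            attrs["SGT"] = str(self.sgt)
        return attrs


# Switches abbreviate interface names differently (Gi1/0/24 vs GigabitEthernet1/0/24),
# so the port string is normalised before comparison.
_PORT_PREFIXES = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}


def normalize_port(port_id: str) -> str:
    """Expand a short interface prefix to its long form; leave other strings untouched."""
    port_id = port_id.strip()
    for short, long in _PORT_PREFIXES.items():
        if port_id.startswith(short) and not port_id.startswith(long):
            return long + port_id[len(short):]
    return port_id


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    profile: AuthorizationProfile


# Constructed placeholder values for the single port the ADSL aggregate lands on.
OFFCAMPUS_AGGREGATION_SWITCH = "10.0.0.1"         # NAS-IP-Address of that switch
OFFCAMPUS_UPLINK_PORT = "GigabitEthernet1/0/24"   # NAS-Port-Id of that port

OFF_CAMPUS = AuthorizationProfile("Student-OffCampus", "Students via ADSL aggregation",
                                  dacl="STUDENT-REMOTE", vlan=310)
ON_CAMPUS = AuthorizationProfile("Student-OnCampus", "Students on campus",
                                 dacl="STUDENT-LOCAL", vlan=210)
DENY = AuthorizationProfile("DenyAccess", "No rule matched")

# Rules are evaluated top-down; the first match wins, so the more specific
# switch+port rule must sit above the general on-campus rule.
RULES: List[Rule] = [
    Rule("OffCampus students",
         lambda r: r.get("NAS-IP-Address") == OFFCAMPUS_AGGREGATION_SWITCH
         and normalize_port(r.get("NAS-Port-Id", "")) == OFFCAMPUS_UPLINK_PORT
         and r.get("Identity-Group") == "Students",
         OFF_CAMPUS),
    Rule("OnCampus students",
         lambda r: r.get("Identity-Group") == "Students",
         ON_CAMPUS),
]


def authorize(request: Request) -> AuthorizationProfile:
    """Return the first matching profile, or the deny profile when nothing matches."""
    for rule in RULES:
        if rule.condition(request):
            return rule.profile
    return DENY


if __name__ == "__main__":
    # Constructed sample request from the off-campus aggregation port.
    sample = {"User-Name": "student1", "NAS-IP-Address": "10.0.0.1",
              "NAS-Port-Id": "Gi1/0/24", "Identity-Group": "Students"}
    profile = authorize(sample)
    print(profile.name, profile.to_radius_attributes())
```

Because the ADSL aggregate arrives on one port, every off-campus session shares the same NAS-Port-Id, which is exactly why the first rule can key on it; a session from any other port on the same switch falls through to the on-campus rule.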
10-18-2013 04:58 PM
I think you should use a data flow monitoring tool.
Cisco NetFlow data records exported by routers and switches consist of expired traffic flows with detailed traffic statistics useful to monitor bandwidth and network traffic analysis. These flows contain information about source and destination IP addresses along with the protocols and ports used in the end-to-end conversation.
10-21-2013 02:01 PM
Do you mean you handle the off-campus switches as NADs and control each of those switchports with ISE?
Why do you need to differentiate based on port number?
10-21-2013 03:51 PM
Hi Peter,
No - I don't mean to handle the off-campus switches as NADs.
The reason I may need to differentiate according to port number is that the external switches, over which I have no control, will in all probability be connecting to a single switchport in my network. The users concerned will have different rights depending on whether they are connecting from Halls of Residence which are not owned and operated by the university or whether they are connecting on-campus. It's all to do with how I write my authorization policies.
The good news is that thanks to the information I have received I've figured out what I need to do.
Thanks to all who have helped - sorry I didn't reply to all posts individually but you have all been a great help.
10-21-2013 11:05 PM
So you're planning to cascade switches and make the 802.1X frames from off-campus clients appear on that single switchport? I'm afraid that's not possible, as the remote switch would not forward EAPOL frames. Only hubs are suitable for such multi-auth scenarios.
There is a technology called Network Edge Access Topology (NEAT) that resembles your needs but the ADSL part is still an obstacle.
11-05-2013 02:48 PM
Thanks to all who have answered here - it has given me a lot of useful information. However, as we have progressed in our design and testing phase we have moved away from the idea of using multi-auth as a solution. We are now looking at security group tags for all our security requirements.
Regards
Alan