01-16-2020 07:58 AM
Hi all,
I am implementing DOT1x authentication on switch ports (wired network) at one of my customers.
Computers are in AD, so we set up groups for sorting the computers, and the VLAN on the port is assigned according to the group the computer belongs to. Up to this point there was no problem.
The customer would like to utilize user authentication too, to get information about the user behind the computer, but implementing this I ran into a problem.
I tried to set up an ISE authorization rule where I used the Network Access -> WasMachineAuthenticated attribute and user authentication with the result just permit access (no VLAN setting), but this results in the switch access VLAN being set up on the port (it does not keep the VLAN configured dynamically by the previous machine authentication/authorization).
And I did not find any way to check computer AD group membership during user authentication.
Can someone give any advice on how to achieve it?
Regards
Pavel
01-16-2020 08:13 AM
01-20-2020 04:48 AM
Yes, you are assuming right - the customer now utilizes the Windows native supplicant.
I will try to test the scenario with AC as supplicant (NAM module) with chained authentication - thank you for the tip, but it is not relevant for the customer just now - I will have to discuss the possibility of changing/installing new software on the customer's PCs (AnyConnect).
Does anybody have some other idea how to achieve the goal with the Windows supplicant?
Thank you
01-28-2020 03:16 AM
01-18-2020 09:50 AM - edited 01-20-2020 06:18 PM
As long as the desired VLAN differs from the one configured on the switch interface, each of the resulting authorization profiles should have the desired VLAN setting sent down from ISE to the switch. You can't rely on using the same session ID to keep the VLAN override.
AFAIK this is how it works on Cisco IOS or IOS-XE.
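To make the point above concrete, here is an added example (not part of the thread, and not ISE or IOS code) that builds the RADIUS VLAN-assignment attributes an Access-Accept must carry (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, per RFC 2868 and RFC 3580) and models the switch-side behaviour the answer describes: after each Access-Accept the port lands on the VLAN the accept carries, and if the accept carries none, on the configured access VLAN. The VLAN IDs 10 and 120 and the "permit only" authorization result are constructed for the scenario in the original question.

```python
# Added example: RADIUS VLAN override attributes and the port-VLAN model from the thread.
# Attribute numbers and values come from RFC 2868 / RFC 3580; VLAN IDs are constructed.

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
SESSION_TIMEOUT = 27
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"
TUNNEL_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def _attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_vlan_override(vlan_id, tag=1):
    """The attribute triplet an Access-Accept needs to move a port into vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    # Tagged integer attributes: 1 tag byte + 3-byte big-endian value.
    return b"".join([
        _attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        # Tagged string attribute: 1 tag byte + the VLAN ID as ASCII digits.
        _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
    ])


def parse_attrs(blob):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def vlan_from_accept(blob):
    """VLAN assigned by an Access-Accept, or None if it has no complete VLAN triplet."""
    groups = {}
    for attr_type, value in parse_attrs(blob):
        if attr_type not in TUNNEL_ATTRS or not value:
            continue
        # RFC 2868: a leading byte <= 0x1F is a tag; a larger byte is part of the value.
        tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
        groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
            return int(gid) if gid.isdigit() else gid  # a VLAN name is also accepted by IOS
    return None


def port_vlan_after_each_accept(access_vlan, accepts):
    """Port VLAN after each Access-Accept: its override if present, else the access VLAN."""
    result = []
    for accept in accepts:
        vlan = vlan_from_accept(accept)
        result.append(access_vlan if vlan is None else vlan)
    return result


# Constructed authorization results for the thread's scenario.
MACHINE_AUTH_ACCEPT = encode_vlan_override(120)                          # AD group -> VLAN 120
PERMIT_ONLY_ACCEPT = _attr(SESSION_TIMEOUT, (3600).to_bytes(4, "big"))   # permit access, no VLAN
USER_AUTH_ACCEPT = encode_vlan_override(120) + PERMIT_ONLY_ACCEPT        # user profile with VLAN

if __name__ == "__main__":
    # Machine auth moves the port to 120; a permit-only user result drops it back to 10.
    print(port_vlan_after_each_accept(10, [MACHINE_AUTH_ACCEPT, PERMIT_ONLY_ACCEPT]))  # [120, 10]
    # With the VLAN in the user profile as well, the port stays on 120.
    print(port_vlan_after_each_accept(10, [MACHINE_AUTH_ACCEPT, USER_AUTH_ACCEPT]))    # [120, 120]
```

The first run reproduces the symptom from the question (port falls back to the access VLAN on the permit-only user authorization); the second shows the fix the answer recommends, with the VLAN carried in every authorization profile that applies to the port.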