Keep VLAN on switch port

pnavratil
Level 1

Hi all,

I am implementing DOT1x authentication on switch ports (wired network) at one of my customers.

Computers are in AD, so we set up groups for sorting the computers, and the VLAN on the port is assigned according to the group the computer belongs to. Until now there was no problem.

The customer would like to utilize user authentication too - to get information about the user behind the computer - but when implementing this I ran into a problem.

I tried to set up an ISE authorization rule where I used the Network Access -> WasMachineAuthenticated attribute and user authentication with the result just "permit access" (no VLAN setting), but this results in the switch access VLAN being set up on the port (it does not keep the VLAN configured dynamically by the previous machine authentication/authorization).

And I did not find any way to check the computer's AD group membership during user authentication.

Can someone give any advice on how to achieve it?


Regards


Pavel

1 Accepted Solution


Mike.Cifelli
VIP Alumni
I assume you are/were originally onboarding endpoints via the built-in native supplicant for Windows machines? Please advise if this is incorrect. Some helpful info: In order to support both user + comp auth you need to utilize eap-chaining via eap-fast. This means you would need to utilize Cisco AnyConnect with the NAM module in order to accomplish that scenario. Using the NAM profile editor you can see how you can set up both computer & user auth. Then you can set up ISE authz conditions as you wish to drive network policy, but one of the main conditions you will want to utilize is 'NetworkAccess:EapChainingResult EQUALS (user/comp pass; user pass/comp fail; user fail, comp pass)'. I think most would agree that using NAM for eap-chaining purposes is more difficult than utilizing something like endpoint onboarding via eap-tls and native supplicant (from a Windows perspective). However, eap-chaining definitely has additional benefits. HTH!


4 Replies


Yes, you are assuming right - the customer currently utilizes the Windows native supplicant.

I will try to test the scenario with AC as the supplicant (NAM module) with chained authentication - thank you for the tip, but it is not relevant for the customer just now - I will have to discuss the possibility of changing/installing new software on the customer's PCs (AnyConnect).

Does anybody have some other idea how to achieve the goal with the Windows supplicant?

Thank you

I tested the chained EAP authentication using the AnyConnect NAM module and was able to achieve the goal - to have both computer and user authenticated and assign the VLAN according to the machine authentication.

hslai
Cisco Employee

As long as the desired VLAN differs from the one configured on the switch interface, each of the resulting authorization profiles should have the desired VLAN setting sent down from ISE to the switch. You can't rely on using the same session ID to keep the VLAN override.

AFAIK this is how it works on Cisco IOS or IOS-XE.
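The two points made in this thread - Mike.Cifelli's suggestion to key the ISE authorization rules on the EAP chaining result, and hslai's note that every authorization profile must itself carry the VLAN because the switch does not remember an override from an earlier Access-Accept - can be modelled in a few lines. The following is an added example written for this thread; it is a simulation, not ISE or IOS code. It models the authorization rule set as a Python function, encodes the profile as the standard RADIUS VLAN-assignment attributes from RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), and models the switch port as something that applies a VLAN only when those attributes are present in the latest Access-Accept. The AD group names, VLAN numbers and profile names are constructed values, and the EapChainingResult strings follow the wording in the accepted answer and should be checked against the ISE dictionary on your deployment.

```python
"""Simulation of ISE authorization profiles and switch-side VLAN handling.

Added example for the discussion above; not ISE, IOS or AnyConnect code.
RADIUS attribute numbers and values follow RFC 2868 / RFC 3580:
  Tunnel-Type (64)             = VLAN (13)
  Tunnel-Medium-Type (65)      = IEEE-802 (6)
  Tunnel-Private-Group-ID (81) = VLAN ID as a string
"""
from dataclasses import dataclass
from typing import Dict, Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Hypothetical mapping of machine AD group -> VLAN (constructed values).
GROUP_VLAN: Dict[str, int] = {"Finance-PCs": 110, "Engineering-PCs": 120}


@dataclass
class AuthzProfile:
    """An ISE-style authorization profile; vlan=None means plain 'permit access'."""
    name: str
    vlan: Optional[int] = None

    def radius_attributes(self) -> Dict[int, object]:
        """Attributes the Access-Accept for this profile would carry."""
        if self.vlan is None:
            return {}  # nothing about VLANs at all: this is the OP's failing case
        return {
            TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
            TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE802,
            TUNNEL_PRIVATE_GROUP_ID: str(self.vlan),
        }


def choose_profile(chaining_result: str, machine_group: Optional[str]) -> Optional[AuthzProfile]:
    """Authorization rules keyed on NetworkAccess:EapChainingResult (assumed values).

    With EAP chaining the machine identity is known during the user
    authentication, so the VLAN can still follow the machine's AD group
    while the user identity is recorded. Returns None for a reject.
    """
    vlan = GROUP_VLAN.get(machine_group or "")
    if chaining_result == "User and machine both succeeded" and vlan is not None:
        return AuthzProfile("Corp-" + str(machine_group), vlan=vlan)
    if chaining_result == "User failed and machine succeeded" and vlan is not None:
        return AuthzProfile("MachineOnly-" + str(machine_group), vlan=vlan)
    if chaining_result == "User succeeded and machine failed":
        return AuthzProfile("Unmanaged-Device", vlan=999)  # constructed quarantine VLAN
    return None


@dataclass
class SwitchPort:
    """Minimal model of an access port under 802.1X with dynamic VLAN assignment."""
    configured_access_vlan: int

    def __post_init__(self) -> None:
        self.current_vlan = self.configured_access_vlan

    def apply_access_accept(self, attrs: Dict[int, object]) -> int:
        """Apply a new Access-Accept; mirrors hslai's point that the override
        is only kept if *this* Access-Accept carries the tunnel attributes."""
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            self.current_vlan = int(str(attrs[TUNNEL_PRIVATE_GROUP_ID]))
        else:
            self.current_vlan = self.configured_access_vlan
        return self.current_vlan


def reproduce_thread() -> tuple:
    """Walk through the three situations discussed in the thread."""
    port = SwitchPort(configured_access_vlan=1)

    # 1. Machine authentication with a VLAN in the profile: port moves to 110.
    after_machine = port.apply_access_accept(
        AuthzProfile("Machine-Finance", vlan=110).radius_attributes())

    # 2. OP's attempt: user auth hits a 'permit access' profile with no VLAN,
    #    so the port falls back to the configured access VLAN.
    after_permit_only = port.apply_access_accept(AuthzProfile("PermitAccess").radius_attributes())

    # 3. EAP chaining: the rule sees both identities and the profile carries the VLAN.
    profile = choose_profile("User and machine both succeeded", "Finance-PCs")
    after_chained = port.apply_access_accept(profile.radius_attributes() if profile else {})

    return after_machine, after_permit_only, after_chained


if __name__ == "__main__":
    print(reproduce_thread())
```

The switch model deliberately does not carry the VLAN from one Access-Accept to the next, which is the behaviour hslai describes; the only way the user-authentication step keeps the port on the machine's VLAN is for its own authorization profile to send the tunnel attributes again.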