02-01-2016 09:02 AM
Dear Colleagues,
We have an opportunity in the UK Public Sector where the customer wishes to “lease” parts of its switch stacks (some ports on their switch stacks) to another government organization.
Ideally they would use their own ISE deployments if it were possible. However, as far as I know, we can only have a single RADIUS server group configured per switch (stack) for 802.1X. I have read the IBNS 2.0 document as well, and seemingly, even with its great complexity and flexibility, it is not possible to have different RADIUS groups used in different port policies.
The questions are:
Any help would be highly appreciated.
Best regards,
Istvan
Istvan Segyik
Escalations Engineer, Security
CCIE Security #47531
Global Virtual Engineering
WW Partner Organization
Cisco Systems, Inc
Email: isegyik@cisco.com
Work: +36 1 2254604
Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)
02-01-2016 02:17 PM
Istvan, with IBNS 2.0 it is possible, though I personally have not tested around that use case, so I am answering with reserve here. I recommend testing this out to make sure it works as expected. Also, to get a better answer on the switching features, I suggest hitting up Enterprise Networks as well.
With that in mind, when using IBNS 2.0 one can define multiple named server lists for different RADIUS servers. For instance, one can define a set of RADIUS servers for city-hall and another set for court-room. Once the named server lists are created, they can be used in the AAA definition and interface templates. Once separate interface templates have been created, one can apply them to separate interface groups. The following example shows the relevant configuration needed to get you started (this configuration is by no means complete):
aaa authentication dot1x CITY-HALL group CITY-HALL
aaa authentication dot1x COURT-ROOM group COURT-ROOM
aaa authorization network CITY-HALL group CITY-HALL
aaa authorization network COURT-ROOM group COURT-ROOM
!
dot1x system-auth-control
!
aaa group server radius CITY-HALL
 server name ISE01
!
aaa group server radius COURT-ROOM
 server name ISE02
!
policy-map type control subscriber COURT-ROOM
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x aaa authc-list COURT-ROOM priority 10
   20 authenticate using mab aaa authc-list COURT-ROOM priority 20
!
policy-map type control subscriber CITY-HALL
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x aaa authc-list CITY-HALL priority 10
   20 authenticate using mab aaa authc-list CITY-HALL priority 20
!
interface GigabitEthernet x/y/z
 description CITY-HALL Enabled Ports
 switchport access vlan 110
 switchport mode access
 switchport voice vlan 111
 access-session host-mode multi-domain
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber CITY-HALL
 access-session port-control auto
!
interface GigabitEthernet a/b/c
 description COURT-ROOM Enabled Ports
 switchport access vlan 210
 switchport mode access
 switchport voice vlan 211
 access-session host-mode multi-domain
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber COURT-ROOM
 access-session port-control auto
!
radius server ISE01
 address ipv4 x.x.x.x
 key xxxxx
!
radius server ISE02
 address ipv4 x.x.x.x
 key xxxxx
!
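The point of the reply above is that isolation between the two tenants rests on a chain of names: port -> policy-map -> authc-list -> server group. Before a leased port goes live it is worth checking that chain mechanically, so here is a small config linter written for this thread (not Cisco's or the poster's code) that walks it from a saved running-config and reports any tenant port whose sessions could be authenticated by the other tenant's ISE or by an undefined name. The config it parses is a constructed, trimmed copy of the one above with one port deliberately mis-wired; the group, policy and interface names are the thread's own.

```python
import re
# Constructed sample, trimmed from the IBNS 2.0 config in the reply above; GigabitEthernet1/0/3 is deliberately mis-wired: a COURT-ROOM tenant port carrying the CITY-HALL policy (ISE01, not ISE02).
CONFIG = """\
aaa authentication dot1x CITY-HALL group CITY-HALL
aaa authentication dot1x COURT-ROOM group COURT-ROOM
aaa group server radius CITY-HALL
 server name ISE01
aaa group server radius COURT-ROOM
 server name ISE02
policy-map type control subscriber COURT-ROOM
 event session-started match-all
   10 authenticate using dot1x aaa authc-list COURT-ROOM priority 10
policy-map type control subscriber CITY-HALL
 event session-started match-all
   10 authenticate using dot1x aaa authc-list CITY-HALL priority 10
interface GigabitEthernet1/0/1
 service-policy type control subscriber CITY-HALL
interface GigabitEthernet1/0/2
 service-policy type control subscriber COURT-ROOM
interface GigabitEthernet1/0/3
 service-policy type control subscriber CITY-HALL
"""
def parse(config):
    """Return (aaa dot1x list -> server group, defined groups, policy-map -> authc lists, port -> policy-map)."""
    lists, groups, policies, ports, cur = {}, set(), {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if line.startswith(" "):  # indented sub-command of the current policy-map or interface
            if cur and (m := re.search(r"aaa authc-list (\S+)", s)):
                policies.setdefault(cur, set()).add(m[1])
            elif cur and (m := re.match(r"service-policy type control subscriber (\S+)", s)):
                ports[cur] = m[1]
        elif m := re.match(r"aaa authentication dot1x (\S+) group (\S+)", s):
            lists[m[1]], cur = m[2], None
        elif m := re.match(r"aaa group server radius (\S+)", s):
            groups.add(m[1]); cur = None
        else:  # only policy-maps and interfaces open a section whose sub-commands we follow
            cur = m[1] if (m := re.match(r"(?:policy-map type control subscriber|interface) (\S+)", s)) else None
    return lists, groups, policies, ports

def groups_reached_by_port(config):
    """Port -> RADIUS groups its policy can reach; unresolved names stay as 'undefined:...' so they get flagged."""
    lists, groups, policies, ports = parse(config)
    resolve = lambda pmap: {lists.get(l, f"list:{l}") for l in policies.get(pmap, {f"policy:{pmap}"})}
    return {port: {g if g in groups else f"undefined:{g}" for g in resolve(pmap)} for port, pmap in ports.items()}

def check_isolation(config, tenant_group):
    """tenant_group = {port: the one group that tenant may reach}; returns ports that can reach anything else."""
    reached = groups_reached_by_port(config)
    return sorted(p for p, g in tenant_group.items() if reached.get(p, {"no-policy"}) - {g})
```

Run `check_isolation(CONFIG, {...})` with the intended port-to-tenant map; on the sample it returns `['GigabitEthernet1/0/3']`, and a port that is missing from the config or has no `service-policy` is reported too, since an unprotected leased port is as much a problem as a mis-pointed one.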