Radius distant site

Teayuu
Level 1

Hi,

I'm working on a Windows RADIUS server.

The RADIUS server authenticates by computer name and MAC address so they get a specific VLAN.

Let's take an example:

I authenticate by computer name, so I get VLAN 2.

If I need to go to a distant site it will still get VLAN 2, but I want the computer to get the VLAN from the distant site.

Is it possible?

If yes, then which policy do I need to configure?

Thank you for your attention.

Accepted Solution

Hello, thank you for your answer.

So I did a new network policy, using the name of the client (in my situation it's a switch), then it worked.

Example: if the request is from switch A and it's a computer in the AD group, then assign VLAN A;

if the request is from switch B and it's a computer in the AD group, then assign VLAN B.

paul
Level 10

You can either create rules based on network device or location names:

  1. If Location A then VLAN X.
  2. If Location B then VLAN Y.

That doesn't scale well. The better solution is to use a consistent VLAN naming scheme and pass the VLAN name, not the VLAN #.

  1. Location A has VLAN 2 named "Data".
  2. Location B has VLAN 20 named "Data".
  3. ISE result assigns VLAN "Data".

This allows the user to fall onto the correct VLAN no matter the location.

That solution works, but doesn't scale well if you have many sites. You are better off using a standardized VLAN naming scheme and passing the VLAN name instead of the #. Glad you got a solution that works.
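
The VLAN-name approach recommended in the replies above, as an added example that is not part of any post in the thread: it encodes the three Access-Accept attributes used for dynamic VLAN assignment (attribute numbers from RFC 2868 / RFC 3580) and shows how the same reply resolves to a different VLAN number at each site. The two site tables are constructed from the numbers in the thread, and refusing an unknown VLAN is this model's assumption about switch behaviour.

```python
import struct

# RADIUS attribute types and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def vlan_attributes(group_id: str) -> bytes:
    """Encode the three Access-Accept attributes for dynamic VLAN assignment."""
    def tagged_int(attr_type: int, value: int) -> bytes:
        # Type, Length=6, Tag=0, then a 3-byte value.
        return struct.pack("!BBB", attr_type, 6, 0) + value.to_bytes(3, "big")
    gid = group_id.encode("ascii")  # first byte > 0x1F, so it is sent untagged
    return (tagged_int(TUNNEL_TYPE, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)) + gid)


def parse_group_id(attrs: bytes) -> str:
    """Walk the TLVs as a switch would and return the Tunnel-Private-Group-ID."""
    i = 0
    while i + 2 <= len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            return attrs[i + 2:i + length].decode("ascii")
        i += length
    raise ValueError("no Tunnel-Private-Group-ID")


def resolve_vlan(local_vlans: dict, attrs: bytes) -> int:
    """Map the received group ID to a local VLAN number; refuse unknown values."""
    gid = parse_group_id(attrs)
    if gid.isdigit():                 # number sent: identical at every site
        if int(gid) in local_vlans.values():
            return int(gid)
    elif gid in local_vlans:          # name sent: each site looks up its own number
        return local_vlans[gid]
    # Assumption of this model: an undefined VLAN means no port authorization.
    raise LookupError(f"VLAN {gid!r} not defined on this switch")


# Constructed VLAN databases for the two locations described in the thread.
SITE_A = {"Data": 2}
SITE_B = {"Data": 20}
```

With one policy returning "Data", `resolve_vlan` gives 2 at site A and 20 at site B, while a policy returning "2" only resolves where VLAN 2 exists.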