Radius Proxy - Restricting Dynamic VLAN Assignment

KatherineTran
Level 1

Hi All,

When relying on an external proxy server for the return VLAN (as they have the identity information for the authorisation policy) is there any way we can define on ISE what VLANs they are actually allowed to return?


I think this could be a security issue if we are trusting external proxy servers to return dynamic VLAN information. Any idea?

Kind Regards

KT


3 Replies

Greg Gibbs
Cisco Employee

The only option I can think of that might work would be to enable the "On Access-Accept, continue to Authorization Policy" option in your RADIUS Server Sequence > Advanced Attribute Settings to let ISE perform Authorization.
You would then create AuthZ Policies with a matching condition like 'Radius:Tunnel-Private-Group-ID EQUALS <id/name>' with a resulting AuthZ Profile that sends the same VLAN in the response. If none of the defined AuthZ Policies in ISE are matched, it will respond with an Access-Reject.

I don't know if this will work, so you would need to test it in your environment.
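The check Greg describes, an allowlist applied to the VLAN an external RADIUS server hands back before it is forwarded to the switch, can be modelled outside ISE to see what it has to do. The following is an added example, not Cisco/ISE code and not from anyone in this thread: it parses the attribute section of a constructed Access-Accept, extracts Tunnel-Private-Group-ID (type 81), strips the RFC 2868 tag byte that makes it a tagged attribute (the point hslai raises below), and accepts only when exactly one VLAN is returned and it is on the allowlist. The sample reply bytes and the allowlist are constructed for the demonstration.

```python
import struct

# RADIUS attribute types used for dynamic VLAN assignment (RFC 2868)
TUNNEL_TYPE = 64              # 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN id or name


def parse_attributes(data: bytes):
    """Walk the RADIUS AVP list (type, length, value...) and return [(type, value), ...].

    Raises ValueError on a truncated or self-inconsistent attribute, which a
    proxy should treat as a reject rather than guess at.
    """
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def tunnel_group_id(value: bytes) -> str:
    """Decode Tunnel-Private-Group-ID, dropping the RFC 2868 tag byte.

    Tags are 0x01..0x1F; 0x00 means untagged and anything above 0x1F is the
    first byte of the string itself, so only a leading byte <= 0x1F is removed.
    """
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("utf-8")


def filter_vlan(attrs, allowed):
    """Return ('accept', vlan) or ('reject', reason) for a proxied Access-Accept.

    'allowed' is the set of VLANs the external server is permitted to assign
    (the allowlist ISE policies would encode as Radius:Tunnel-Private-Group-ID
    EQUALS <id/name> conditions). Anything else becomes a reject.
    """
    vlans = [tunnel_group_id(v) for t, v in attrs if t == TUNNEL_PRIVATE_GROUP_ID]
    if not vlans:
        return ("reject", "no VLAN returned")
    if len(vlans) > 1:
        return ("reject", "multiple VLANs returned")
    vlan = vlans[0]
    if vlan not in allowed:
        return ("reject", f"VLAN {vlan} not in allowlist")
    return ("accept", vlan)


def build_tagged_attr(attr_type: int, tag: int, value: bytes) -> bytes:
    """Encode one tagged attribute: type, length, tag byte, value."""
    payload = bytes([tag]) + value
    return bytes([attr_type, len(payload) + 2]) + payload


def build_untagged_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one plain (untagged) attribute: type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed sample: the attribute section of an Access-Accept that assigns
# VLAN 100 using tag 1 on all three tunnel attributes, as a switch expects.
SAMPLE_ACCEPT = (
    build_tagged_attr(TUNNEL_TYPE, 1, (13).to_bytes(3, "big"))
    + build_tagged_attr(TUNNEL_MEDIUM_TYPE, 1, (6).to_bytes(3, "big"))
    + build_tagged_attr(TUNNEL_PRIVATE_GROUP_ID, 1, b"100")
)

# Constructed allowlist: the only VLANs the external server may hand out.
ALLOWED_VLANS = {"100", "200"}


def check_reply(reply: bytes, allowed=frozenset(ALLOWED_VLANS)):
    """Parse and filter in one step; a malformed reply is rejected, not accepted."""
    try:
        return filter_vlan(parse_attributes(reply), allowed)
    except ValueError as exc:
        return ("reject", f"malformed reply: {exc}")


if __name__ == "__main__":
    print(check_reply(SAMPLE_ACCEPT))
    print(check_reply(build_untagged_attr(TUNNEL_PRIVATE_GROUP_ID, b"999")))
```

Two design points carry over to the real deployment: the decision is taken on the decoded VLAN, so a tagged and an untagged Tunnel-Private-Group-ID carrying the same value are treated alike, and a reply that is malformed or carries no VLAN at all is a reject rather than a pass-through.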


Thanks for the response. Unfortunately, we need the authorisation policy to be returned by the external RADIUS server as it has the identity information. From my googling - I don't think it's possible on ISE!

hslai
Cisco Employee

@KatherineTran, You are correct. VLAN is a tagged attribute and that is not being handled by what Greg described.