Solved: Re: Using VLAN or IP Subnet as condition in Authz Policy

rroulhac · ‎06-02-2017

Hello All,

IS there any way for us to use a VLAN or IP Subnet as a condition that would cause us to hit an Authz Policy?

It seems that some level of access ould have to be given initially so that the user could be placed in a vlan and get an IP address but once that is done can we then use that info to filter that user and force them to hit an authorization policy to then be given a specific authorization profile.

--

Grace and Peace,

Robert E Roulhac Jr

ldanny · ‎06-03-2017

Hi,

For Address space conditions see "Network Conditions" on the left of the snap shot

For Vlans you can use the following radius attributes as conditions:

Tunnel-Medium-Type

Tunnel-Pvt-Group-ID

Tunnel-Type

Hope this helps

View solution in original post

ldanny · ‎06-03-2017

Hi,

For Address space conditions see "Network Conditions" on the left of the snap shot

For Vlans you can use the following radius attributes as conditions:

Tunnel-Medium-Type

Tunnel-Pvt-Group-ID

Tunnel-Type

Hope this helps

umahar · ‎06-05-2017

By default Radius requests wont sent the below attributes

Tunnel-Medium-Type

Tunnel-Pvt-Group-ID

Tunnel-Type

This is supported in IBNS 2.0 and VLAN attributes are present in Radius Requests.

I have tested it and it works well.

Please see below link

Re: Send VLAN in Radius Request Packet to make Policies on ISE based on VLAN