Vlan ID in authorisation template from a network device attribute.

jpujol · ‎12-19-2018

Hi,

Does anybody know if it is possible to return in an authorisation template a VLAN number which would be taken from any particular network device attribute ?

A large deployment is on hold because the customer is using VTP (!) and that requires to specify the correct vlanID per switch (without having a dedicated policy entry per switch).

I made a try by creating a custom group hierarchy with the vlanID as the group name, but it doesn't help because the complete group hierarchy (including # # # ...) is returned instead of the latest value only :

what I tested : Tunnel-Private-Group-ID = 1:DEVICE:Data_Vlan

Is there another custom attribute attached to a network device I could use for that purpose ? (to store the VlanID only)

Thanks in advance,

Jean-Francois

hslai · ‎12-19-2018

This VLAN attribute may take values other than a numeric ID. Examples are VLAN names and VLAN group names. This way, we may use the same text string which translates to different VLAN IDs on the switches.

If you have to use a custom attribute, then no, ISE does not take it from a NAD. Instead, you would need another means; e.g. add a custom attribute for endpoints.

jpujol · ‎12-20-2018

Hi,

With the use of VTP, all vlans are presents on all switches, and the vlan name cannot be localised per switch.

Anyway, the vlan name is defined on the switch, so that requires a configuration change on every switch.

I was looking for a way to centralise this by using an attribute in ISE instead of something configured on the switch.

There is a way to do it by defining a policy rule per switch, but the size of policy table explodes in that case ...

Thanks anyway ...

hslai · ‎12-21-2018

Consider VLAN Groups, perhaps. See What is the purpose of "vlan group"? - 28500 - The Cisco Learning Network