cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3254
Views
10
Helpful
11
Replies

WLC+ISE dynamic VLAN and mDNS

newfabcom
Level 1
Level 1

Hi, I am using ISE to assign VLAN dynamically based on user login.

I can get the IP part working, but i also need to have the multicast on that specific vlan working.

it seems like even though i am on the specified vlan, the multicast stays on whatever interface is selected in WLAN setting.

 

Is there any way to get the multicast to also be dynamically switched?

 

your help will be appreciated.

1 Accepted Solution

Accepted Solutions

Honestly, I got you that you want to add the services dynamically to right mdns group.
Not sure if you can accomplish that, usually we setup them and do the client dynamic to groups based on authentication.

On ISE, there's nothing more you can do. On WLC, I don't see anything that can do that automatically.
Maybe you can raise a case to TAC or if you're a Cisco partner to PDI Helpdesk or Partner Help Line.

sorry about that.
Maybe someone else on the forum can give you an answer regarding that specific case.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

11 Replies 11

Francesco Molino
VIP Alumni
VIP Alumni

Hi

 

You're talking about mdns I guess.

IF so, yes there's a way:

cisco-av-pair=role=test
cisco-av-pair=mDns-profile-name=mdns_profile_tes

 

--> In italic what you need to adapt on your side.

Here also a video that can help you:

http://www.labminutes.com/wl0024_wlc_mdns_profile_policy_1

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, very helpful. and yes I am talking about mDNS.

 

so is there a way to configure this so that i don't have to add the mac address of the devices manually? let say marketing gets a new printer, and i want them to be able to plug it in their vlan and start using it as long as they stay in their vlan?

I used to have a wlan for every vlan, and when any vlan got a new device, they could just plug it in and start using it. but i need to trim that down to only a couple wlans and have ISE do that. 

Is there a way to show the bonjour devices on that vlan and only the devices from that vlan?

The thing is to authorize an unknown device to be connected you should have a rule for that. 

You can't use rules based on profiling group as it seems you gonna have multiple type of devices (printer, airplay devices,...)

 

Now a quick question for you. If we take your example of marketing devices. Are all marketing users connected on the same switch or multiple switch?

Are you allowing every type of devices to be connected on their vlan?

 

I hope you're doing such exception only for marketing guys.

If they're connected to the same switch, you can create a policy-set dedicated for them or a rule by checking the nas ip and have an authorization profile pushed that will put their devices into their vlan. 

 

This means that if they take their devices and connect then on non marketing switch, the device will be denied if not a specific rule to allow them on the network.

 

Is that clear?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, we do have policies in place for the network, once a devices is onboarded, I want to let the users be able to bring airplay speakers, airplay projectors/apple tvs, and printers as they wish.

 

they are all connected to the same switch on vlan groups per department. we allow them to take their projectors to different departments/vlans as they wish. I am allowing them to join any BYOD device they wish.

 

I can push them in their own vlan by user group, and that works, but the Mdns does not change dynamically. I use a authorization profile with Airespace-Interface-Name = marketingnetwork

why wouldn't that include the Mdns? if i create a wlan with that interface, it will show all the bonjour devices. 

 

 

 

Ok sorry but i missed a step here.

 

You were talking to allow users to bring their devices on your previous post.

You're doing byod for their devices, you mean ISE byod process with certificates? But printer can't be enrolled that way.

 

Anyway, for mdns, I gave you radius attributes to be push in your user authorization profile. Have you tested them?

 

They're working because I'm using it on my different customers deployment and the last one was a university.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Do you mean these radius attributes?

cisco-av-pair=role=test
cisco-av-pair=mDns-profile-name=mdns_profile_tes

 

Don't I have to manually add the airplay devices via mac address in the WLC when i use this?

 

when I add Airespace-Interface-Name = marketingnetwork to the authorization profile, the devices in the marketing group will be on the Marketing vlan. everything is in their vlan except for all their bonjour devices. why arent their bonjour devices from their vlan there? 

 

Sorry if I'm asking the same question over. if you already explained it, could you be a bit more clear. seems like you are steps above me.

Ok let's recap because you lost me.

 

You were asking how to push the right mdns and now you're asking how to allow connection of any devices on each user vlans.

 

I'm a bit lost because if you're using ISE is to manage what device can connect to the network. With your request, you would like to allow any type of devices (printers, apple tv, ...) for a user in its vlan. Am I right?

 

If you have specific types of devices, then you can create rules based on profiling policies. on these rules, you can check what NAD is requesting the authentication and then based on that push an authorization profile giving the vlan id.

 

What you can do also (it's not the standard process but a workaround) is leverage mydevice portal.

Let's say, each user from your company can access this portal and add their devices (non corporate).

On ISE endpoint database, for those devices, you have an attribute (Endpoint attribute) called PortalUser. The value of this attribute is the username of the person who added that device. You can create 1 local account per service and each service needs to add this device using that account. Then based on that you can push an authz profile with the right vlan. (tested it myself for a specific use case few months ago).

 

There's an another attribute PortalUser.CreationType which corresponds to user group membership. However it's not available on endpoint dictionary to build a condition rule based on that. You can test by creating it on Endpoint dictionary (You won't be able to create it directly by going on system dictionary.)

You can go to Administration/Identity Management/Settings and then into Endpoint Custom attributes. Create custom attributes using the same name and type string. You can test it (never tested myself). If that works, you can be able to see the group membership and base your authz profile on that attribute (if works no need to have a generic account like said previously).

 

Last option I see: You can create 1 mydevice portal per service. On each portal, you can chose the identity group on which devices added will belongs to and using a different fqdn. Example: 1 device for marketing where fqdn will be marketing.test.com and devices added through it will be placed in a group called Marketing. Then use that group to make your conditions and push the right authz profile. With that solution, any users can authenticate on any portals and they can make mistake. A marketing guy will be able to connect on finance portal let's say. There is a way to block that, not natively but not easy to explain. Short story is to add your own ISE as radius external server. If interested, I can make some screenshot and share with you (using it every time).

 

Except that, there is no other way to know which device belongs to which user if there's no enrolment using BYOD ISE process.

 

Is that clear?

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, first of all, i want to thank you for your time and this has been very helpful with identifying devices and having them on the correct vlan. It cleared up some issues i have been having about allowing any device on each user's vlan.

I will clarify more what I am really having a problem with. I am still asking how to push to the right Mdns.

 

I am able to dynamically push the users in their correct vlan. so that aside...

The problem is, while everything gets pushed to the marketing vlan, the Mdns devices do not! I can only see the Mdns devices that are in the vlan of the interface that is selected in the wlan (see attached screenshot)

 

I have tried your solution with adding this to the authorization profile

cisco-av-pair=role=test
cisco-av-pair=mDns-profile-name=mdns_profile_tes

 

and that works too, but i dont like that I have to log into the wireless controller, find the appleTVs and add them to a profile. I wish the Airespace-Interface-Name = marketing that pushes the devices in the marketing vlan would also push the Mdns devices in the marketing vlan.

 

here is what we have been doing in the past:

 

vlan10 had a wlan10 tied to interface with vlan10 tagging, so all we had to do was be in the same vlan and we were able to see all the computers plus whatever airplay, printers, or appleTVs we joined to wlan10. the problem is we overcrowded the airspace with too many wlans and things went south, plus we need more than the recommended wlan limit. so now we started using ISE with 2 wlans to push all the devices on their specified vlan (via airespace-Interface-name with vlan tagging) based on AD user group. That works well, but the Mdns doesnt get pushed to the specified interface for some reason.

 

Ok gotcha. How did you configured mdns on your interface (the one you're pushing) ?

When the device authenticates, in which mdns group is it attached to? Default?

Never tested that way.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, 

I right now the Mdns profiling or snooping isnt on, as soon as I enable that, I either have to manually add the devices via mac address to a profile and then push that profile, or all the devices are on all the clients on the network. I would like to avoid both cases, i would like the Mdns devices to stay on the specified vlan, just like all the other devices.

 

when a device authenticates to the network, I can get it to be in whatever mdns group i specify, like you showed me, but I do not want to have to do it manually, i simply want it to show the devices that are in that vlan.

could I accomplish that with using dynamic vlan and flexconnect.

Honestly, I got you that you want to add the services dynamically to right mdns group.
Not sure if you can accomplish that, usually we setup them and do the client dynamic to groups based on authentication.

On ISE, there's nothing more you can do. On WLC, I don't see anything that can do that automatically.
Maybe you can raise a case to TAC or if you're a Cisco partner to PDI Helpdesk or Partner Help Line.

sorry about that.
Maybe someone else on the forum can give you an answer regarding that specific case.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question