Configure 802.1X and Dynamic VLAN in Cisco 9300 Switches

cooperrocks78
Level 1

We currently have Cisco 9300 switches and the devices connect via 802.1X authentication. How can I configure Cisco switches so that users can connect their laptops and it will put them in the correct VLAN automatically with 802.1X authentication? I did some research online and the only option is VMPS, but it is not compatible with Cisco 9300 switches. Are there any other options, or is there a separate device we can purchase? Thank you.

9 Replies

SDhaliwal
Level 1

You could use the Cisco ISE authorization profile feature to dynamically assign VLANs as hosts or users authenticate.

Do you have an AAA server?

cooperrocks78
Level 1

Yes, we have a RADIUS server for AAA.  

cooperrocks78
Level 1

What would the difference in configuration be on the Cisco side to allow users to connect on any port and have it put them in the correct VLAN? On the NPS side, I am assuming I add each VLAN to a separate network policy and point it to an AD group. This is what my current 802.1x config looks like:

description ***USER/DATA 8021x***
switchport access vlan 10
switchport mode access
switchport voice vlan 60
authentication control-direction in
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
spanning-tree portfast

Not all PCs connected to the port will get the same VLAN, but each PC can get a different VLAN?

cooperrocks78
Level 1

Correct. How would we accomplish this with RADIUS on an NPS server? What would the config look like?

Will check and update you by tomorrow at the latest.

The port configuration remains the same, but the global configuration needs to have the "aaa authorization network <...>" command included.

If the RADIUS server sends in the Access-Accept response the name or id of the vlan (as cisco-avpair attributes), the device will be put into the referenced vlan.
If the RADIUS server doesn't send this in the response packet, the device will be put into whatever is default configured on the port.

There's some decent information in Cisco's guides regarding this, for example this one, with the radius attributes required mentioned there as well.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3650/sec-user-8021x-xe-3se-3650-book/sec-ieee-8021x-vlan-assign.html

I've seen a few blogs describing this for NPS as well, but I don't have any links at hand right now.

Now, depending on how big your environment is, and if you're starting to go into advanced 802.1x config like dynamic vlan assignment, I highly recommend looking into Cisco ISE as a part of the 802.1x deployment.
If nothing else, troubleshooting 802.1x authentications in ISE is a lot easier than doing so in NPS.
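As an added example (not from the thread or from Cisco's documentation), this is what the global IOS-XE configuration the reply above refers to looks like on a Catalyst 9300, with the per-port configuration left exactly as the poster already has it. The RADIUS server name, its address, the shared secret and the VLAN names are assumed placeholders:

```cisco
! Added example: global 802.1X / RADIUS configuration for dynamic VLAN
! assignment on IOS-XE (Catalyst 9300). Server name, address, key and
! VLAN names are assumed placeholders; the per-port config is unchanged.
aaa new-model
!
! Authenticate 802.1X / MAB sessions against the RADIUS group...
aaa authentication dot1x default group radius
! ...and apply the authorization attributes (including the VLAN) carried
! in the Access-Accept. Without this line the switch ignores the Tunnel-*
! attributes and the port stays in its configured access VLAN.
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server NPS-01
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Enable 802.1X globally; the per-port "authentication port-control auto"
! has no effect until this is set.
dot1x system-auth-control
!
! Every VLAN the RADIUS server may assign must already exist on the switch.
vlan 10
 name USERS
vlan 20
 name FINANCE
!
! The NPS network policy for each AD group must return (RFC 3580):
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = <VLAN ID or VLAN name, e.g. 20 or FINANCE>
! If these three attributes are missing from the Access-Accept, the
! session lands in the VLAN configured on the port (VLAN 10 here).
```

To confirm what a given session actually received, "show authentication sessions interface GigabitEthernet1/0/1 details" lists the authenticating server and the VLAN assigned to the session; a session sitting in the port's default VLAN after a successful authentication usually means the network policy is not returning the three tunnel attributes or the named VLAN does not exist on the switch.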

 
