NAC L2 802.1X and vlan assignment

benjaminhill · ‎08-05-2006

I would like to know if I am understanding the vlan assignment in NAC L2 802.1X correctly.

As i understand it, once a client has been assigned a "healthy" posture token, they will be put in the "healthy" vlan. Does this mean that every "healthy" user on the same Layer 2 switch has to be in the same VLAN?

For argument sake, lets I have 3 departmental vlans on my switch (besides the normal NAC vlans: Healthy, Transition, Quarantine etc...)

VLAN 10: Finance

VLAN 20: Engineering

VLAN 30: Admin

Once a client has been posture-validated, assigned a "healthy" token, and pushed into the "Healthy" vlan, can they still be assigned to the correct departmental vlan?

benjaminhill · ‎08-06-2006

It would seem there is a simple solution to this. Just configure ACS not to send av-pair 81 (VLAN ID) if the "healthy" posture token is granted. That way the port remains in the VLAN for which it is statically configured.

I imagine another solution would be to configure per-group "Healthy" RAC's.

jafrazie · ‎08-07-2006

Exactly. The architecture should be comletely flexible in this regard. If you don't need to do VLAN assignment for "healthy machines" (or any others for that matter), don't enable it ;-).

You should be able to do virtually any combination as a matter of configured policy. Here's an example:

No VLAN (just assume what's configured on the port)

VLAN 10: Finance

VLAN 11: Finance-Healthy

VLAN 12: Finance-Quarantine

VLAN 20: Engineering

VLAN 21: Engineering-Healthy

VLAN 22: Engineering-Quarantine

VLAN 30: Admin

VLAN 31: Admin-Healthy

VLAN 32: Admin-Quarantine

VLAN 40: Healthy

VLAN 50: Quarantine

You may NOT want to do VLAN assignment at all (for example) if you plan on the majority of your infrastructure being classified as healthy at least most of this time, and/or that you may not be ready yet to split up subnets by dept. (from the preceeding example).

Hope this helps,

benjaminhill · ‎08-08-2006

Thanks.