Apologies if this is in the wrong location. I work in the public sector and so our user base is pretty big. Currently we use locally significant VLANs per switch cabinet with port-channel uplinks to the Distribution layer. We are thinking about implementing 802.1x with dynamic VLAN assignment with a Microsoft NPS RADIUS server. This seems fairly straightforward for the most part, from what I have read.
For those in the know, is dynamic VLAN assignment based on differing AD groups, such that we will need to limit our 1,000s of staff into smaller manageable AD groups of up to 250 people (on a /24 subnet)?
Given the mobility era, most people now have Laptops and office moves occur often and sometimes we are unaware they occur.
Is it possible to just query the machine-based authentication and somehow magically assign the relevant VLAN for that locally significant switch? The only other idea I had would be to have multiple RADIUS servers, in order to assign the specific VLANs to the relevant switches... this would not be practical :(
Suggestions, ideas, knowledge, solutions... thanks in advance.
If all your users belong to the same security group and can therefore be placed in any subnet, providing it has consistent access, then don't worry about VLAN assignment. Just use 802.1x to authenticate the user; if you don't try pushing a VLAN ID to the switchport, the switch will just use whatever is currently configured as the access VLAN, in your case one which is locally significant.
Thanks for the reply, unfortunately, it is not that easy. Each building/floor will have multiple tenants: some will be our internal staff, some will be staff on a different domain (that we control), some will be external staff from other public sectors that we have dedicated links between, and others will be other public sector visitors that we don't have links between, but we will provide a "Guest" service with Internet only. (So I guess they won't belong to the same security group.)
Given the diverse and "Agile" nature that we have, people moving often and hot desking, I was looking to assign a dynamic VLAN ID, but in a way that also keeps switch VLANs locally significant.
Is this possible?
What you want to achieve is possible with NPS and we have customers using it. If you are doing this for cabled users, the switch will become a RADIUS client within NPS.
In some ways the VLANs are largely irrelevant to NPS; all it is is a response in a RADIUS attribute that the switch will apply to the port. As long as the VLAN you respond with exists on the switch, it will be applied and work correctly.
The only caveat of the above is that whatever your NPS server responds with must exist on all switches that a user may connect to, to authenticate on the network.
I think the problem you are discovering is that dynamic VLAN assignment isn’t really that dynamic.
What you need to add to the mix is a NAC solution like ACS or preferably ISE.
This would allow you to define rules which would look at an authenticated user, and have additional sub conditions such as which switch the user was being authenticated on.
So you could have something like:
If (user exists and authenticated from domain A) and (switch belongs to group building_A_floor1) then assign VLAN 2
If (user exists and authenticated from domain A) and (switch belongs to group building_A_floor2) then assign VLAN 3
If (user exists and authenticated from domain B) and (switch belongs to group building_A_floor1) then assign VLAN 22
If (user exists and authenticated from domain B) and (switch belongs to group building_A_floor2) then assign VLAN 23
This should give you the fine control you require; however, it could become quite onerous to keep the ruleset correct as you scale it up.
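To make the rule shape above concrete, here is an added example (not the thread's own NPS or ISE configuration) that evaluates "(user's domain, switch group) -> VLAN" rules and returns the RADIUS tunnel attributes a switch expects, plus a pre-deployment check for the earlier caveat that a pushed VLAN must exist on every switch in that group. Switch addresses, groups and VLAN numbers are constructed for illustration.

```python
# Added example (not the thread's own config): (domain, switch group) -> VLAN
# rule evaluation returning the RADIUS attributes a switch expects, plus a
# check for the "VLAN must exist on every switch" caveat. Values constructed.
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type = IEEE-802

# Constructed inventory: RADIUS client (switch) address -> switch group.
SWITCH_GROUPS = {
    "10.0.1.10": "building_A_floor1",
    "10.0.2.10": "building_A_floor2",
}
# Constructed VLAN database of each switch, for the consistency check only.
SWITCH_VLANS = {
    "10.0.1.10": {2, 22, 99},
    "10.0.2.10": {3, 99},  # VLAN 23 deliberately absent to show the check
}
# The rule table from the post: (user's domain, switch group) -> VLAN.
RULES = {
    ("A", "building_A_floor1"): 2,
    ("A", "building_A_floor2"): 3,
    ("B", "building_A_floor1"): 22,
    ("B", "building_A_floor2"): 23,
}

def assign_vlan(domain, nas_ip, authenticated):
    """RADIUS decision for one request: ("Access-Reject", {}) on failed auth,
    else ("Access-Accept", attrs). attrs is empty when no rule matches, so the
    switch keeps its locally configured access VLAN instead."""
    if not authenticated:
        return ("Access-Reject", {})
    vlan = RULES.get((domain, SWITCH_GROUPS.get(nas_ip)))
    if vlan is None:
        return ("Access-Accept", {})
    return ("Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan),  # carried as a string
    })

def missing_vlans():
    """(switch, vlan) pairs a rule could push to a switch that lacks the VLAN."""
    gaps = set()
    for nas_ip, group in SWITCH_GROUPS.items():
        for (_, rule_group), vlan in RULES.items():
            if rule_group == group and vlan not in SWITCH_VLANS[nas_ip]:
                gaps.add((nas_ip, vlan))
    return sorted(gaps)
```

Running `missing_vlans()` against the real switch inventory before enabling the rules is the cheap way to catch the "VLAN not defined on that switch" failure before a user hits it.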