Cisco ISE Vlan Assignment

san.atnur
Level 1

Hello Friends, I have been researching VLAN assignment in Local Web Auth for quite a long period of time, but all the Cisco docs say that switches don't support VLAN assignment in LWA. Is that so? Can it be done locally, or do they not support VLAN assignment at all? Please guide me on whether there is a way or not. Please do discuss; I really want to enhance my knowledge and dig deeper into it.

Regards,

Santosh Atnur

6 Replies

aqjaved
Level 3
The concept of central web authentication is opposed to local web authentication, which is the usual web authentication on the switch itself. In that system, upon dot1x/MAB failure, the switch will fail over to the webauth profile and will redirect client traffic to a web page on the switch.

Central web authentication offers the possibility to have a central device that acts as a web portal (here the ISE). The major difference compared to the usual local web authentication is that it is shifted to Layer 2 along with MAC/dot1x authentication. The concept also differs in that the RADIUS server (ISE here) returns special attributes that indicate to the switch that a web redirection must occur. This solution has the advantage of eliminating any delay that was necessary for web authentication to kick in. Globally, if the MAC address of the client station is not known by the RADIUS server (but other criteria can also be used), the server returns redirection attributes, and the switch authorizes the station (via MAC authentication bypass [MAB]) but places an access list to redirect the web traffic to the portal. Once the user logs in on the guest portal, it is possible via CoA (Change of Authorization) to bounce the switch port so that a new Layer 2 MAB authentication occurs. The ISE can then remember it was a webauth user and apply Layer 2 attributes (like dynamic VLAN assignment) to the user. An ActiveX component can also force the client PC to refresh its IP address.

Please check the links below, which may be helpful for you.

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

Link-2: For VLAN Assignment:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_sw_cnfg.pdf
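The switch-side configuration that implements the CWA flow described in the reply above (MAB authorizes the unknown MAC, a redirect ACL sends only web traffic to the ISE portal, CoA after portal login triggers a new authentication on which ISE returns the VLAN), as an added example that is not from this thread or from Cisco's documentation; the ISE address 10.0.0.10, the shared-secret placeholder, the ACL name, the port and VLAN numbers are assumed.

```text
! --- Catalyst switch side (assumed addresses, names and secret) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Accept CoA (port bounce / reauthenticate) from ISE after the portal login
aaa server radius dynamic-author
 client 10.0.0.10 server-key <shared-secret-placeholder>
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <shared-secret-placeholder>
radius-server vsa send authentication
radius-server vsa send accounting
! Needed for URL redirection and for binding the redirected host's IP to its MAC
ip device tracking
ip http server
ip http secure-server
! Redirect ACL: "permit" lines are redirected to the portal, "deny" lines pass untouched
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   ip any host 10.0.0.10
 deny   udp any any eq domain
 deny   udp any any eq bootps
 permit tcp any any eq www
 permit tcp any any eq 443
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! --- ISE side (two authorization profiles, summarised as comments) ---
! 1) "CWA-Redirect": Web Redirection = Centralized Web Auth, ACL = ACL-WEBAUTH-REDIRECT.
!    Returned for unknown MACs; the switch applies it to the MAB session and redirects web traffic.
! 2) "Guest-VLAN": Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<guest VLAN id>.
!    Returned on the re-authentication that follows the CoA (rule matching the guest-flow session),
!    so "show authentication sessions interface Gi1/0/1" then shows a VLAN policy for the client.
```

Because the VLAN is delivered on the second, Layer 2 MAB authorization rather than by the web portal itself, this is the only path in the thread where the switch output shows a downloaded VLAN policy for a web-authenticated user.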

Dear Aqeel Javed, thanks for your reply, but my question is about Local Web Auth, not CWA. Is there any way to force VLAN assignment? As we see it in dot1x and MAB, can we see the VLAN assignment in LWA? Is there any possible way to do it?

Regards,

Santosh Atnur

Muhammad Munir
Level 5

Hi Santosh

Use the following link to define the VLAN names, numbers, and SVIs based on known enforcement states in your network. Create the respective VLAN interfaces to enable routing between networks. This can be especially helpful to handle multiple sources of traffic passing over the same network segments.

For more information, please go through this link at page 1095:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf

Dear Muhammad Munir,

Thanks for your reply. My scenario is: when my client gets authenticated using LWA, he for sure gets an IP from the VLAN pool that has been assigned, but when I look at the output on my switch I don't see any VLAN policy assigned to my client, as it would be assigned when a client is authenticated using dot1x/MAB. My query is just that when my clients get authenticated using Local Web Auth, they do get an IP from the pool/VLAN that's been assigned, but I don't see the VLAN policy assigned to them in the output displayed on my switch. So please do assist me with it. When I went through the Cisco docs for switch configuration, I found that "Web-based authentication does not support VLAN assignment as a downloadable-host policy". For more details, I have posted the link to where I saw this: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swwebauth.html. So is there any possibility to get my VLAN policy downloaded from ISE as in dot1x/MAB?

Regards,

Santosh Atnur

Ajay Dmello
Level 1

Hi Santosh,

I too have encountered a similar issue with the clients that we were consulting with; dynamic VLAN assignment is not possible with ISE Local Web Auth, because of which we needed to shift the authentication to Central Web Authentication.

I was using ISE 1.1.2 at the time, and I have gone through the ISE 1.1.3 and ISE 1.1.4 bug fixes, but this issue has not been resolved. After going through the above-mentioned link, http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swwebauth.html, it says Cisco switches do not support dynamic VLAN assignment with WebAuth, so I guess it would be rectified in upcoming switch releases.

Just for querying's sake, which switch OS were you deploying/testing with?

I do not think anybody would be able to resolve your query here, you could try to deploy a Central Web Authentication instead.

Yours sincerely,
Ajay D'mello

Hi Ajay,

Thanks for your reply, and it is good that even you encountered the same error. And I do agree it will be possible in Central Web Auth. Then is there no way I can force VLAN assignment in Local Web Auth to see the VLAN policy?

Regards,

Santosh Atnur.