Using ISE to dynamically VLAN change

KevinMuller
Level 1

Hello all,

I need some help to dynamically change the VLAN on each port of my Catalyst 3560. To do this, I don't want to use MAC address filtering; I want to use the conditions already in place in my ISE to switch the port between two VLANs (Guest and Corporate), where one gives access to the corporate LAN and the other to the Internet without LAN access.

Maybe some of you could have ideas on how to do this, with or maybe without VLANs?

 

PS: Sorry for my bad English, I'm not a native English speaker ;)

 

Thank you in advance.

2 Accepted Solutions (the replies from Parag Mahajan and nspasov below)

7 Replies

Parag Mahajan
Cisco Employee

I do not get exactly what you are looking for... But still:

The two kinds of access you are anticipating can be achieved either way:

Change of VLAN: as explained by you, you need to create two different authorization policies depending on which (AD) group the users belong to (e.g. employee or guest).

dACL: You can push a downloadable ACL to the switch as per the user's membership in AD.

Let me know if you need help from a design or configuration point of view...

 

 

 

 

 

 

Thanks for your answer, I also saw this morning the possibility to use this command: "authentication event fail action authorize vlan <my_guest_VLAN>" but it actually doesn't work. I'm very interested in dACL but I don't understand how it can switch each port of my 3560 to either VLAN Corp. or VLAN Guest. I will look in this direction.

 

Thanks!

nspasov
Cisco Employee

You can apply a VLAN change at any of your authorization profiles. Just keep in mind that devices without a supplicant (printers, cameras, etc) are not a good candidate as they might not know that you changed their VLAN, thus, they will not request a new IP address. 

With that being said, you can use dACLs to restrict access. You can refer to the following document: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-41-Guest_Services.pdf

Thank you for rating helpful posts!

 

 

Thanks for your answer.

The aim is to "detect" if the device is a corporate device and, if it is not, it will automatically be put in VLAN Guest. The user can't log in to a Web Portal or anything else; it's just the profiling of the device which determines its VLAN assignment.

kaaftab
Level 4

Well, you can easily accomplish this with ISE and push the dACL based on the user authentication. Since you only want the guest VLAN when the user is unable to authenticate, and otherwise the corporate VLAN, I would suggest checking the Cisco ISE guest services feature; it's exactly what you want to deploy, and more.

Do check the Cisco how-to guides for the exact step-by-step configuration.
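Added example, not posted by anyone in this thread: a Catalyst 3560 configuration that puts the two approaches from the replies above (VLAN assignment from the ISE authorization profile versus a dACL) next to the local fallback command the original poster tried. VLAN 100 (Corporate), VLAN 200 (Guest), the ISE address 10.0.0.10, the shared secret and the profile names "Corp" and "Guest" are placeholders, and the ISE-side attributes are summarised in comments because they are set in the ISE GUI rather than on the switch. It uses the newer `authentication ...` command syntax; older 3560 images use the `dot1x guest-vlan` and `dot1x auth-fail vlan` equivalents.

```cisco-ios
! --- Added example: Catalyst 3560 port authentication against ISE ---
! Placeholders: VLAN 100 = Corporate, VLAN 200 = Guest, 10.0.0.10 = ISE node
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Let ISE send Change of Authorization (re-auth after a profiling result)
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISE_SHARED_SECRET
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key ISE_SHARED_SECRET
radius-server vsa send authentication
dot1x system-auth-control
! Needed so the switch can bind a downloaded dACL to the endpoint's IP address
ip device tracking
!
interface GigabitEthernet0/1
 description user access port
 switchport mode access
 switchport access vlan 100
 ! Try 802.1X first, then MAC Authentication Bypass for supplicant-less devices
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Local fallbacks, applied when ISE does not return an authorization:
 !  - fail: a supplicant answered but ISE rejected the credentials
 !  - no-response: nothing answered (no supplicant) and MAB failed too
 !  - server dead: ISE is unreachable
 authentication event fail action authorize vlan 200
 authentication event no-response action authorize vlan 200
 authentication event server dead action authorize vlan 200
 authentication host-mode single-host
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! ISE side (configured in the ISE GUI, summarised here as comments):
! Authorization profile "Corp" -> VLAN override; ISE returns
!   Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), Tunnel-Private-Group-ID=100
! Authorization profile "Guest" -> same attributes with Tunnel-Private-Group-ID=200
! Alternative (dACL, every port stays in one VLAN): the profile returns
!   cisco-av-pair "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GUEST-ONLY-<id>"
!   and the switch downloads that named ACL, for example:
!     permit udp any eq bootpc any eq bootps
!     permit udp any any eq domain
!     deny   ip any 10.0.0.0 0.255.255.255
!     permit ip any any
```

Two points worth checking when testing this. The `fail` action only fires after a supplicant actually attempts 802.1X and ISE rejects it; a device with no supplicant never "fails", it simply does not answer, so it reaches the `no-response` path (or MAB) instead, which is the usual reason the fail-action command looks like it does nothing. Second, with these local fallbacks the endpoint lands in VLAN 200 before it requests an address, so the problem nspasov describes (a device that keeps its old IP after a VLAN change) only arises when the port is moved to a different VLAN after the device is already addressed, for example by CoA once profiling completes; for printers and similar devices a dACL avoids that entirely because the VLAN never changes.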

 
