ISE can pull VLAN (or iPSK) attributes from the user DB, such as AD, LDAP, SQL, or the internal DB, and assign them during authorization. This has many benefits, one of which is that it reduces the number of policy rules when used correctly. Imagine you want to assign 10 different VLANs to 10 different sets of users. In the traditional way, you would create 10 separate rules that read “If User A, then assign VLAN 10”, “If User B, then assign VLAN 20”… However, with a dynamic attribute, you can simply create one rule that reads “If the user authenticates, then assign the AD attribute as the VLAN ID”. AD attributes can be pre-populated with the VLAN name or ID and retrieved dynamically as the user authenticates. This video shows how to create users in AD with such an attribute, how to configure the ISE policy to use it for VLAN assignment, and lastly how to confirm the operation. I am using a WLC as an example, but the same works with Catalyst switches as well.
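As an added example (not code from the original post), the following PowerShell populates the AD attribute that ISE reads during authorization for a set of users and then reads the values back, so you can confirm what ISE will see before building the policy. It assumes the ActiveDirectory module (RSAT) is installed and that you have rights to modify the users; the user names and VLAN values are constructed sample data.

```powershell
# Added example: bulk-populate the AD attribute ISE will read for VLAN assignment,
# then read it back to verify. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed sample mapping of users to the VLAN ISE should return for them.
# The value can be a VLAN name or a VLAN ID, whichever the WLC/switch expects,
# and the VLAN must already exist on the network device (see Note 2).
$vlanMap = @(
    [pscustomobject]@{ SamAccountName = 'userA'; Vlan = '10' }
    [pscustomobject]@{ SamAccountName = 'userB'; Vlan = '20' }
    [pscustomobject]@{ SamAccountName = 'userC'; Vlan = 'GUEST' }
)

# Attribute ISE will query. 'Description' is fine for a lab (see Note 1); in
# production use an indexed attribute so the LDAP lookup stays fast.
$attributeName = 'Description'

foreach ($entry in $vlanMap) {
    $user = Get-ADUser -Identity $entry.SamAccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "User $($entry.SamAccountName) not found; skipping"
        continue
    }
    # -Replace works for any single-valued string attribute, not just Description
    Set-ADUser -Identity $user -Replace @{ $attributeName = $entry.Vlan }
}

# Read the values back: this is exactly what ISE retrieves during authorization
foreach ($entry in $vlanMap) {
    Get-ADUser -Identity $entry.SamAccountName -Properties $attributeName -ErrorAction SilentlyContinue |
        Select-Object SamAccountName, @{ Name = 'VLAN'; Expression = { $_.$attributeName } }
}
```

Run it from a host joined to the domain with an account that can write the chosen attribute; the final loop prints one row per user so a typo in the VLAN name or ID is visible before any client authenticates.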
Note 1: I used the ‘Description’ attribute from AD, which is not an indexed attribute and works in a test environment. However, in a real-world environment make sure to use an indexed attribute for fast retrieval of the attribute value.
Note 2: The VLANs need to be created on the WLC or the switch prior to the VLAN assignment. Also, an SVI and DHCP need to be configured for the VLAN, or else the endpoint will not be able to get an IP address assigned.
Note 3: The same can be done for iPSK by extending the endpoint DB. Simply create a new string attribute to store the iPSK value and call upon that value during authorization. Go to 'Administration > Identity Management > Settings > Endpoint Custom Attributes' and create a String type attribute called iPSK. Then go to Context Visibility and, for each endpoint, populate the iPSK attribute value in the following format: 'psk=XXXXX'.
Note 4: To use SGT, the attribute should be stored in the format the network device understands, which is 'cts:security-group-tag-0008-01' for an SGT of value 8.