Have got this working nicely with Microsoft NPS server, RADIUS proxy (using pattern matching) but hit a stumbling block.
Quick overview of solution.
Three different networks each running as VRF on L3 switches, separate VLANs on L2 switches.
Switches configured for 802.1X against NPS server in the most secure network, this then proxies requests to other lower security networks based on pattern matching of machine name.
This is because we're using Machine based authentication and machines have different naming conventions between networks.
If machine A connects (AAAA1234), pattern matching realises it belongs to Network A based on the 'AAAA' authenticates locally and places in VLAN100.
If machine B connects (BBBB1234), pattern matching realises it belongs to Network B based on the 'BBBB' proxies the authentication to an NPS server in Network B and places in VLAN200.
If machine C connects (CCCC1234), pattern matching realises it belongs to Network C based on the 'CCCC' proxies the authentication to an NPS server in Network C and places in VLAN300.
All works beautifully with one small issue.
In some of our larger sites there is more than one VLAN for each network and not all switches have all the VLANs, to reduce the Spanning-Tree implications/reconvergence times.
So for example in Site X we might have:
3 switches with VLAN100 for Network A, 200 for Network B and 300 for Network C
3 switches with VLAN101 for Network A, 201 for Network B and 301 for Network C
And so on....
We can't set different VLANs for different user groups because we don't know which user will connect to which switch (open plan/hotdesking etc.); the whole point of the solution is anyone can connect anywhere and automatically be connected to the right network.
Is there a way to set some form of priority such that 802.1X Dynamic VLAN Allocation will attempt to place the user in VLAN 100 but if this doesn't exist try VLAN 101?
Good point on VLAN name.
Obviously all VLANs exist on the core switches and have unique names there, but as we aren't using VTP the different VLANs could have the same name on each of the access/edge switches.
Would need to test it out, but the idea has legs....
I know it would work with FreeRADIUS, possibly with ACS 5.2... but I have no experience with other RADIUS products.
Thanks Dominic it worked a treat.
Set RADIUS to do the dynamic VLAN allocation by name.
Set the switches such that the names for VLAN 100/101, 200/201, 300/301 are the same on different switches (obviously different at the core).
Client connects to a switch which has VLAN100/200/300 and gets placed in correct VLAN by name
Client connects to a switch which has VLAN101/201/301 and gets placed in correct VLAN by name
Might be a bit confusing for support peeps but that's not insurmountable.
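As an added illustration of both the machine-name pattern matching in the question and the VLAN-by-name resolution in the accepted solution (this is example code written for this page, not the poster's NPS or switch configuration), the script below models the three pieces: the prefix match that decides which network and NPS handle a machine, the three RFC 2868 tunnel attributes a RADIUS server returns with a VLAN name in Tunnel-Private-Group-ID, and the switch-side lookup that maps that name to whichever VLAN ID the local switch carries. The VLAN tables, VLAN names and machine names are constructed; the attribute numbers (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802) are the standard ones.

```python
import re

# RFC 2868 tunnel attribute values used for dynamic VLAN assignment (standard values).
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type = VLAN
TUNNEL_MEDIUM_TYPE_IEEE802 = 6   # Tunnel-Medium-Type = IEEE-802

# Constructed: machine-name prefix -> network, where the request is handled,
# and the VLAN name every access switch uses for that network.
NETWORKS = {
    "AAAA": {"network": "Network A", "handled_by": "local NPS", "vlan_name": "NET-A"},
    "BBBB": {"network": "Network B", "handled_by": "NPS in Network B", "vlan_name": "NET-B"},
    "CCCC": {"network": "Network C", "handled_by": "NPS in Network C", "vlan_name": "NET-C"},
}

# Constructed VLAN tables (VLAN ID -> VLAN name) for two access switches and the core.
# The access switches reuse the same names on different IDs; the core carries every
# ID and therefore must give each VLAN a distinct name.
ACCESS_SWITCH_1 = {100: "NET-A", 200: "NET-B", 300: "NET-C"}
ACCESS_SWITCH_2 = {101: "NET-A", 201: "NET-B", 301: "NET-C"}
CORE_SWITCH = {100: "NET-A-100", 101: "NET-A-101", 200: "NET-B-200",
               201: "NET-B-201", 300: "NET-C-300", 301: "NET-C-301"}

# Constructed naming convention: four-letter prefix followed by four digits.
MACHINE_NAME = re.compile(r"^([A-Z]{4})\d{4}$")


def classify_machine(machine_name):
    """Pattern-match the machine name to a network profile; None if no convention matches."""
    m = MACHINE_NAME.match(machine_name)
    return NETWORKS.get(m.group(1)) if m else None


def access_accept_for(profile):
    """The three tunnel attributes the RADIUS server returns, carrying the VLAN *name*."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE802,
        "Tunnel-Private-Group-ID": profile["vlan_name"],
    }


def resolve_vlan(switch_vlans, group_id):
    """Mimic the switch's handling of Tunnel-Private-Group-ID: an all-digit string is
    treated as a VLAN ID, anything else as a VLAN name. Returns the VLAN ID, or None
    when this switch has no such VLAN (the port then stays unauthorized)."""
    if group_id.isdigit():
        vid = int(group_id)
        return vid if vid in switch_vlans else None
    by_name = {name: vid for vid, name in switch_vlans.items()}
    return by_name.get(group_id)


def names_are_unique(switch_vlans):
    """A single switch cannot hold two VLANs with the same name, so any switch that
    carries both VLAN 100 and 101 (the core here) needs distinct names for them."""
    names = list(switch_vlans.values())
    return len(names) == len(set(names))


def authorize(machine_name, switch_vlans):
    """End to end: classify -> RADIUS reply -> switch VLAN lookup.
    Returns (handled_by, vlan_id); (None, None) models an Access-Reject."""
    profile = classify_machine(machine_name)
    if profile is None:
        return None, None
    reply = access_accept_for(profile)
    return profile["handled_by"], resolve_vlan(switch_vlans, reply["Tunnel-Private-Group-ID"])


if __name__ == "__main__":
    for name in ("AAAA1234", "BBBB1234", "CCCC1234", "ZZZZ0001"):
        for label, table in (("switch 1", ACCESS_SWITCH_1), ("switch 2", ACCESS_SWITCH_2)):
            print(name, label, authorize(name, table))
    # Contrast: returning the numeric ID 100 only works on a switch that has VLAN 100.
    print("numeric 100 on switch 2 ->", resolve_vlan(ACCESS_SWITCH_2, "100"))
```

Running the script shows the same machine landing in VLAN 100 on one switch and VLAN 101 on the other purely because the reply carries the name, while a numeric Tunnel-Private-Group-ID of 100 resolves to nothing on the second switch. The `names_are_unique` check is the guard to run against any switch, such as the core, that carries both members of a 100/101 pair.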