11-29-2015 11:49 PM - edited 03-08-2019 02:53 AM
Hello There,
We are using Cisco 6500 Series Switches as Core L3 switch in our network. We have different VLANs created for different customer based Projects.
Currently we are assigning VLANs manually on the switchport. So whenever a new user joins a particular project or an existing user shifts location, we have to manually assign the VLAN accordingly.
Our management wants to automate this process. I have some knowledge about dynamic VLAN assignment using Cisco ISE.
But before I can propose my solution, I need a few details from all of you guys.
1. Is dynamic VLAN assignment widely used in the IT industry?
2. Should VLAN assignment be based on UserID or MAC ID? I prefer user-based assignment but our infosec team disagrees and they want MAC-based authentication. Which type is mostly used in the current industry?
Looking for your replies.
Thanks
Amod
11-30-2015 02:18 AM
Hi Amod,
On our campus network, using 802.1x on the wired network has always been kept at arm's reach by the operations team. I've configured and had success in deploying it to CS department labs where the users are more understanding of the technology and know what a supplicant is!
Regarding the second point, I'd be concerned by your infosec team suggesting authentication (ISE MAB) based on an identifier that can be easily spoofed!! UserID should be your preferred identifier.
cheers,
Seb.
11-30-2015 03:02 AM
Thanks Seb for the reply.
11-30-2015 08:01 AM
It is common to use dot1x and ISE or ACS for VLAN assignment in mobile networks such as wireless, but it has its own drawbacks. It will cause more problems if it is implemented for everyone.
First, you will get involved with a lot of troubleshooting in the access network. Each user needs to use a username and password for network authentication, resulting in issues for the network administrator. Authentication can be combined with Active Directory, but it is still a lot of work.
Second, you need to span all VLANs to all switches, because a user can access the network from anywhere. It leads to security concerns and also more L2 traffic over the trunk; however, without VLAN assignment, each switch is limited to a certain number of VLANs, so traffic of other VLANs is not allowed on the trunk.
I suggest you limit VLAN assignment to only some groups of users, such as managers, and only in limited areas.
Hope it helps,
Masoud
11-30-2015 06:58 AM
Hi Amod,
In addition to Seb Rupik's very nice answers, these are my thoughts:
Dynamic VLAN assignment is a nice idea but it does not seem to be widely deployed nowadays. These are the reasons I consider it to be problematic:
Regarding the choice of User ID vs. MAC ID, I personally consider the User ID to be much more preferable, as the MAC address can be spoofed easily. Alternatively, you could consider using certificate-based authentication. I would assume - though I have never deployed it myself - that the computer operating system can be configured to present the same certificate when logging into the network, regardless of the user working on that PC. These certificates would effectively be issued to PCs, not to users. They would thus replace MAC address-based authentication without the risk of spoofing it so easily.
Best regards,
Peter
11-30-2015 05:31 PM
Hi Amod,
We currently have deployed dynamic VLAN assignment (using FreeRADIUS, but we are currently in the early days of investigating ISE, where we are having some success) across 90 sites (~25k users) using local VLANs per site. Instead of sending the VLAN ID back, we send the VLAN name, i.e., instead of sending 1701, we send "Staff" or "Student". This enables each site to have local VLANs, but also allows the 802.1x solution to be as generic as possible.
We primarily rely on user auth, but there are some instances where we rely on MAC-based authentication (mostly printers and other devices that don't support 802.1x authentication) as a fallback method.
It's definitely a workable and good solution to the problems we were facing when we implemented it.
Let me know if you want any more details :)
-J
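Jamie's "send the VLAN name, not the number" approach, as an added example that is not the thread's or FreeRADIUS's own code: it encodes the RFC 2868 tunnel attributes a RADIUS server returns in the Access-Accept and shows how two sites with different local VLAN IDs resolve the same name; the site tables, group names and tag value are constructed assumptions.

```python
import struct

# RFC 2868 attribute types and the RFC 3580 values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def _attr(attr_type, value):
    """RADIUS attribute TLV: type, total length (incl. header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_reply_attrs(group_name, tag=1):
    """Build the three Access-Accept attributes that assign a VLAN by name.
    The tag byte (0x01..0x1F) ties the three attributes together."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    return (
        _attr(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big"))
        + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big"))
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_name.encode("ascii"))
    )


def parse_attrs(raw):
    """Split a RADIUS attribute sequence into (type, value) pairs."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute")
        out.append((raw[i], raw[i + 2 : i + raw[i + 1]]))
        i += raw[i + 1]
    return out


def resolve_local_vlan(raw, site_vlans):
    """Switch-side view: take the group name from the reply and look it up in
    this site's own VLAN table (as IOS does when matching a VLAN name).
    Returns the local VLAN ID, or None when the site has no such VLAN, in
    which case the authorization fails rather than landing on a wrong VLAN."""
    for attr_type, value in parse_attrs(raw):
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            name = value[1:] if value[0] <= 0x1F else value  # strip tag byte
            return site_vlans.get(name.decode("ascii"))
    return None


# Constructed per-site tables: same names, different local VLAN IDs
SITE_A = {"Staff": 1701, "Student": 1702}
SITE_B = {"Staff": 201, "Student": 202}

if __name__ == "__main__":
    reply = vlan_reply_attrs("Staff")
    print(resolve_local_vlan(reply, SITE_A), resolve_local_vlan(reply, SITE_B))
```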
12-01-2015 02:32 PM
Jamie,
Instead of sending the VLAN ID back, we send the VLAN name, i.e., instead of sending 1701, we send "Staff" or "Student". This enables each site to have local VLANs, but also allows the 802.1x solution to be as generic as possible.
A very nice idea!
Best regards,
Peter