Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
591
Views
0
Helpful
6
Replies

ISE vlan merge

JianfengWang5009
Level 1
Level 1

‎02-02-2023 10:58 AM

Our ISE server return VLAN names for various user vlans as based on user identity. Some of them doesn’t apply to certain area. On those switches, there is no corresponding vlan. We want a certain vlan host all users in such area. Say HR user log in to a switch in branch, the HR vlan doesn’t exist. I want switch put user in employees instead. How can I put a vlan with 2 name or merge 2 vlans?

 

Labels:
0 Helpful
6 Replies 6

ahollifield
VIP
VIP

‎02-03-2023 05:59 AM

Why change VLANs at all?  What is the use-case?  I don't think what you are describing is possible.  If you must change VLANs, then I would put the NADs that do not have the HR VLAN into a separate NAD group and make policies accordingly so ISE doesn't push the HR VLAN to those switches.

0 Helpful

Rodrigo Diaz
Cisco Employee
Cisco Employee

‎02-03-2023 06:37 AM

hi @JianfengWang5009 , ISE is not capable of creating/merge vlans within a switch , the ISE is capable only to assign vlans with base on your authentications. 

0 Helpful

Aref Alsouqi
VIP
VIP

‎02-03-2023 06:56 AM

I agree with @ahollifield , I don't believe what you are trying to achieve is possible. End of the day, ISE just returns attributes via RADIUS, it doesn't really dictate anything on the switches in this case. One thing you can potentially do which is quite common is to configure a parking VLAN on all the switches, and then on ISE you associate that parking VLAN to the default authorization rule. By doing so if the user/machine does not match any of the specific authorization rules, they will hit the default rule and will be placed into the parking VLAN.

0 Helpful

JianfengWang5009
Level 1
Level 1
In response to Aref Alsouqi

‎02-07-2023 06:49 AM

I think this is not ISE issue but how switch handles ISE reply. The user is authenticated successful with a policy match. It is just for some location, this VLAN assignment is not proper. If we don't have the VLAN name, the switch ends up with failed authorize. So, We'd like to use a working VLAN to give it a second name.
0 Helpful

hslai
Cisco Employee
Cisco Employee

‎02-04-2023 07:09 PM

@JianfengWang5009 I agree with all responded.

Perhaps, you may use VLAN groups but you need to configure them on the switches. For example, on a switch, configure the following:

vlan 10
 name Employees

vlan group HR vlan-list 10
vlan group Marketing vlan-list 10

 

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎02-07-2023 12:16 PM

@JianfengWang5009 As shown above, VLAN groups should help and most of Cisco catalyst switches will take the VLAN assignment from ISE and apply it as a VLAN group or a VLAN. Check out this blog -- 802.1x VLAN User Distribution (VLAN Group) -- the CCIE journey 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents