I am on a NAC implementation project. Regarding the Cisco NAC implementation I have some questions; I hope for your valuable inputs.
Scenario (regarding dynamic VLANs)
We have 4 floors and 4 departments. In the design every department has a different VLAN:
4 untrusted VLANs and 16 trusted VLANs.
For Floor 1
Dept name   Untrusted   Trusted VLAN ID
Sales       101         201
Marketing   101         301
HR          101         401
Admin       101         501
For Floor 2
Sales       102         202
Marketing   102         302
HR          102         402
Admin       102         502
For Floor 3
Sales       103         203
Marketing   103         303
HR          103         403
Admin       103         503
For Floor 4
Sales       104         204
Marketing   104         304
HR          104         404
Admin       104         504
Our requirement is like this:
If the user is from floor <number> and from the <group name> department, the VLAN is <>.
e.g. if the user is from floor 2 and from the sales department, the VLAN ID should be 202.
For this requirement I have configured 16 different user roles,
e.g. a sales role for floor 1,
a sales role for floor 2,
and in every role I have configured the access VLAN, e.g. for the sales role for floor 2 the VLAN ID is 202; likewise for all roles.
And I configured mapping rules, e.g.:
Sales_Floor_2 : ( ( memberOf contains Sales ) AND ( VLAN ID equals 102 ) )
Sales_floor_2 role configuration:
Role Name : Sales_floor_2
Role Type : Normal Login role
Out-of-band user role VLAN (VLAN ID) : 202
I have created a port profile per floor; the configuration is here:
Profile name : Floor_2
Auth VLAN (VLAN ID) : 102
Access VLAN : User Role VLAN
According to this configuration our requirement is fulfilled and all users are getting the proper VLAN ID and IP subnet; I don't have any problem with this.
But I have a question: is this the way to configure dynamic VLANs? Or does NAC have a smarter way to configure this requirement?
And, in this configuration, what will happen if a domain user has membership of both the sales and marketing departments?
That's the only way to do dynamic VLANs with NAC. As for a user being a member of more than one group, whichever mapping he matches first, he'll be part of that VLAN as designed by the mapping rule.
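The first-match behaviour described in the answer is easy to get wrong when a user sits in several AD groups, because the resulting VLAN then depends purely on the order of the mapping rules, not on anything about the user. The following Python model is an added example written for this thread, not Cisco NAC code and not anything the original poster ran. It rebuilds the 16 rules from the table above, evaluates them in order exactly as the answer states, and adds an audit function that lists every user who matches more than one rule so the ordering decision is made deliberately rather than by accident. Assumptions: "memberOf contains X" is modelled as a substring test on each group DN, the DNs and the three sample users are constructed, and the rule order is the order the roles were created in (Sales, Marketing, HR, Admin per floor).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    """One NAC mapping rule: (memberOf contains group) AND (VLAN ID equals auth_vlan)
    maps the user to `role`, whose out-of-band user role VLAN is `access_vlan`."""
    role: str
    group: str        # substring tested against the user's memberOf values
    auth_vlan: int    # untrusted/auth VLAN the user is first seen on (identifies the floor)
    access_vlan: int  # trusted VLAN the role assigns


DEPARTMENTS = ("Sales", "Marketing", "HR", "Admin")


def build_rules():
    """Rebuild the 16 rules from the post's table: floor N uses auth VLAN 100+N,
    and department i (Sales=0 ... Admin=3) on floor N gets trusted VLAN 100*(i+2)+N.
    Rule order here is the assumed creation order and is what decides first-match."""
    rules = []
    for floor in range(1, 5):
        for i, dept in enumerate(DEPARTMENTS):
            rules.append(MappingRule(f"{dept}_Floor_{floor}", dept,
                                     100 + floor, 100 * (i + 2) + floor))
    return rules


RULES = build_rules()


def member_of_contains(member_of, group):
    # Assumption: "memberOf contains X" is a substring match on each group DN.
    return any(group in dn for dn in member_of)


def matching_rules(rules, member_of, auth_vlan):
    """All rules whose condition holds for this user, in rule order."""
    return [r for r in rules
            if r.auth_vlan == auth_vlan and member_of_contains(member_of, r.group)]


def assign_vlan(rules, member_of, auth_vlan):
    """First-match semantics as the answer describes: the first matching rule wins.
    Returns None when no rule matches (the user gets no role VLAN from these rules)."""
    matches = matching_rules(rules, member_of, auth_vlan)
    return matches[0].access_vlan if matches else None


def audit_ambiguous_users(rules, users):
    """users: {name: (member_of, auth_vlan)}. Returns every user matching more than
    one rule, with the candidate (role, VLAN) pairs, so multi-membership is visible
    before the rule order silently decides it."""
    report = {}
    for name, (member_of, auth_vlan) in users.items():
        matches = matching_rules(rules, member_of, auth_vlan)
        if len(matches) > 1:
            report[name] = [(r.role, r.access_vlan) for r in matches]
    return report


# Constructed sample directory data (not from the thread).
SAMPLE_USERS = {
    "alice": (("CN=Sales,OU=Groups,DC=example,DC=com",), 102),
    "bob": (("CN=Sales,OU=Groups,DC=example,DC=com",
             "CN=Marketing,OU=Groups,DC=example,DC=com"), 103),
    "carol": (("CN=Finance,OU=Groups,DC=example,DC=com",), 101),
}

if __name__ == "__main__":
    for name, (groups, auth_vlan) in SAMPLE_USERS.items():
        print(name, "auth VLAN", auth_vlan, "->", assign_vlan(RULES, groups, auth_vlan))
    print("ambiguous:", audit_ambiguous_users(RULES, SAMPLE_USERS))
    # Same user, rules in reverse order: the outcome flips to the Marketing VLAN.
    print("bob with reversed rule order ->",
          assign_vlan(list(reversed(RULES)), *SAMPLE_USERS["bob"]))
```

Running the audit against the directory export before go-live is the practical check here: any name it reports will land in whichever of its departments' rules comes first, so either the rule order must be set on purpose (for example a more restrictive department first) or those accounts should be cleaned up to a single department group.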