NAC User role base vlan

Answered Question
May 24th, 2010

Hi Experts,

I am on NAC implementation project.Regarding Cisco NAC implementation I have some question, I hope for your valuable inputs.

Scenario (regarding dynamic vlans)

We have 4 floors and 4 departments. In design every department has different vlans.

Vlan detail

4 untrusted vlan   and 16 trusted vlans .

For Floor 1

Dept name                                    untrusted                                Trusted VLAN ID     

          

Sales                                               101                                                     201

Marketing                                         101                                                     301

HR                                                  101                                                     401

Admin                                              101                                                     501

For floor 2

Sales                                                   102                                                       202

Marketing                                              102                                                     302

HR                                                       102                                                     402

Admin                                                     102                                                     502

For floor 3

Sales                                                   103                                                       203

Marketing                                              103                                                     303

HR                                                       103                                                     403

Admin                                                 103                                                     503

For Floor 4

Sales                                                   104                                                     204

Marketing                                              104                                                     304

HR                                                       104                                                    404

Admin                                                 104                                                    504

Our requirement is like this

If user is from floor <number>  and from <group name> department vlan is <>

e.g. if user is from floor 2 and from sales department vlan id should be 202

for this requirement I have configured 16 different user roles

e.g. sales role for floor 1

sales role for floor 2

and in every role  I have configured access vlan e.g. for sales role for floor vlan id is 202 likewise for all roles.

And I configured mapping rules

Sales_Floor_ 2        ( ( memberOf contains Sales ) AND ( VLAN ID equals 102 ) )     

Sales_floor_2 role configuration

Role Name   : Sales_floor_2

Role Type  : Normal Login role

Out-of-band user role vlan    (vlanID)     202

Port profile

I have created port profile per floor base and configuration is here

Profile name : Floor_2

Auth VLAN       (VLAN ID)                                 102

Access VLAN                                                    User Role VLAN

and according to this configuration our requirement is fulfilling and all users are getting proper vlan id and ip subnet I don’t have any problem with this.

But I have question that, is this the way of configuration of dynamic vlan? Or NAC has more smart way to configure for this requirement?

And, in this configuration what will happened if domain user has membership of both sales and marketing department.

Thank you

I have this problem too.
0 votes
Correct Answer by Faisal Sehbai about 6 years 6 months ago

Laxman,

That's the only way to do dynamic VLANs with NAC. As for an user being member of more than one group, whichever mapping he matches first, he'll be part of that VLAN as deigned by the mapping rule.

HTH,

Faisal

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
blaxucisco Wed, 05/26/2010 - 23:20

Hi Faisal,

Could you please give me some suggestion regarding this??

Thank you

Correct Answer
Faisal Sehbai Thu, 05/27/2010 - 11:24

Laxman,

That's the only way to do dynamic VLANs with NAC. As for an user being member of more than one group, whichever mapping he matches first, he'll be part of that VLAN as deigned by the mapping rule.

HTH,

Faisal

Actions

This Discussion