I am working on a L3 OOB Real IP NAC deployment for a customer and have come across a design issue I need to work around. The customer has 8 4510 chassis in their headquarters. I am using VRFs to tunnel the unauthenticated/temporary VLAN traffic into the Untrusted side of the CAS. Each chassis is completely full with 48-port copper Ethernet blades. Every port on each blade has its own distinct VLAN for users (ex. Blade 1 = VLAN 1201, Blade 2 = VLAN 1202, etc.).
We are looking at having 4 roles in NAC: Internal, Restricted Partner (a role for each partner/vendor), Unrestricted Partner, and Guest.
Internal users would be placed on a VLAN that has no network restrictions. We need to use the existing VLAN design (1 VLAN per blade) to assign to the users.
A Restricted Partner/Vendor would need to be placed on a VLAN that is defined in the role. The VLAN on the 4500 would have access-lists limiting them to where they can go after they are authenticated and successfully posture assessed.
An Unrestricted partner would be a mixture of Internal and Restricted Partner/Vendor. There would be no network restrictions, but the user would be placed on a specific VLAN in the role.
The implementation of Guest hasn't been fully explored yet.
So... my dilemma is this. I can't use Role Based VLAN assignment for Internal because Internal users could be on any 120x VLAN. I don't believe using VLAN Names with wildcards would help either. This forces me to use port profiles that use Initial Port. I need to use Role Based VLAN assignment for the other roles, BUT port profiles can only be set up to do Role Based or Initial Port. There will not be designated areas for non-Internal users to plug in where I could just identify the ports in question and set them to be Role Based.
I have no idea how to get around this short of telling the customer we need to move away from 1 VLAN per blade so that Role Based can be used for all port profiles.