Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ISE Vlan Assignment

Hello Friends, I have been researching from quite a long period of time for Vlan Assignment in Local Web Auth, But all the docs in the cisco says that switches dont support vlan assignment in LWA, Is that so ?? Can it be done locally or vlan assignment, they dont support at all ?? Please guide me is there a way or not, Please do discuss, i really want to enhance my knowledge n dig deeper into it. 

Regards,

Santosh Atnur

Everyone's tags (5)
6 REPLIES
Bronze

Cisco ISE Vlan Assignment

The concept of central web authentication is opposed to local  web authentication, which is the usual web authentication on the switch  itself. In that system, upon dot1x/mab failure, the switch will failover  to the webauth profile and will redirect client traffic to a web page  on the switch.

Central web authentication offers the possibility to have a  central device that acts as a web portal (here the ISE). The major  difference compared to the usual local web authentication is that it is  shifted to Layer 2 along with mac/dot1x authentication. The concept also  differs in that the radius server (ISE here) returns special attributes  that indicate to the switch that a web redirection must occur. This  solution has the advantage to eliminate any delay that was necessary for  web authentication to kick. Globally, if the MAC address of the client  station is not known by the radius server (but other criteria can also  be used), the server returns redirection attributes, and the switch  authorizes the station (via MAC authentication bypass [MAB]) but places  an access list to redirect the web traffic to the portal. Once the user  logs in on the guest portal, it is possible via CoA (Change of  Authorization) to bounce the switch port so that a new Layer 2 MAB  authentication occurs. The ISE can then remember it was a webauth user  and apply Layer 2 attributes (like dynamic VAN assignment) to the user.  An ActiveX component can also force the client PC to refresh its IP  address.

Please check below which may be helpful for you.

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

Link-2: For VLAN Assignment:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_sw_cnfg.pdf

New Member

Cisco ISE Vlan Assignment

Dear Aqeel Javed, Thanks for your reply, But my question is in Local Web Auth not in CWA, Is there any way to force for Vlan Assignment ?? As we see in dot1x & mab, can we see the Vlan Assignment in LWA ?? Is there any possible way to do it ??

Regards,

Santosh Atnur

Cisco Employee

Cisco ISE Vlan Assignment

Hi Santosh

Use the following link to define the VLAN names, numbers, and SVIs based on known

enforcement states in your network. Create the respective VLAN interfaces to enable routing between

networks. This can be especially helpful to handle multiple sources of traffic passing over the same

network segments

For more information, please go through this link at page no 1095:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf

New Member

Re: Cisco ISE Vlan Assignment

Dear Muhammad Munnir,

Thanks for your reply. My scenario is, When my client gets authenticated using LWA, he for sure gets the IP from the VLAN Pool that has been assigned, But when i do see in the output in my switch i dont see any VLAN Policy assigned to my client, as it would be assigned when a client is authenticated using dot1x/mab. I just have my query that when my client gets authenticated using Local Web Auth, they do get an ip from the pool/vlan thats been assigned, but i dont see the Vlan policy assigned to them in my output displayed on my switch. So please do assist me in it, When i i went through the cisco docs for switch configuration where i found that "Web-based authentication does not support VLAN assignment as a downloadable-host policy". For more details of this, i have posted the link of where i saw this: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swwebauth.html. So is there any possibility to get my VLAN Policy downloaded from ISE as in dot1x/mab.

Regards,

Santosh Atnur

New Member

Cisco ISE Vlan Assignment

Hi Santosh,

I too have encountered a similar issue in the clients  that we were consulting with, a dynamic VLAN assignment is not possible  with ISE Local Web Auth because of which we needed to shift the  authentication to Central Web Authentication.

I was  using ISE 1.1.2 at the time and I have gone through ISE 1.1.3 and ISE  1.1.4 bug fixes but this issue has not been resolved. After going  through the above mentioned link, http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swwebauth.html it says Cisco switches do not support dynamic VLAN assignment with  WebAuth, so I guess it would  be rectified in upcoming Switch releases.

Just for querying sake,which Switch OS were you deploying/testing with?

I do not think anybody would be able to resolve your query here, you could try to deploy a Central Web Authentication instead.

Yours sincerely,
Ajay D'mello

Yours sincerely, Ajay D'mello
New Member

Cisco ISE Vlan Assignment

Hi Ajay,

Thanks for your reply, And good that even you encountered the same error. And i do agree it will be possible in Central Web Auth, Then is there no way i can force vlan assignment in Local Web Auth to see Vlan Policy ???

Regards,

Santosh Atnur.

8272
Views
0
Helpful
6
Replies
CreatePlease to create content