Cisco Support Community

Ise and authorization vlans

I need to know for sure (and with detailed official documentation links or experience if possible)

if ISE for CoA accepts VLAN names rather than VLAN ID numbers (multiple VTP domains: we have multiple VLAN ID numbers under the same consistent naming)

thank you in advance for your response

3 REPLIES

Re: Ise and authorization vlans

Guiliano,

The ISE CoA feature doesn't assign VLANs; its entire purpose is to re-authorize the user or to bounce the port. When CoA is configured in ISE it is done globally, and the values are: none, reauth, and port bounce (http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html#wp1555531). However, in your authorization policies most of the devices do support either VLAN names or VLAN IDs for dynamic VLAN assignment, as found in this configuration guide (http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/Sw8021x.html#wp1066886).

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: Ise and authorization vlans

Thank you for your explanation,

but what I wanted to know is:

In the auth profiles I can assign a VLAN dynamically by its VLAN ID, and this is OK.

If I have a scenario in which there are multiple VTP domains, so that a VLAN named XXX is present everywhere but with different VLAN IDs (VLAN XXX = VLAN 13 for site 1 and VLAN 60 for site 2), will I be able to tell ISE to associate that VLAN by its globally consistent naming to an authorization profile? (Identifying multiple VLAN IDs under a unique name?)

Re: Ise and authorization vlans

Not a problem; that is covered in the link that I posted at the end. Here are the comments that I was referring to:

Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1X-authenticated user.

Thanks,

Tarik Admani
*Please rate helpful posts*
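
As an added illustration (not part of the thread or of Cisco's documentation), the Python code below encodes the three attributes quoted above in the RFC 2868 wire layout and checks an attribute list for them, reporting whether attribute 81 carries a VLAN name or a VLAN ID. The function names are hypothetical; the VLAN name XXX and the IDs 13 and 60 are the example values from the question.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values the quoted guide requires for [64] and [65]


def encode_vlan_attrs(vlan, tag=0):
    """Encode attributes 64/65/81 (RFC 2868 layout) for a VLAN name or ID."""
    out = b""
    for attr_type, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        # type, length=6, 1-byte tag, 3-byte big-endian value
        out += struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")
    # In attribute 81 the tag byte is only sent when it is 0x01-0x1F
    body = (bytes([tag]) if tag else b"") + str(vlan).encode("ascii")
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body


def parse_attrs(data):
    """Split a RADIUS attribute list into {type: value bytes}."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def vlan_assignment(data):
    """Return ('id', n) or ('name', s); raise if the trio is wrong or missing."""
    attrs = parse_attrs(data)
    for attr_type, want in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        raw = attrs.get(attr_type)
        if raw is None or len(raw) != 4 or int.from_bytes(raw[1:], "big") != want:
            raise ValueError(f"attribute {attr_type} missing or not {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # leading byte <= 0x1F is a tag, not text
        group = group[1:]
    if not group:
        raise ValueError("attribute 81 missing or empty")
    text = group.decode("ascii")
    return ("id", int(text)) if text.isdigit() else ("name", text)


# Constructed sample: one profile returning the name, resolved per switch
print(vlan_assignment(encode_vlan_attrs("XXX")))
```

Returning the name in attribute 81 leaves the name-to-ID mapping to each switch's local VLAN database, which is what lets XXX resolve to 13 at one site and 60 at another.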
