We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.
A number of students will be living in university owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied to those applied when they connect "on campus") . However, in order to do this, I will need to create an authorization policy based on where they are coming from (ie what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from but for the life of me I have no idea how I would identify the port.
Anyone have any ideas how I might achieve my goal?
Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
Cisco NetFlow data records exported by routers and switches consist of expired traffic flows with detailed traffic statistics useful to monitor bandwidth and network traffic analysis. These flows contain information about source and destination IP addresses along with the protocols and ports used in the end-to-end conversation.
No - I don't mean to handle the off-campus switches as NADs.
The reason I may need to differeniate according to port number is the external switches over which I have no control will, in all probability, be connecting to a single switchport in my network. The users concerned will have different rights depending on whether they are connecting from Halls of Residence which are not owned an operated by the university or whether they are connecting on-campus. It's all to do with how I write my authorization policies.
The good news is that thanks to the information I have received I've figured out what I need to do.
Thanks to all who have helped - sorry I didn't reply to all posts individually but you have all been a great help.
So you're planning cascading switches and make the 802.1X frames from off-campus clients appear on that single switchport? I'm afraid that's not possible as the remote switch would not forward EAPOL frames. Only hubs are suitable for such multi-auth scenarios.
Thanks to all who have answered here - it has given me a lot of useful information. However as we have progressed in our design and testing phase we have moved away from the idea of using multi-auth as a solution. We are now looking at security group tags for all our security requirements.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...