Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1165
Views
0
Helpful
2
Replies

ISE Dynamic VLAN assignment

pj0503311
Level 1
Level 1

‎03-01-2016 09:51 AM - edited ‎03-10-2019 11:32 PM

So we're looking to implement dynamic VLAN assignment for user-end host devices and we're a little fuzzy on the details of how to get it going.  We were under the assumption that ISE (PSN) speaks directly to AD to learn information about the host device such as if it's a domain device or even what OU or security group it belonged to. But after going through some documentation that turned up from a google search it would seem this is an incorrect assumption. 

This document:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/sec-ieee-8021x-vlan-assign.html

alludes to it actually being that the PSN seeks information about the host device via a local RADIUS server which in turn queries AD for the desired information. At the moment our RADIUS server simply verifies with AD that the host is in fact a domain client. The doc above says we must add some "vendor-specific tunnel attributes" to the RADIUS server's query in order to have VLAN information returned to the PSN and then passed onto the switchport. 

Does this mean that the PSN does not communicate directly to AD for such information as domain credentials and OU/security group membership during 802.1x authentication? 

Labels:
0 Helpful
2 Replies 2

aman.diwakar
Level 1
Level 1

‎03-02-2016 10:48 AM

no, it does it during the authorization phase using the authorization policy sets

0 Helpful

54545
Level 1
Level 1
In response to aman.diwakar

‎02-22-2018 04:57 AM

Hi Guys ,

 

i have an ISE v2.1   i am try to do  dynamic vlan assignment  , vlan 24  for voice  an vlan 26 for data ,

the traditional way is to add manually the mac address of each device into the appropriate group then use profiling to  map this group to the required vlan.  even with this  i see all the MACs in vlan 24 , dont know what i have done wrong here :

  24    xx.x.x.x.x.x    STATIC      Gi0/9
  24    y.y.y.y.y.yy.y    DYNAMIC     Gi0/9

can you please explain what should be the right way to accomplish this .

also i was told there is an other intelligent way for  dynamic vlan assignment , here you dont need to enter manually the mac addresses but using the specific sensor/protocol the ISE will be will be able to detect  classify the endpoints based on their profiles

thanx in advance

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents