10-03-2013 07:49 AM - edited 03-10-2019 08:57 PM
I am planning wired ISE for large university network where authenticated users will be assigned to a default data vlan by default.
There are a few departments across the university that will require their own VLANs, usually in specific locations.
example:
'medical' vlan name is configured on access switches in a medical building, so any users in the medical group will be placed in a medical vlan on successful authentication, so they can access sensitive information.
However, if those users go to other locations, where 'medical' is not configured on the access switches, they will get no network access at all.
I would like ISE to offer a 'secondary' option of the 'default data' vlan, so the authenticated user can still access core college resources+www wherever they are, even if they are not able to access specific 'medical' resources.
thanks
10-25-2013 05:22 PM
Define VLANs Based on Enforcement States
Use the following command lines to define the VLAN names, numbers, and SVIs based on known enforcement states in your network. Create the respective VLAN interfaces to enable routing between networks. This can be especially helpful to handle multiple sources of traffic passing over the same network segments, for example traffic from both PCs and the IP phone through which the PC is connected to the network.
Note: The first IP helper goes to the DHCP server and the second IP helper sends a copy of the DHCP request to the inline posture node for profiling.

! Data (ACCESS) and VOICE VLANs; replace <VLAN_number> with your own numbers
vlan <VLAN_number>
 name ACCESS
!
vlan <VLAN_number>
 name VOICE
!
! SVI for the data VLAN; both helpers receive a copy of each DHCP request
interface Vlan<VLAN_number>
 description ACCESS
 ip address 10.1.2.3 255.255.255.0
 ip helper-address <DHCP_Server_IP_address>
 ip helper-address <Cisco_ISE_IP_address>
!
! SVI for the voice VLAN
interface Vlan<VLAN_number>
 description VOICE
 ip address 10.2.3.4 255.255.255.0
 ip helper-address <DHCP_Server_IP_address>
 ip helper-address <Cisco_ISE_IP_address>
10-26-2013 02:54 AM
Maybe you could use Network Device Groups here?
You create an NDG for 'medical' switches and then use that in your authorization policy.
IF (device=medical) AND (user = AD group XX) THEN (vlan 'medical')
And if they don't match that one they get 'normal' on the next line.
IF (any) AND (user = AD group XX) THEN (vlan 'normal')
If you use Policy Sets you can use different policies for different NDGs, which might be easier if the policy gets large.
Cheers
10-27-2013 12:07 AM
+5 for michael,
Also if you are using ISE 1.2 you have the ability to run policy sets. In each policy set you can break apart the sets based on location and then use your conditions to map to the authorization profile you want.
Thanks,
Tarik Admani
*Please rate helpful posts*
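The following is an added worked example, not code from this thread or from Cisco ISE. It models the first-match authorization logic Michael describes (an NDG-scoped 'medical' rule followed by a general 'normal' rule) and the per-location split Tarik mentions, and compares it with the original poster's single rule and with the same two rules in the wrong order. The switch inventory, NDG names, AD group names, VLAN names and user accounts are all constructed assumptions; the "auth-fail" outcome stands for the behaviour the original poster reports when ISE returns a VLAN name the access switch does not have.

```python
"""Model of first-match ISE authorization rules with Network Device Groups.

Added illustration only; this is not Cisco ISE code. All names below are
constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Switch:
    name: str
    ndg: str                    # location NDG the switch belongs to in ISE
    vlans: FrozenSet[str]       # VLAN names actually configured on the switch


@dataclass(frozen=True)
class Rule:
    name: str
    ndg: Optional[str]          # None = any network device
    ad_group: Optional[str]     # None = any authenticated user
    vlan: str                   # VLAN name in the authorization profile

    def matches(self, sw: Switch, user_groups: FrozenSet[str]) -> bool:
        return (self.ndg is None or sw.ndg == self.ndg) and (
            self.ad_group is None or self.ad_group in user_groups)


def authorize(rules: List[Rule], sw: Switch,
              user_groups: FrozenSet[str]) -> Tuple[Optional[str], Optional[str]]:
    """First-match evaluation: (rule name, VLAN), or (None, None) for default deny."""
    for rule in rules:
        if rule.matches(sw, user_groups):
            return rule.name, rule.vlan
    return None, None


def port_result(rules: List[Rule], sw: Switch, user_groups: FrozenSet[str]) -> str:
    """What the user ends up with once the switch tries to honour ISE's answer."""
    _, vlan = authorize(rules, sw, user_groups)
    if vlan is None:
        return "denied"
    if vlan not in sw.vlans:
        # VLAN name not present on this switch: the case the poster describes
        return "auth-fail: VLAN %s not on %s" % (vlan, sw.name)
    return vlan


def unreachable_rules(rules: List[Rule], switches: List[Switch],
                      users: Dict[str, FrozenSet[str]]) -> List[str]:
    """Rules never hit for the given user and switch population (ordering check)."""
    hits = {r.name: 0 for r in rules}
    for sw in switches:
        for groups in users.values():
            rule_name, _ = authorize(rules, sw, groups)
            if rule_name is not None:
                hits[rule_name] += 1
    return [name for name, count in hits.items() if count == 0]


# Constructed inventory: one switch in the medical building, one elsewhere.
SWITCHES = [
    Switch("MED-SW1", "medical", frozenset({"medical", "normal"})),
    Switch("LIB-SW1", "default", frozenset({"normal"})),
]
USERS = {
    "dr.smith": frozenset({"medical-staff", "university-users"}),
    "student1": frozenset({"university-users"}),
    "visitor": frozenset(),
}

# Poster's starting point: medical users get 'medical' wherever they are.
ORIGINAL = [Rule("medical-anywhere", None, "medical-staff", "medical"),
            Rule("default-data", None, "university-users", "normal")]

# Michael's suggestion: NDG-scoped rule first, general rule on the next line.
NDG_SCOPED = [Rule("medical-local", "medical", "medical-staff", "medical"),
              Rule("default-data", None, "university-users", "normal")]

# Same two rules, wrong order: the general rule shadows the specific one.
WRONG_ORDER = list(reversed(NDG_SCOPED))


def evaluate(rules: List[Rule]) -> Dict[Tuple[str, str], str]:
    """Outcome for every (user, switch) pair under the given rule order."""
    return {(user, sw.name): port_result(rules, sw, groups)
            for user, groups in USERS.items() for sw in SWITCHES}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("ndg-scoped", NDG_SCOPED),
                         ("wrong-order", WRONG_ORDER)):
        print(label, evaluate(rules),
              "unreachable:", unreachable_rules(rules, SWITCHES, USERS))
```

Running it shows the three outcomes side by side: with the original rule dr.smith fails authorization on LIB-SW1, with the NDG-scoped order the same user falls through to 'normal' there and still gets 'medical' on MED-SW1, and with the rules reversed the medical rule is never hit, which `unreachable_rules` reports. The same hit-count check is worth running against a real policy export whenever rules are reordered or a new policy set is split out per location.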