'secondary' vlan names in ISE

mamckenn
Level 1

I am planning wired ISE for large university network where authenticated users will be assigned to a default data vlan by default.

There are a few departments across the university that will require their own VLANs, usually in specific locations.

example:

'medical' vlan name is configured on access switches in a medical building, so any users in the medical group will be placed in a medical vlan on successful authentication, so they can access sensitive information.

However, if those users go to other locations, where 'medical' is not configured on the access switches, they will get no network access at all.

I would like ISE to offer a 'secondary' option of the 'default data' VLAN, so the authenticated user can still access core college resources + www wherever they are, even if they are not able to access specific 'medical' resources.

thanks

3 Replies

blenka
Level 3

Define VLANs Based on Enforcement States

Use the following command lines to define the VLAN names, numbers, and SVIs based on known enforcement states in your network. Create the respective VLAN interfaces to enable routing between networks. This can be especially helpful to handle multiple sources of traffic passing over the same network segments—traffic from both PCs and the IP phone through which the PC is connected to the network, for example.

Note: The first IP helper goes to the DHCP server and the second IP helper sends a copy of the DHCP request to the inline posture node for profiling.

vlan <VLAN_number>
 name ACCESS
!
vlan <VLAN_number>
 name VOICE
!
interface Vlan<VLAN_number>
 description ACCESS
 ip address 10.1.2.3 255.255.255.0
 ip helper-address <DHCP_Server_IP_address>
 ip helper-address <Cisco_ISE_IP_address>
!
interface Vlan<VLAN_number>
 description VOICE
 ip address 10.2.3.4 255.255.255.0
 ip helper-address <DHCP_Server_IP_address>
 ip helper-address <Cisco_ISE_IP_address>

Maybe you could use Network Device Groups here?

You create an NDG for 'medical' switches and then use that in your authorization policy.

IF (device=medical) AND (user = AD group XX) THEN (vlan 'medical')

And if they don't match that one they get a 'normal' on the next line.

IF  (any) AND (user = AD group XX) THEN (vlan 'normal')

If you use Policy Sets you can use different policies for different NDGs, which might be easier if the policy gets large.

Cheers

+5 for michael,

Also if you are using ISE 1.2 you have the ability to run policy sets. In each policy set you can break apart the sets based on location and then use your conditions to map to the authorization profile you want.

Thanks,

Tarik Admani
*Please rate helpful posts*
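The two replies above describe the same mechanism from two angles: an ordered authorization policy where a location-specific rule (NDG = medical AND AD group) sits above a generic fallback for the same group, and policy sets that pick a rule list per location first. The model below is an added illustration of that first-match logic, written for this page; it is not ISE code and not from Cisco. Switch names, NDG names, VLAN names and AD group names are constructed assumptions. It also encodes the failure mode from the original question (ISE returns a VLAN name the switch never defined, so the port gets nothing) and includes a small pre-deployment audit that catches it before users do.

```python
"""Added illustration (not ISE code): first-match authorization with
Network Device Group (NDG) location and AD group as conditions, the same
rules arranged as per-location policy sets, and an audit that every VLAN
*name* a rule can return is defined on every switch that rule can fire on.
All switch, NDG, VLAN and AD group names below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: VLAN names defined on each access switch ('vlan <n>' / 'name <NAME>').
SWITCH_VLANS = {
    "med-bldg-sw1": {"ACCESS", "VOICE", "MEDICAL"},
    "library-sw1": {"ACCESS", "VOICE"},
}
# Constructed: NDG location each switch belongs to.
SWITCH_NDG = {"med-bldg-sw1": "Medical", "library-sw1": "Library"}


@dataclass(frozen=True)
class Rule:
    name: str
    vlan: str                       # VLAN name carried in the authorization profile
    ad_group: Optional[str] = None  # None = any authenticated user
    ndg: Optional[str] = None       # None = any device location


def matches(rule: Rule, user_groups: set, location: str) -> bool:
    """Every condition set on the rule must hold; unset conditions are wildcards."""
    if rule.ad_group is not None and rule.ad_group not in user_groups:
        return False
    if rule.ndg is not None and rule.ndg != location:
        return False
    return True


def authorize(rules, user_groups, switch) -> Optional[Rule]:
    """ISE-style evaluation: top to bottom, first matching rule wins, else reject."""
    location = SWITCH_NDG[switch]
    return next((r for r in rules if matches(r, user_groups, location)), None)


def outcome(rules, user_groups, switch) -> str:
    """What the port ends up with: the VLAN name if the switch defines it,
    'NO-ACCESS' if ISE returned a VLAN name the switch does not have (the
    symptom in the question), or 'REJECT' if no rule matched at all."""
    rule = authorize(rules, user_groups, switch)
    if rule is None:
        return "REJECT"
    return rule.vlan if rule.vlan in SWITCH_VLANS[switch] else "NO-ACCESS"


def audit(rules):
    """Pre-deployment check: for every switch a rule can fire on, the VLAN
    name it returns must exist there. Returns (rule, switch, vlan) tuples."""
    return [
        (r.name, sw, r.vlan)
        for r in rules
        for sw, loc in SWITCH_NDG.items()
        if (r.ndg is None or r.ndg == loc) and r.vlan not in SWITCH_VLANS[sw]
    ]


# Ordering from the NDG reply: location-bound rule first, generic fallback below it.
MEDICAL_RULES = [
    Rule("Medical-on-site", vlan="MEDICAL", ad_group="Medical", ndg="Medical"),
    Rule("Medical-elsewhere", vlan="ACCESS", ad_group="Medical"),
    Rule("Staff-anywhere", vlan="ACCESS", ad_group="Staff"),
]

# The same intent as policy sets: the first set whose NDG condition matches the
# switch is selected, and only that set's rules are evaluated.
POLICY_SETS = [
    ("Medical-buildings", "Medical", [MEDICAL_RULES[0],
                                      Rule("Staff-medbldg", vlan="ACCESS", ad_group="Staff")]),
    ("Default", None, [Rule("Staff-default", vlan="ACCESS", ad_group="Staff")]),
]


def outcome_with_sets(policy_sets, user_groups, switch) -> str:
    """Select the policy set by NDG first, then first-match inside it."""
    location = SWITCH_NDG[switch]
    for _name, ndg, rules in policy_sets:
        if ndg is None or ndg == location:
            return outcome(rules, user_groups, switch)
    return "REJECT"


if __name__ == "__main__":
    medic = {"Medical", "Staff"}
    for sw in SWITCH_NDG:
        print(sw, outcome(MEDICAL_RULES, medic, sw), outcome_with_sets(POLICY_SETS, medic, sw))
    print("audit:", audit(MEDICAL_RULES))
```

Two things worth trying with it: reverse MEDICAL_RULES and the generic Staff rule shadows the medical one everywhere, which is the rule-ordering mistake the NDG reply is warning about; and drop the `ndg` condition from the medical rule and the audit immediately flags library-sw1, because a medical user there would be handed a VLAN name the switch cannot map.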
