Cisco Support Community
'secondary' vlan names in ISE

I am planning wired ISE for a large university network where authenticated users will be assigned to a default data VLAN by default.

There are a few departments across the university that will require their own VLANs, usually in specific locations.

example:

'medical' VLAN name is configured on access switches in a medical building, so any users in the medical group will be placed in a medical VLAN on successful authentication, so they can access sensitive information.

However, if those users go to other locations, where 'medical' is not configured on the access switches, they will get no network access at all.

I would like ISE to offer a 'secondary' option of the 'default data' VLAN, so the authenticated user can still access core college resources + www wherever they are, even if they are not able to access specific 'medical' resources.

thanks

3 REPLIES

'secondary' vlan names in ISE

Define VLANs Based on Enforcement States

Use the following command lines to define the VLAN names, numbers, and SVIs based on known enforcement states in your network. Create the respective VLAN interfaces to enable routing between networks. This can be especially helpful to handle multiple sources of traffic passing over the same network segments: traffic from both PCs and the IP phone through which the PC is connected to the network, for example.

Note: The first IP helper goes to the DHCP server and the second IP helper sends a copy of the DHCP request to the inline posture node for profiling.

    vlan <VLAN_number>
     name ACCESS
    !
    vlan <VLAN_number>
     name VOICE
    !
    interface Vlan<VLAN_number>
     description ACCESS
     ip address 10.1.2.3 255.255.255.0
     ip helper-address <DHCP_Server_IP_address>
     ip helper-address <Cisco_ISE_IP_address>
    !
    interface Vlan<VLAN_number>
     description VOICE
     ip address 10.2.3.4 255.255.255.0
     ip helper-address <DHCP_Server_IP_address>
     ip helper-address <Cisco_ISE_IP_address>


Re: 'secondary' vlan names in ISE

Maybe you could use Network Device Groups here?

You create an NDG for 'medical' switches and then use that in your authorization policy.

IF (device = medical) AND (user = AD group XX) THEN (vlan 'medical')

And if they don't match that one, they get 'normal' on the next line.

IF (any) AND (user = AD group XX) THEN (vlan 'normal')

If you use Policy Sets you can use different policies for different NDGs, which might be easier if the policy gets large.

Cheers

'secondary' vlan names in ISE

+5 for Michael.

Also, if you are using ISE 1.2 you have the ability to run policy sets. In each policy set you can break apart the sets based on location and then use your conditions to map to the authorization profile you want.

Thanks,

Tarik Admani
*Please rate helpful posts*

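To make the two suggestions above concrete, here is an added example (not code from the thread, from Michael or Tarik, or from Cisco) that models how ISE evaluates policy sets and authorization rules top-down with first match winning, returns the RFC 2868 tunnel attributes an ISE authorization profile sends for a named-VLAN assignment, and then checks whether the switch actually carries a VLAN with that name. It compares Michael's ordered two-rule policy, the same two rules in the wrong order, Tarik's per-location policy set, and the original single-rule design that leaves medical users with no access outside the medical building. The NDG value 'Location:Medical', the AD group names 'Medical-Staff' and 'Staff', the VLAN names and the switch VLAN tables are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# RADIUS tunnel attributes ISE sends for a VLAN authorization profile (RFC 2868).
# The switch resolves Tunnel-Private-Group-ID (a VLAN name) against its local VLAN table.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


@dataclass(frozen=True)
class Request:
    user: str
    ad_groups: frozenset      # AD groups the authenticated user belongs to
    ndg_location: str         # NDG "Location" of the switch (NAS) the user plugged into


@dataclass(frozen=True)
class Rule:
    name: str
    ndg_location: Optional[str]   # None = any network device
    ad_group: Optional[str]       # None = any authenticated user
    vlan_name: str                # Tunnel-Private-Group-ID in the authorization profile

    def matches(self, req: Request) -> bool:
        return (self.ndg_location in (None, req.ndg_location)
                and (self.ad_group is None or self.ad_group in req.ad_groups))


@dataclass(frozen=True)
class PolicySet:
    name: str
    ndg_location: Optional[str]   # policy-set condition; None = the default set
    rules: tuple


def select_policy_set(policy_sets, req):
    """Policy sets are evaluated top-down; the default set (no condition) matches anything."""
    for ps in policy_sets:
        if ps.ndg_location in (None, req.ndg_location):
            return ps
    return None


def authorize(policy_sets, req):
    """First matching rule wins. No match at all means access is rejected (None)."""
    ps = select_policy_set(policy_sets, req)
    if ps is None:
        return None
    for rule in ps.rules:
        if rule.matches(req):
            return {"policy_set": ps.name, "rule": rule.name,
                    "Tunnel-Type": TUNNEL_TYPE_VLAN,
                    "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                    "Tunnel-Private-Group-ID": rule.vlan_name}
    return None


def switch_honours(switch_vlans, attrs):
    """A switch can only apply a named VLAN it has locally; otherwise the port stays
    unauthorized, which is exactly the 'no network access at all' case in the question."""
    return attrs is not None and attrs["Tunnel-Private-Group-ID"] in switch_vlans


def assigned_vlan(policy_sets, req):
    attrs = authorize(policy_sets, req)
    return None if attrs is None else attrs["Tunnel-Private-Group-ID"]


# Constructed rules: NDG 'Location:Medical', AD groups 'Medical-Staff' and 'Staff'.
MEDICAL_RULE = Rule("Medical staff in medical building", "Location:Medical", "Medical-Staff", "medical")
CATCH_ALL = Rule("Any staff, any location", None, "Staff", "normal")

# Michael's answer: the specific NDG rule above the catch-all in one policy.
ORDERED = (PolicySet("Default", None, (MEDICAL_RULE, CATCH_ALL)),)
# Same rules, wrong order: the catch-all shadows the medical rule everywhere.
SHADOWED = (PolicySet("Default", None, (CATCH_ALL, MEDICAL_RULE)),)
# Tarik's answer: a policy set per location, then the default set.
PER_LOCATION = (PolicySet("Medical building", "Location:Medical", (MEDICAL_RULE, CATCH_ALL)),
                PolicySet("Default", None, (CATCH_ALL,)))
# The original design: one rule with no device condition.
NO_NDG = (PolicySet("Default", None, (Rule("Medical staff", None, "Medical-Staff", "medical"),)),)

# Constructed switch VLAN tables: only the medical building carries 'medical'.
MEDICAL_SWITCH = frozenset({"medical", "normal", "voice"})
LIBRARY_SWITCH = frozenset({"normal", "voice"})

ALICE_AT_MEDICAL = Request("alice", frozenset({"Medical-Staff", "Staff"}), "Location:Medical")
ALICE_AT_LIBRARY = Request("alice", frozenset({"Medical-Staff", "Staff"}), "Location:Library")

if __name__ == "__main__":
    for label, ps in (("ordered", ORDERED), ("shadowed", SHADOWED),
                      ("per-location", PER_LOCATION), ("no NDG", NO_NDG)):
        for req, vlans in ((ALICE_AT_MEDICAL, MEDICAL_SWITCH), (ALICE_AT_LIBRARY, LIBRARY_SWITCH)):
            attrs = authorize(ps, req)
            print(f"{label:13} {req.ndg_location:17} vlan={assigned_vlan(ps, req)!s:8} "
                  f"port authorized={switch_honours(vlans, attrs)}")
```

The point the output makes: with the single no-NDG rule, alice in the library is sent 'medical', the library switch has no such VLAN, and the port is never authorized; with either the ordered rules or the per-location policy set she lands in 'normal' there and in 'medical' in the medical building. The shadowed ordering silently puts her in 'normal' everywhere, so rule order (or a dedicated policy set) is what actually delivers the 'secondary' VLAN behaviour asked for.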