New Member

Using ISE to dynamically VLAN change

Hello all,

I need some help to dynamically change the VLAN on each port of my Catalyst 3560. To do this, I don't want to use MAC address filtering; I want to use conditions already in place in my ISE to switch a port between two VLANs (Guest and Corporate), where one gives access to the corporate LAN and the other to the Internet without LAN access.

Maybe some of you could have some ideas on how to do this with, or maybe without, the use of VLANs?

PS: Sorry for my bad English, I'm not a native English speaker ;)

Thank you in advance.

2 ACCEPTED SOLUTIONS

Cisco Employee

I do not get exactly what you are looking for, but still:

The two kinds of access you are anticipating can be achieved either way:

Change of VLAN: as explained by you, you need to create two different authorization policies according to the (AD) group the users belong to (e.g. employee or guest).

dACL: You can push a downloadable ACL to the switch as per user membership in AD.

Let me know if you need help from a design or configuration point of view.

Cisco Employee

You can apply a VLAN change in any of your authorization profiles. Just keep in mind that devices without a supplicant (printers, cameras, etc.) are not good candidates, as they might not know that you changed their VLAN and thus will not request a new IP address.

With that being said, you can use dACLs to restrict access. You can refer to the following document: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-41-Guest_Services.pdf

Thank you for rating helpful posts!
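
On the wire, the two options in the accepted answers are RADIUS attributes in the Access-Accept that ISE returns: the VLAN travels in the RFC 3580 tunnel attributes and the dACL name in a Cisco AV pair. The decoder below is an added example, not part of the original thread, for checking what a captured Access-Accept tells the switch to apply; the sample packet, VLAN name and dACL name are constructed.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID, VENDOR_SPECIFIC = 64, 65, 81, 26
VLAN, IEEE_802, CISCO, CISCO_AVPAIR = 13, 6, 9, 1
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def build_accept(vlan, dacl=None):
    """Constructed sample Access-Accept (code 2); authenticator zeroed, not a capture."""
    body = attr(TUNNEL_TYPE, b"\x01" + VLAN.to_bytes(3, "big"))
    body += attr(TUNNEL_MEDIUM, b"\x01" + IEEE_802.to_bytes(3, "big"))
    body += attr(TUNNEL_PGID, b"\x01" + vlan.encode())
    if dacl:
        pair = (DACL_PREFIX + dacl).encode()
        body += attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO, CISCO_AVPAIR, len(pair) + 2) + pair)
    return struct.pack("!BBH16s", 2, 1, 20 + len(body), bytes(16)) + body

def decode_authz(packet):
    """Return the VLAN and dACL name an Access-Accept asks the switch to apply."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length > len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    seen, out, pos = {}, {"vlan": None, "dacl": None}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        val = packet[pos + 2:pos + alen]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(val) == 4:
            seen[t] = int.from_bytes(val[1:], "big")       # skip the tag byte
        elif t == TUNNEL_PGID and val:
            # RFC 2868: a first byte <= 0x1F is a tag, otherwise it is part of the string
            seen[t] = (val[1:] if val[0] <= 0x1F else val).decode()
        elif t == VENDOR_SPECIFIC and len(val) > 6 and val[:5] == struct.pack("!IB", CISCO, CISCO_AVPAIR):
            pair = val[6:].decode()
            if pair.startswith(DACL_PREFIX):
                out["dacl"] = pair[len(DACL_PREFIX):]
        pos += alen
    # The VLAN only counts when Tunnel-Type and Tunnel-Medium-Type say "VLAN over 802"
    if seen.get(TUNNEL_TYPE) == VLAN and seen.get(TUNNEL_MEDIUM) == IEEE_802:
        out["vlan"] = seen.get(TUNNEL_PGID)
    return out
```

An Access-Accept that decodes to a VLAN of `None` carries no complete VLAN assignment, so the port stays in its configured access VLAN.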

 

 

7 REPLIES

New Member

Thanks for your answer. I also saw this morning the possibility to use this command: "authentication event fail action authorize vlan <my_guest_VLAN>", but it actually doesn't work. I'm very interested in dACLs, but I don't understand how they can make each port of my 3560 switch to either VLAN Corp. or VLAN Guest. I will look in this direction.

Thanks!


New Member

Thanks for your answer.

The aim is to "detect" if the device is a corporate device and, if it is not, it will be automatically put in the Guest VLAN. The user can't log in to a Web Portal or other; it's just the profiling of the device which determines its VLAN assignment.

Silver

Well, you can easily accomplish this with ISE and push the dACL based on the user authentication, since you only want that when the user is unable to authenticate he should be given the guest VLAN and otherwise the corporate VLAN. But I would suggest you check the Cisco ISE guest services feature; it's exactly what you want to deploy, and more.

Do check the Cisco how-to guides for the exact step-by-step configuration.

 
