Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAC L2 802.1X and vlan assignment

I would like to know if I am understanding the vlan assignment in NAC L2 802.1X correctly.

As i understand it, once a client has been assigned a "healthy" posture token, they will be put in the "healthy" vlan. Does this mean that every "healthy" user on the same Layer 2 switch has to be in the same VLAN?

For argument sake, lets I have 3 departmental vlans on my switch (besides the normal NAC vlans: Healthy, Transition, Quarantine etc...)

VLAN 10: Finance

VLAN 20: Engineering

VLAN 30: Admin

Once a client has been posture-validated, assigned a "healthy" token, and pushed into the "Healthy" vlan, can they still be assigned to the correct departmental vlan?

3 REPLIES
New Member

Re: NAC L2 802.1X and vlan assignment

It would seem there is a simple solution to this. Just configure ACS not to send av-pair 81 (VLAN ID) if the "healthy" posture token is granted. That way the port remains in the VLAN for which it is statically configured.

I imagine another solution would be to configure per-group "Healthy" RAC's.

Cisco Employee

Re: NAC L2 802.1X and vlan assignment

Exactly. The architecture should be comletely flexible in this regard. If you don't need to do VLAN assignment for "healthy machines" (or any others for that matter), don't enable it ;-).

You should be able to do virtually any combination as a matter of configured policy. Here's an example:

No VLAN (just assume what's configured on the port)

VLAN 10: Finance

VLAN 11: Finance-Healthy

VLAN 12: Finance-Quarantine

VLAN 20: Engineering

VLAN 21: Engineering-Healthy

VLAN 22: Engineering-Quarantine

VLAN 30: Admin

VLAN 31: Admin-Healthy

VLAN 32: Admin-Quarantine

VLAN 40: Healthy

VLAN 50: Quarantine

You may NOT want to do VLAN assignment at all (for example) if you plan on the majority of your infrastructure being classified as healthy at least most of this time, and/or that you may not be ready yet to split up subnets by dept. (from the preceeding example).

Hope this helps,

New Member

Re: NAC L2 802.1X and vlan assignment

Thanks.

111
Views
0
Helpful
3
Replies
CreatePlease login to create content