dynamic vlan assignment ise

integrating IT

ISE Dynamic VLAN assignment

Dynamic VLAN assignment by a RADIUS server (e.g. Cisco ISE) can be useful when you want to assign a specific VLAN to a user or group of users. In order to achieve this the VLANS configured on the switches must be configured with a name, this name must be consistent across multiple switches. However the VLAN number does not necessarily need to be the same across the switches.The scenario in this blog post will simply define 2 VLANS (ADMIN and USERS), members of the AD group Domain Admins will be assigned to a VLAN called ADMIN and members of the AD group Domain Users will be assigned to a VLAN called USERS.

The configuration of ISE in this post only describes the steps in order to configure Dynamic VLAN assignment. Refer to this previous post on how to configure Cisco ISE for 802.1x authentication.

Switch Configuration

Configure the name on the VLANS. These names must match the name specified in the Authorisation Profile on ISE.

ISE Configuration

Authorisation profiles.

• Navigate to Policy > Policy Elements > Results > Authorisation > Authorisation Profiles
• Create a new Authorisation Profile and name appropriately e.g VLAN_ADMIN
• Under the Common Tasks section, tick VLAN
• Enter the ID/Name of the Admin VLAN as ADMIN

• Repeat the task and create another Authorisation Profile for the Standard Users e.g VLAN_USERS
• Enter the correct ID/Name as USERS

Authorisation Policy

• Navigate to Policy > Policy Set
• Modify an existing Policy Set used for 802.1x
• Ensure there are different Authorization Policy rules, for Admin Users and another for Standard Users
• Assign the VLAN_ADMIN Authorisation Profile to the Admin rule Profiles
• Assign the VLAN_USERS Authorisation Profile to the Standard Users rule Profiles
• Save the policy

Verification

Before logging in as a user, confirm the configuration of the interface the test computer is plugged into. Notice the VLAN is set to VLAN 10.

• Running the command show authentication sessions interface fastethernet 0/3 confirm the computer has a valid IP address in VLAN 10. Notice under Vlan Policy N/A, this means this interface was not dynamically assigned a VLAN.    

Login as a user that is a member of the AD group Domain Users.

• Run the command show authentication sessions interface fastethernet 0/3
• Compare the output this time with above. Notice the computer now has an IP address from the VLAN 11 DHCP Pool and Vlan Policy = 11, this confirms the computer has dynamically been assigned to VLAN 11.

• Run the command debug radius whilst the users is logging on
• You can confirm the VLAN name being returned by successful authorisation by the RADIUS server by the presence of Tunnel-Private-Group .

Logoff and log back in as a user in the Domain Admins AD group.

• Compare the output this time with above. Notice the computer now has an IP address from the VLAN 12 DHCP Pool and Vlan Policy = 12

• Running the command debug radius confirms the correct VLAN name ADMIN was sent by the RADIUS server.

Share this:

• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on LinkedIn (Opens in new window)

Published by integratingit

View all posts by integratingit

3 thoughts on “ ISE Dynamic VLAN assignment ”

• Pingback: Initial Cisco ISE Configuration – integrating IT

Hi it is cool . What happend if some device has IP fix

If the device has a static IP address and is moved to a different VLAN, the user will not be able to communicate. It will only work if using DHCP.

Leave a comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed .

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

The Cisco Learning Network

Vasco F Costa asked a question.

Scrambled a file with the configs that I use to have dynamic vlan assigned by my radius server (ISE).

(apologies for such a raw presentation)

• Show more actions
• Enterprise Certifications Community

Vasco F Costa

Just concluded the dynamic vlan authentication with flexconnect.

In the ISE, the config is the same as demonstrated in the pptx file.

I didn't use my ipv6 only network because their not supported in local switch mode:

Cisco Wireless LAN Controller IPv6 Deployment Guide, CUWN Release 8.0 - Cisco

IPV6 and IPv4 are supported on the Flex Connect APs in the Centrally switched mode only. In the Locally switched mode, IPv4 clients work as before with no issues.

wired infrastructure:

For my flexconnect site, I have a l3 switch directly connected to my OSPF area 0.

FLEXRemoto#sh ip route

O E2 192.168.29.0/24 [110/20] via 10.1.1.1, 00:31:00, Vlan1

C    192.168.183.0/24 is directly connected, Vlan803 

C    192.168.182.0/24 is directly connected, Vlan802

C    192.168.181.0/24 is directly connected, Vlan801

C    192.168.180.0/24 is directly connected, Vlan800

O E2 192.168.111.0/24 [110/20] via 10.1.1.1, 00:31:00, Vlan1

O E2 192.168.201.0/24 [110/20] via 10.1.1.2, 01:31:36, Vlan1

O E2 192.168.202.0/24 [110/20] via 10.1.1.1, 00:31:00, Vlan1

     10.0.0.0/24 is subnetted, 1 subnets

C       10.1.1.0 is directly connected, Vlan1

O E2 192.168.112.0/24 [110/20] via 10.1.1.1, 01:31:36, Vlan1

O E2 192.168.220.0/24 [110/20] via 10.1.1.2, 01:31:36, Vlan1

O E2 192.168.101.0/24 [110/20] via 10.1.1.1, 01:31:36, Vlan1

S*   0.0.0.0/0 [1/0] via 10.1.1.1

O E2 192.168.180.0/23 [110/20] via 10.1.1.1, 00:31:00, Vlan1

switch port where the AP is connected is in trunk mode:

interface FastEthernet0/2

description ->AP Flex

switchport trunk encapsulation dot1q

switchport trunk native vlan 800

switchport mode trunk

spanning-tree portfast

wlan config

- created an wlan "flexdot1x" and assigned to the management interface of the WLC

- for security; it's the same dot1x authentication as I demonstrate in the pptx file.

- advanced tab; clicked on "Allow AAA override"; "Flexconnect Local Switching" and "VLAN based central switching"

- set operation mode as "flexconnect"

- in the "flexconnect" tab; clicked "vlan support" and set native vlan to 800

Flexconnect Group

- created a group

- added the AP to that group

- "ACL mapping" tab -> "AAA VLAN-ACL mapping". Add the same dot1x authenticated vlans (601; 630 and 640). both ingress and egress acl fields were left as "none"

- WLAN VLAN mapping tab; assigned the flexdot1x ssid to vlan 802

Related Questions

Trending articles.

• Cisco Packet Tracer: Software de Simulación para Redes
• 200-301 CCNA Study Materials
• Packet Tracer Labs
• CCIE/CCDE: Book your Lab/Practical Exam
• Continuing Education Credits Automation

If you encounter a technical issue on the site, please open a support case .

Communities: Chinese | Japanese | Korean

Cisco.com © Copyright 2024 Cisco, Inc. All Rights Reserved. Privacy Statement Terms & Conditions Cookie Policy Trademarks

Technology and life with Eyvonne Sharp

Configuring Cisco FlexConnect AP to Support Dynamic VLAN Assignment with ISE

August 17, 2013 By Eyvonne 4 Comments

I am in the middle of an ISE proof of concept and have been running the product through its paces. Since nearly all of my access points are in FlexConnect mode (formerly known as H-REAP), they require additional configuration to allow dynamic VLAN assignment with ISE. FlexConnect supports local switching which allows you to map a local VLAN ID from the AP’s switch to an SSID instead of tunneling all traffic back to the Wireless LAN Controller to be switched centrally.

In order to dynamically assign a VLAN ID with an ISE authorization profile, the VLAN must exist on the access point. FlexConnect Groups accomplish this task.

From the Wireless menu, select FlexConnect Groups and click the New button. Once you create the group, click the group name to open the edit menu (seen below). On the General tab, add the access points to the FlexConnect group. To add the VLAN ID, select the ACL Mapping tab and then the “AAA VLAN-ACL mapping” tab. Enter the VLAN ID and select the ingress and egress ACLs. In my case, I selected “none”. Click Add and then Apply.

Your VLAN ID’s have been added to your access point and can be assigned with an ISE authorization policy.

For more information see Cisco documentation

Share this:

February 10, 2014 at 9:41 am

Just what I was looking for! Thanks!

November 12, 2014 at 11:07 am

Man, I was looking for this and had problems achieving it, thank you so much. Now I have clients in the correct Vlans

November 1, 2018 at 11:36 am

Thanks a lot for sharing this information.

March 6, 2023 at 6:47 am

It works for me for WLC 5520 v8.5.135.0 but it is not working on 8.10.130.0

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Notify me of follow-up comments by email.

Notify me of new posts by email.

• Community Home
• Topic Thread

Wired Intelligent Edge

• Discussion 39.2K
• Members 1.9K

Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

1.  dynamic vlan assignment /dacl's with cisco ise and arubaos-switch.

Hi Created,

This guide below is how to set up DACL's and how to dynamically assign a vlan to a device connecting to the network.

Attachment(s)

New Best Answer

• Environmental Citizenship
• Support Services
• Contact Support
• Training & Certification
• Software Downloads
• Licensing Login
• Find a Partner
• Become a Partner
• Partner Ready for Networking
• Technology Partner Programs
• Privacy policy
• Terms of service

© Copyright 2024 Hewlett Packard Enterprise Development LP All Rights Reserved.

• Support Forum
• Customer Service
• FortiClient
• FortiAnalyzer
• FortiAuthenticator
• FortiBridge
• FortiCarrier
• FortiConnect
• FortiConverter
• FortiDeceptor
• FortiDevSec
• FortiDirector
• FortiExtender
• FortiGate Cloud
• FortiHypervisor
• FortiInsight
• FortiIsolator
• FortiManager
• FortiMonitor
• FortiNDR (on-premise)
• FortiNDRCloud
• FortiPortal
• FortiRecorder
• FortiSandbox
• FortiSwitch
• FortiTester
• Wireless Controller
• RMA Information and Announcements
• FortiCloud Products
• 4D Documents
• Engage Services
• The EPSP Platform
• The ETSP Platform
• Discussions
• Technical Learning
• Knowledge Base
• Idea Exchange
• Announcements
• Fortinet Community
• Re: Dynamic vlan assignment with Cisco ISE
• Subscribe to RSS Feed
• Mark Topic as New
• Mark Topic as Read
• Float this Topic for Current User
• Printer Friendly Page

Created on ‎10-16-2023 04:04 PM

• Mark as New
• Report Inappropriate Content

Dynamic vlan assignment with Cisco ISE

• All forum topics
• Previous Topic

Created on ‎10-17-2023 12:54 AM

Created on ‎10-17-2023 05:11 PM

Created on ‎10-18-2023 12:48 AM

Created on ‎10-24-2023 01:10 PM Edited on ‎10-24-2023 01:10 PM

• Which Firewall of Fortigate help me... 170 Views
• Port-Based 802.1x Security Policy and IP... 722 Views
• ipsec problem 1194 Views
• 802.1x dynamic vlan assignment in fortilink 290 Views
• FortiAP Dynamic vlan not working with... 680 Views
• Alphabetical
• FortiGate 6,503
• FortiClient 1,299
• FortiManager 563
• FortiAnalyzer 413
• FortiAP 333
• FortiSwitch 332
• FortiClient EMS 261
• FortiMail 239
• FortiAuthenticator v5.5 234
• FortiWeb 149
• FortiNAC 106
• FortiGuard 102
• FortiGateCloud 87
• FortiSIEM 86
• FortiCloud Products 82
• FortiToken 69
• Customer Service 69
• Wireless Controller 58
• FortiProxy 44
• FortiADC 42
• Fortivoice 41
• FortiEDR 39
• FortiGate v5.4 34
• FortiDNS 34
• FortiExtender 31
• FortiSandbox 31
• FortiSwitch v6.4 28
• FortiConnect 23
• FortiWAN 22
• Firewall policy 22
• FortiConverter 21
• High Availability 20
• FortiPortal 18
• FortiSwitch v6.2 16
• FortiGate v5.2 16
• FortiMonitor 14
• Certificate 14
• FortiDDoS 13
• FortiCASB 12
• Interface 11
• FortiGate v5.0 10
• FortiAuthenticator 10
• FortiRecorder 10
• FortiWeb v5.0 9
• FortiManager v5.0 9
• Virtual IP 9
• Traffic shaping 8
• RMA Information and Announcements 7
• FortiSOAR 7
• fortilink 7
• FortiAnalyzer v5.0 7
• FortiGate v4.0 MR3 7
• SSL SSH inspection 6
• Authentication 6
• Fortigate Cloud 6
• IP address management - IPAM 6
• Security profile 5
• Traffic shaping policy 5
• FortiBridge 5
• Application control 5
• FortiManager v4.0 5
• Static route 5
• FortiDirector 4
• WAN optimization 4
• Web application firewall profile 4
• DNS Filter 4
• FortiTester 4
• FortiCarrier 4
• FortiCache 4
• FortiScan 4
• Proxy policy 4
• IPS signature 3
• packet capture 3
• FortiToken Cloud 3
• FortiAP profile 3
• Intrusion prevention 3
• Automation 3
• DoS policy 3
• Port policy 3
• FortiDeceptor 2
• FortiInsight 2
• NAC policy 2
• VoIP profile 2
• Antivirus profile 2
• Web profile 2
• Traffic shaping profile 2
• FortiHypervisor 2
• Fortinet Engage Partner Program 2
• SDN connector 1
• Subscription Renewal Policy 1
• Web rating 1
• Application signature 1
• Multicast routing 1
• Authentication rule and scheme 1
• FortiManager-VM 1
• Internet Service Database 1
• System settings 1
• Explicit proxy 1

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

• Threat Research
• FortiGuard Labs
• Threat Briefs
• Getting Started Resources
• Security Fabric
• Certifications
• Industry Awards
• Social Responsibility
• News Releases
• News Articles

Copyright 2024 Fortinet, Inc. All Rights Reserved.

• Terms of Service
• Privacy Policy
• Cookie Settings

Dynamic VLAN Assignment: Wireless

Dynamic VLAN Assignment

Objective: To dynamically Assign Wireless User to VLAN based on user credentials. This type of setup is called “Dynamic VLAN Assignment”

Description:  Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as Cisco Secure ACS. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

Related- Cisco ACS vs ISE Comparison

Therefore, when a client attempts to associate to a LAP registered with a controller, the LAP passes the credentials of the user to the RADIUS server for validation. Once the authentication is successful, the RADIUS server passes certain Internet Engineering Task Force (IETF) attributes to the user. These RADIUS attributes decide the VLAN ID that should be assigned to the wireless client. The SSID ( WLAN , in terms of WLC) of the client does not matter because the user is always assigned to this predetermined VLAN ID.

WLC Configuration

This configuration requires these steps:

Configure the WLC with the Details of the Authentication Server

• Configure the Dynamic Interfaces (VLANs)
• Configure the WLANs ( SSID )

It is necessary to configure the WLC so it can communicate with the RADIUS server to authenticate the clients, and also for any other transactions.

Complete these steps:

• From the controller GUI, click  Security .
• Enter the IP address of the RADIUS server and the Shared Secret key used between the RADIUS server and the WLC.

This Shared Secret key should be the same as the one configured in the RADIUS server under Network Configuration > AAA Clients > Add Entry. Here is an example window from the WLC:

Configure the Dynamic VLAN (Interfaces)

This procedure explains how to configure dynamic interfaces on the WLC. As explained earlier in this document, the VLAN ID specified under the Tunnel-Private-Group ID attribute of the RADIUS server must also exist in the WLC.

In the example, the user1 is specified with the  Tunnel-Private-Group ID of 10 (VLAN =10)  on the RADIUS server.

You can see the same dynamic interface (VLAN=10) configured in the WLC in this example. From the controller GUI, under the Controller > Interfaces window, the dynamic interface is configured.

• Click  Apply  on this window.

This takes you to the Edit window of this dynamic interface (VLAN 10 here).

Enter the IP Address and default Gateway of this dynamic interface

Note:  Because this document uses an internal DHCP server on the controller, the primary DHCP server field of this window points to the Management Interface of the WLC itself. You can also use an external DHCP server, a router, or the RADIUS server itself as a DHCP server to the wireless clients. In such cases, the primary DHCP server field points to the IP address of that device used as the DHCP server. Refer to your DHCP server documentation for more information.

• Click  Apply .

Now you are configured with a dynamic interface in your WLC. Similarly, you can configure several dynamic interfaces in your WLC. However, remember that the same VLAN ID must also exist in the RADIUS server for that particular VLAN to be assigned to the client.

Configure the WLANs (SSID)

This procedure explains how to configure the WLANs in the WLC.

• From the controller GUI, choose  WLANs > New  in order to create a new WLAN.

The New WLANs window is displayed.

• Enter the WLAN ID and WLAN SSID information.

You can enter any name to be the WLAN SSID. This example uses VLAN10 as the WLAN SSID.

• Click  Apply  in order to go to the Edit window of the WLAN SSID10.

Normally, in a wireless LAN controller, each WLAN is mapped to a specific VLAN (SSID) so that a particular user that belongs to that WLAN is put into the specific VLAN mapped. This mapping is normally done under the Interface Name field of the WLAN SSID window.

In the example provided, it is the job of the RADIUS server to assign a wireless client to a specific VLAN upon successful authentication. The WLANs need not be mapped to a specific dynamic interface on the WLC. Or, even though the WLAN to dynamic interface mapping is done on the WLC, the RADIUS server overrides this mapping and assigns the user that comes through that WLAN to the VLAN specified under the user  Tunnel-Group-Private-ID  field in the RADIUS server.

• Check the  Allow AAA Override  check box in order to override the WLC configurations by the RADIUS server.
• Enable the Allow AAA Override in the controller for each WLAN (SSID) configured.

When AAA Override is enabled, and a client has AAA and controller WLAN authentication parameters that conflict, client authentication is performed by the AAA (RADIUS) server. As part of this authentication, the operating system moves clients to a VLAN returned by the AAA server. This is predefined in the controller interface configuration.

For instance, if the corporate WLAN primarily uses a Management Interface assigned to VLAN 2, and if the AAA Override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100 even if the physical port to which VLAN 100 is assigned. When AAA Override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLAN does not contain any client-specific authentication parameters.

Continue Reading:

CONFIGURE INTERFACES ON WIRELESS CONTROLLER 5508

Wireless Interview Questions

ABOUT THE AUTHOR

I am here to share my knowledge and experience in the field of networking with the goal being – “The more you share, the more you learn.”

I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.

I am a strong believer of the fact that “learning is a constant process of discovering yourself.” – Rashmi Bhardwaj (Author/Editor)

Related Posts

Offshore Software Development Rates by Country: The Essential Guide to IT Business

Benefits of SFP Transceivers

Leave a Comment Cancel Reply

Your email address will not be published. Required fields are marked *