nabz0r, Veteran, posted January 23, 2018 (https://www.neowin.net/forum/topic/1354172-dynamic-vlan-assignment-with-radius/)

Is it possible for a RADIUS server to assign a VLAN dynamically on a switch port that is on a dummy VLAN before it gets authenticated? What I mean is: if a domain PC connects to a switch port, assign VLAN 3180-3189 (these are client VLANs); if it is a printer, assign it to VLAN 3017; and if it is a guest user, assign it to the guest VLAN and send it to a web portal for registration. Is this even possible, or am I thinking way out of the box?
BudMan, MVC, posted January 24, 2018

There are many ways to assign a VLAN based upon criteria: MAC, auth to RADIUS, sure.. What switch(es) do you have? Your $30 smart switch is not going to be able to do this sort of thing. Sounds like you're wanting to implement a NAC... Check out https://packetfence.org/ If you're a Cisco shop it would be ISE.. But not free: https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
nabz0r, Veteran (author), posted January 24, 2018

Great, then what I am trying to do will work somehow. Haha, my switch cost almost $1000. I am going to use ISE, and what I want to do is: dot1x and MAB, but if the user is not found in the AD or ISE DB, they should be redirected to a guest web portal for registration. Now, when I assign the port to a specific VLAN for dot1x it works fine, i.e. the client VLAN, but it will not change the VLAN to the guest VLAN after the registration is done. So now I want to assign all ports to a dummy VLAN, i.e. 999, and after the switch port is authenticated for domain PCs it should move them to the client VLAN, and the same for the printer VLAN. Guests should be moved from the dummy VLAN to the guest VLAN after the registration is done.
BudMan, MVC, posted January 24, 2018

This is a common setup where the device gets dumped into a restricted VLAN until it auths in some manner; filling out info in a captive portal could sure be one of those options. I am quite sure ISE can do that... I would open up a TAC case with Cisco if you're having a problem with a specific configuration option not working, etc.
nabz0r, Veteran (author), posted January 24, 2018

Good to know it is possible; have you done this before? Yeah, I am sure ISE can do it. The problem is that in ISE 2.3 they have redone everything and there isn't a lot of documentation to read, and the older docs aren't really applicable. I will open a TAC case, but wanted to make sure that it is possible from a RADIUS perspective.
BudMan, MVC, posted January 24, 2018

I have not done it with ISE... But a restricted VLAN is standard practice... Yes, we do this at work..... How do you think the device can talk to anything to auth?
nabz0r, Veteran (author), posted January 24, 2018

What are you using if not ISE? Can you share your switch port and AAA config? Here, or you can PM me.
BudMan, MVC, posted January 24, 2018

Sure, when I get to work in the morning I will post up some info.. Got called in a bit early this morning.. Freaking circuit can not stay up for more than 30 days at a time without a freaking issue... Arrrggh
BudMan, MVC, posted January 24, 2018

Here, this might help you get started: https://mikepembo.wordpress.com/2016/10/26/802-1x-between-cisco-and-radius/
sc302, Veteran, posted January 25, 2018

On 1/23/2018 at 5:27 PM, nabz0r said:
"Is it possible for a RADIUS server to assign a VLAN dynamically on a switch port that is on a dummy VLAN before it gets authenticated? What I mean is: if a domain PC connects to a switch port, assign VLAN 3180-3189 (these are client VLANs); if it is a printer, assign it to VLAN 3017; and if it is a guest user, assign it to the guest VLAN and send it to a web portal for registration. Is this even possible, or am I thinking way out of the box?"

Here is what happens in my scenario. VLAN 1 is an unconfigured VLAN. VLAN 1 is essentially shut down. If an unauthenticated computer/device somehow holds the port open, that computer/device resides on VLAN 1. VLAN 1 has no IP or subnet; it routes nowhere. Most of the time, if a computer can't auth, the port goes into an administrative shutdown state. If I plug my Fluke LinkRunner in, it holds the port in an online status and it gives me the port info and the configured VLAN of 1. If a computer gets authenticated, RADIUS then pushes out what VLAN that port can communicate on. I think that is the scenario that you are looking for... a dummy VLAN (the default VLAN of the switch, which should always remain unconfigured). 802.1x doesn't really support a "portal". You can configure the switch to use the default VLAN for everything else to belong to a VLAN that has portal access (your default VLAN for the access port).... In my switch I would do this as an example:

int gi1/0/1
 switchport mode access
 switchport access vlan 3017
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast edge

This would put all unauthenticated computers on VLAN 3017. It kind of irks me a little that the 2960X series has a different set of CLI instructions: the X series has deprecated commands that continue to live and breathe in the XR series.
For you, you may want to look at this, and look at the guest VLAN settings or 802.1x Authentication with Restricted VLAN: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html#ID737
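The "RADIUS pushes out what VLAN that port can communicate on" step above is carried by three attributes in the Access-Accept (RFC 2868 tunnel attributes, applied to VLANs by RFC 3580): Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN ID or VLAN name. The following Python is an added example, not code from the thread or from Cisco/ISE: it encodes that triple for a given VLAN and parses it back out of a run of attribute-value pairs, including the two edge cases a switch-side parser must handle (a server that omits the leading tag octet on Tunnel-Private-Group-ID, and a reply whose Tunnel-Type or Tunnel-Medium-Type does not say "VLAN over 802", which must not be treated as a VLAN assignment). The VLAN values used (3017 for printers, a VLAN named "guest") follow the original poster's scheme; all byte strings are constructed here for the demonstration.

```python
"""Encode and decode the RFC 2868 / RFC 3580 RADIUS VLAN-assignment attributes.

Added example; not the thread's or any vendor's code. Attribute numbers and
value encodings are from the RFCs; the sample VLANs follow the post.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MAX_TAG = 0x1F  # RFC 2868: a leading octet <= 0x1F is a tunnel tag, anything larger is data


def _avp(attr_type, value):
    """Encode one RADIUS attribute-value pair: type, length (header included), value."""
    if len(value) + 2 > 255:
        raise ValueError("AVP too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan, tag=0):
    """Return the encoded attribute triple that assigns `vlan` (int ID or str name)."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0 (untagged) or 1..31")
    if isinstance(vlan, int):
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        group = str(vlan).encode("ascii")
    else:
        group = vlan.encode("ascii")
        if not group or group[0] <= MAX_TAG:
            raise ValueError("VLAN name must be non-empty printable ASCII")
    tag_byte = struct.pack("!B", tag)
    # Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte integer.
    return (
        _avp(TUNNEL_TYPE, tag_byte + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + _avp(TUNNEL_MEDIUM_TYPE, tag_byte + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
        + _avp(TUNNEL_PRIVATE_GROUP_ID, tag_byte + group)
    )


def parse_avps(data):
    """Split a run of RADIUS AVPs into (type, value) pairs, rejecting malformed lengths."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def assigned_vlan(data):
    """Return the VLAN ID or name the Access-Accept assigns, or None when the
    triple is absent or does not describe a VLAN over IEEE 802."""
    tunnel_type = tunnel_medium = group = None
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                return None
            number = int.from_bytes(value[1:], "big")
            if attr_type == TUNNEL_TYPE:
                tunnel_type = number
            else:
                tunnel_medium = number
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # Some servers omit the tag octet; a first byte above 0x1F is already data.
            if value[0] <= MAX_TAG:
                value = value[1:]
            group = value.decode("ascii", "replace")
    if tunnel_type != TUNNEL_TYPE_VLAN or tunnel_medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    return group or None


if __name__ == "__main__":
    # Constructed sample: the triple a server would return for a printer port.
    reply = vlan_attributes(3017)
    print(reply.hex(), "->", assigned_vlan(reply))
```

Cisco IOS accepts either a numeric ID or a VLAN name in Tunnel-Private-Group-ID, which is why the parser returns the string untouched; the switch resolves the name against its VLAN database, so a name that does not exist there leaves the port unauthorized rather than on a wrong VLAN.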
nabz0r, Veteran (author), posted January 30, 2018

@BudMan, I actually have seen that link, and he uses NPS, not ISE. I have figured it out and my ISE is now doing all the job with a little help from Active Directory, and I am going to use ISE for authentication and command authorization based on AD group for the network department; today we're using local usernames, which is NO good.

@sc302, yes, that is the scenario I was looking for. All switch ports are assigned a dummy VLAN, though not VLAN 1, and when a device gets authenticated ISE will put it in its respective VLAN. I even have succeeded with the portal through ISE for guest users/PCs. Guests connect to a port, they get redirected to the guest portal for registration, and then they log in and have only internet access. As for the portal design, Cisco provides Portal Builder (isepb.cisco.com), and when you're done with the design you import it into your ISE like a boss. This was a big project and I am happy that everything worked out as I wanted, though I've grown 50 new gray hairs because of this, hehe. If anyone is interested in the product and wants to know how to configure dot1x, MAB or guest authentication, I'd be happy to help; just PM me or write here.
My switch config:

interface GigabitEthernet1/0/22
 description GARDSHUSET RICOH AFICIO C430DN
 switchport access vlan 666
 switchport mode access
 switchport nonegotiate
 power inline never
 authentication periodic
 authentication timer reauthenticate server
 access-session control-direction in
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber DOT1X_MAB_WEBAUTH_POLICY

Policy-map (the class-maps are also configured):

se08-as11#sh policy-map type control subscriber DOT1X_MAB_WEBAUTH_POLICY
DOT1X_MAB_WEBAUTH_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-failure match-first
    5 class DOT1X_FAILED do-until-failure
      10 terminate dot1x
      20 authenticate using mab priority 20
    10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
      10 clear-authenticated-data-hosts-on-port
      20 activate service-template CRITICAL_AUTH_VLAN
      30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
      40 authorize
      50 pause reauthentication
    20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
      10 pause reauthentication
      20 authorize
    30 class DOT1X_NO_RESP do-until-failure
      10 terminate dot1x
      20 authenticate using mab priority 20
    40 class MAB_FAILED do-until-failure
      10 terminate mab
      20 authentication-restart 60
    60 class always do-until-failure
      10 terminate dot1x
      20 terminate mab
      30 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 terminate mab
      20 authenticate using dot1x retries 2 retry-time 0 priority 10
      30 authenticate using dot1x priority 10
  event aaa-available match-all
    10 class IN_CRITICAL_VLAN do-until-failure
      10 clear-session
    20 class NOT_IN_CRITICAL_VLAN do-until-failure
      10 resume reauthentication
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
  event violation match-all
    10 class always do-until-failure
      10 restrict
  event inactivity-timeout match-all
    10 class always do-until-failure
      10 clear-session
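A control-policy like the one posted above decides, per event and matched class, whether a port falls back from dot1x to MAB, restarts authentication, or is authorized locally (the critical-auth path when every RADIUS server is unreachable). When auditing such a policy the question a defender asks is: which paths grant access without a RADIUS decision? The following Python is an added example, not code from the thread, from Cisco or from ISE: it parses the indented text of "show policy-map type control subscriber" into an event/class/action tree and reports every class whose action list contains a bare "authorize". The sample policy embedded in it is an abridged copy of the one posted (the session-started, authentication-failure and violation events); the field names in the parsed structure are this example's own choice.

```python
"""Parse IOS 'show policy-map type control subscriber' output and list the
paths that authorize a session locally (without a RADIUS Access-Accept).

Added example; not the thread's or Cisco's code. SAMPLE_POLICY is an
abridged copy of the policy posted in the thread.
"""
import re
from collections import OrderedDict

SAMPLE_POLICY = """\
DOT1X_MAB_WEBAUTH_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-failure match-first
    5 class DOT1X_FAILED do-until-failure
      10 terminate dot1x
      20 authenticate using mab priority 20
    10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
      10 clear-authenticated-data-hosts-on-port
      20 activate service-template CRITICAL_AUTH_VLAN
      40 authorize
      50 pause reauthentication
    20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
      10 pause reauthentication
      20 authorize
    40 class MAB_FAILED do-until-failure
      10 terminate mab
      20 authentication-restart 60
  event violation match-all
    10 class always do-until-failure
      10 restrict
"""

EVENT_RE = re.compile(r"event (\S+) (match-all|match-first)$")
CLASS_RE = re.compile(r"(\d+) class (\S+) (do-until-failure|do-until-success|do-all)$")
ACTION_RE = re.compile(r"(\d+) (.+)$")


def parse_policy(text):
    """Return {'name': str, 'events': {event: {'match': str, 'classes': {cls: {...}}}}}."""
    policy = {"name": None, "events": OrderedDict()}
    event = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if policy["name"] is None:  # first non-blank line is the policy name
            policy["name"] = line
            continue
        m = EVENT_RE.match(line)
        if m:
            event = policy["events"].setdefault(
                m.group(1), {"match": m.group(2), "classes": OrderedDict()})
            cls = None
            continue
        m = CLASS_RE.match(line)
        if m and event is not None:
            cls = event["classes"].setdefault(
                m.group(2), {"seq": int(m.group(1)), "mode": m.group(3), "actions": []})
            continue
        m = ACTION_RE.match(line)
        if m and cls is not None:
            cls["actions"].append(m.group(2))
            continue
        raise ValueError(f"unrecognised policy line: {line!r}")
    return policy


def authorize_paths(policy):
    """(event, class) pairs whose actions include a bare 'authorize', i.e. where the
    switch grants access by local policy rather than by a RADIUS reply."""
    return [
        (ev_name, cls_name)
        for ev_name, ev in policy["events"].items()
        for cls_name, cls in ev["classes"].items()
        if "authorize" in cls["actions"]
    ]


def fallback_after(policy, event, cls):
    """Action list for one event/class, e.g. what happens when dot1x fails."""
    return list(policy["events"][event]["classes"][cls]["actions"])


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    print("locally authorized paths:", authorize_paths(parsed))
    print("on dot1x failure:", fallback_after(parsed, "authentication-failure", "DOT1X_FAILED"))
```

On the posted policy the only locally authorized paths are the two AAA_SVR_DOWN classes, which is what a closed-mode port should show: a dot1x failure falls back to MAB, a MAB failure restarts authentication after 60 seconds, and nothing else ends in "authorize".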