Configure authorization policy based on vlan-id attribute on ISE

Available Languages

Download Options

  • PDF     (143.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (182.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (123.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:November 25, 2021
Document ID:217586

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This article describes the steps to configure the ISE authorization policy based on the VLAN id attribute sent from the NAD. This feature is only available with IBNS 2.0.

    Use case

    Customers want to populate the VLAN ID that is configured on the access interface and later use it to provide access on ISE.

    Configuration steps

    NAD side

    1. Configure the switch to send VLAN radius attributes in the access request.

    Device# configure terminal
Device(config)# access-session attributes filter-list list TEST
Device(config-com-filter-list)# vlan-id
Device(config-com-filter-list)# exit
Device(config)# access-session accounting attributes filter-spec include list TEST
Device(config)# access-session authentication attributes filter-spec include list TEST
Device(config)# end

    NOTE: You may get a warning when entering the "access-session accounting attributes filter-spec include list TEST" command to accept migrating to IBNS 2.

    Switch(config)#access-session accounting attributes filter-spec include list TEST
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding. 
Do you wish to continue? [yes]:

    Check the following guide for more details: Vlan-id radius attributes config guide

    ISE side

    1. Create an authentication policy based on your needs (MAB/DOT1X).

    2. The authorization policy will include the next condition type, make sure to match the exact syntax

    Radius·Tunnel-Private-Group-ID EQUALS (tag=1) <vlan ID>

    Example:

    For a VLAN-ID = 77

    Screen Shot 2021-11-25 at 2.57.17 p.m.

    Test

    NAD side

    
Switch#sh run interface Tw1/0/3 
Building configuration...

Current configuration : 336 bytes
!
interface TwoGigabitEthernet1/0/3
 switchport access vlan 77
 switchport mode access
 device-tracking attach-policy DT_POLICY
 access-session host-mode multi-host
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 service-policy type control subscriber POLICY_Tw1/0/3
end

Switch#
    
Switch#sh auth sess inter Tw1/0/3 details 
            Interface:  TwoGigabitEthernet1/0/3
               IIF-ID:  0x1FA6B281
          MAC Address:  c85b.768f.51b4
         IPv6 Address:  Unknown
         IPv4 Address:  10.4.18.167
            User-Name:  C8-5B-76-8F-51-B4
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  33781F0A00000AE958E57C9D
      Acct Session ID:  0x0000000e
               Handle:  0x43000019
       Current Policy:  POLICY_Tw1/0/3


Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure

Server Policies:


Method status list:
       Method           State
          mab           Authc Success

Switch#

    ISE side

    Screen Shot 2021-11-25 at 3.07.20 p.m.

    Screen Shot 2021-11-25 at 3.07.52 p.m.

    Revision History

    Revision Publish Date Comments
    1.0
    25-Nov-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jonathan Casillas Gutierrez
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products