integrating IT

ISE Dynamic VLAN assignment

Dynamic VLAN assignment by a RADIUS server (e.g. Cisco ISE) is useful when you want to place a user or group of users into a specific VLAN. To achieve this, the VLANs configured on the switches must be given a name, and that name must be consistent across all switches; the VLAN number, however, does not need to be the same on every switch. The scenario in this blog post defines two VLANs (ADMIN and USERS): members of the AD group Domain Admins are assigned to the VLAN named ADMIN, and members of the AD group Domain Users are assigned to the VLAN named USERS.

The ISE configuration in this post covers only the steps needed for Dynamic VLAN assignment. Refer to this previous post on how to configure Cisco ISE for 802.1x authentication.

Switch Configuration

Configure a name on each VLAN. These names must match the ID/Name specified in the Authorisation Profile on ISE, because ISE returns the VLAN by name rather than by number.

ISE Configuration

Authorisation profiles.

  • Navigate to Policy > Policy Elements > Results > Authorisation > Authorisation Profiles
  • Create a new Authorisation Profile and name it appropriately, e.g. VLAN_ADMIN
  • Under the Common Tasks section, tick VLAN
  • Enter the ID/Name of the Admin VLAN as ADMIN


  • Repeat the task and create another Authorisation Profile for the Standard Users, e.g. VLAN_USERS
  • Enter the correct ID/Name as USERS


Authorisation Policy

  • Navigate to Policy > Policy Sets
  • Modify the existing Policy Set used for 802.1x
  • Ensure there are separate Authorization Policy rules, one for Admin Users and another for Standard Users
  • Assign the VLAN_ADMIN Authorisation Profile under Profiles on the Admin rule
  • Assign the VLAN_USERS Authorisation Profile under Profiles on the Standard Users rule
  • Save the policy


Verification

Before logging in as a user, confirm the configuration of the interface the test computer is plugged into. Notice the VLAN is set to VLAN 10.


  • Running the command show authentication sessions interface fastethernet 0/3 confirms the computer has a valid IP address in VLAN 10. Notice Vlan Policy is N/A, which means this interface has not been dynamically assigned a VLAN.


Login as a user that is a member of the AD group Domain Users.

  • Run the command show authentication sessions interface fastethernet 0/3
  • Compare the output with the output above. Notice the computer now has an IP address from the VLAN 11 DHCP pool and Vlan Policy = 11; this confirms the computer has been dynamically assigned to VLAN 11.


  • Run the command debug radius whilst the user is logging on
  • You can confirm the VLAN name returned by the RADIUS server in the successful authorisation by the presence of Tunnel-Private-Group-ID in the Access-Accept, alongside Tunnel-Type = VLAN and Tunnel-Medium-Type = 802. The switch only applies the assignment when all three attributes are present and the returned name exists as a VLAN name on the switch.


Logoff and log back in as a user in the Domain Admins AD group.

  • Compare the output with the output above. Notice the computer now has an IP address from the VLAN 12 DHCP pool and Vlan Policy = 12, confirming the computer has been dynamically assigned to VLAN 12.


  • Running the command debug radius confirms the correct VLAN name ADMIN was sent by the RADIUS server.
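
The Access-Accept that debug radius shows, as an added example that is not code from the original post: it builds the three IETF tunnel attributes an ISE VLAN authorisation profile returns (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN name) and then does what the switch does with the reply: verify the Response Authenticator against the shared secret and only then read the VLAN name. Attribute numbers and values are from RFC 2865/2868. The shared secret, packet identifier, request authenticator and the tag value 1 are assumptions for the example, as is the forged reply at the end.

```python
"""Added example (not from the original post): the RADIUS Access-Accept ISE
sends for a VLAN authorisation profile, and the checks the switch makes on it.
Secret, identifier, request authenticator and tag value are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type | Length (incl. header) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged(tag, payload):
    """RFC 2868 tunnel attributes may carry a 1-octet tag (0x00-0x1F) before
    the value so related attributes can be grouped; tag 1 is assumed here."""
    return bytes([tag]) + payload


def vlan_attributes(vlan_name, tag=1):
    """The three attributes added when 'VLAN' is ticked in the profile."""
    return (avp(TUNNEL_TYPE, tagged(tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big")))
            + avp(TUNNEL_MEDIUM_TYPE, tagged(tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")))
            + avp(TUNNEL_PRIVATE_GROUP_ID, tagged(tag, vlan_name.encode())))


def build_access_accept(ident, request_auth, attrs, secret):
    """RFC 2865 s.3: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(attrs):
    """Walk the TLV list; reject truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        out.append((attr_type, attrs[i + 2:i + length]))
        i += length
    return out


def untag(value):
    """Strip the RFC 2868 tag if present (first octet <= 0x1F)."""
    return value[1:] if value and value[0] <= 0x1F else value


def switch_vlan_from_accept(packet, request_auth, secret):
    """NAS side: verify the Response Authenticator with the shared secret (a
    forged or tampered reply is silently discarded), then return the VLAN
    name only if all three tunnel attributes are present and consistent."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    tunnel_type = medium = group = None
    for attr_type, value in parse_attributes(attrs):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(untag(value), "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(untag(value), "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group = untag(value).decode("ascii", "replace")
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802:
        return group
    return None


if __name__ == "__main__":
    secret = b"ise-shared-secret"         # constructed
    request_auth = bytes(range(16))       # constructed; random per request in reality
    accept = build_access_accept(42, request_auth, vlan_attributes("ADMIN"), secret)
    print(switch_vlan_from_accept(accept, request_auth, secret))   # ADMIN
    forged = accept.replace(b"ADMIN", b"USERS")                    # on-path tampering
    print(switch_vlan_from_accept(forged, request_auth, secret))   # None
```

The point of the second call is that the shared secret is the only thing authenticating the VLAN assignment: anyone who can rewrite the Access-Accept in transit, or who knows the secret, can move a port into ADMIN, so the secret and the path between switch and ISE deserve the same protection as the AD group membership that drives the policy.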


Published by integratingit


3 thoughts on “ ISE Dynamic VLAN assignment ”


Hi, it is cool. What happens if some device has a fixed IP?

If the device has a static IP address and is moved to a different VLAN, the user will not be able to communicate. It will only work if using DHCP.


Technology and life with Eyvonne Sharp

Configuring Cisco FlexConnect AP to Support Dynamic VLAN Assignment with ISE

August 17, 2013 By Eyvonne 4 Comments

I am in the middle of an ISE proof of concept and have been running the product through its paces. Since nearly all of my access points are in FlexConnect mode (formerly known as H-REAP), they require additional configuration to allow dynamic VLAN assignment with ISE. FlexConnect supports local switching which allows you to map a local VLAN ID from the AP’s switch to an SSID instead of tunneling all traffic back to the Wireless LAN Controller to be switched centrally.

In order to dynamically assign a VLAN ID with an ISE authorization profile, the VLAN must exist on the access point. FlexConnect Groups accomplish this task.

From the Wireless menu, select FlexConnect Groups and click the New button. Once you create the group, click the group name to open the edit menu (seen below). On the General tab, add the access points to the FlexConnect group. To add the VLAN ID, select the ACL Mapping tab and then the “AAA VLAN-ACL mapping” tab. Enter the VLAN ID and select the ingress and egress ACLs. In my case, I selected “none”. Click Add and then Apply.

Your VLAN IDs have now been added to your access points and can be assigned with an ISE authorization policy.

For more information see Cisco documentation


February 10, 2014 at 9:41 am

Just what I was looking for! Thanks!


November 12, 2014 at 11:07 am

Man, I was looking for this and had problems achieving it, thank you so much. Now I have clients in the correct Vlans


November 1, 2018 at 11:36 am

Thanks a lot for sharing this information.


March 6, 2023 at 6:47 am

It works for me for WLC 5520 v8.5.135.0 but it is not working on 8.10.130.0

VLAN assignment after successful Cisco ISE authentication



Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

1. Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

Hi Created,

The guide below is how to set up DACLs and how to dynamically assign a VLAN to a device connecting to the network.

Attachment(s): pdf

2.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

Is there a way to do a reassignment of the DACL? If, for example, on the Cisco ISE for that user I need to assign him a new ACL, can I do that with the CoA?

Or is this not possible at all?

3.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch


What you would normally do is trigger a 'Terminate Session', after which the switch performs a new authentication for the user/device and you can then return the new role/DACL as part of your policy/enforcement.

I'm not sure if ISE supports DACL for Aruba switches, but you may fall back to user roles and return a local user role.

4.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

Yes, I have configured DACL from ISE to Aruba switches and it's working perfectly, but I need to make changes to the DACL and I haven't figured out how to do that (I use VSA 92 standard, by the way). If you need the config, just let me do a session with the client to take screenshots of ISE and the config of the switch (the hardest part was to send the client IP address to ISE).

With the CoA 'Terminate Session', if you have experience with Cisco ISE, could you show me how the configuration of the terminate session goes? I haven't got that part; I still have doubts about that configuration.

Gerardo Andree Mejia 

5.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

You can initially deploy a user role with a policy and then assign a different user role with a different policy, based on your requirement, using a reauthentication CoA as below.

6.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

So I can add the:

and send that information on the reauthenticate for the Aruba switches, right?

I think I'm getting it, so what you do in the definition on the ISE is define the VSA that I'm going to send to the switch, right?

Thanks for the help, by the way.

7.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

Yes we could send NAS-Filter-Rule via CoA.  

8.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

Hi Shobana, 

I had a problem with the CoA re-authenticate.

This is the configuration I put in the ISE profile and still got no response from the switch.

Do you see anything bad in there?

I am going to add the config of the switch; I don't know if maybe there's something else that needs to be done.

Thanks for the help.

Attachment(s): txt

9.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

You have to enable this CLI for RADIUS dynamic authorization:

radius dyn-authorization enable

radius dyn-authorization client {<IPV4> | <IPV6> | <HOSTNAME>} [secret-key [plaintext <PASSKEY> | ciphertext <PASSKEY>]] [time-window <WIDTH>] [replay-protection {enable|disable}]

More details here - 

https://www.arubanetworks.com/techdocs/AOS-CX/10.08/HTML/security_6200-6300-6400/Content/Chp_RAD_dyn_auth/RAD_dyn_auth_cmds/rad-dyn-aut-com-fl-10.htm

10.  RE: Dynamic Vlan Assignment /DACL's with Cisco ISE and ArubaOS-Switch

Does this apply to version 16.11 for AOS-S?
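The 'Terminate Session' CoA discussed in this thread, as an added example that is not code from the thread, from Aruba or from Cisco: ISE acts as the RFC 5176 Dynamic Authorization Client and sends a Disconnect-Request that identifies the session; the switch, once dynamic authorization is enabled as in the CLI above, checks the Request Authenticator with the shared secret, drops requests whose Event-Timestamp falls outside its time window (the check the time-window and replay-protection options exist for), and answers Disconnect-ACK or Disconnect-NAK. The shared secret, the session table, the identifiers, the 300-second window and the clock values are constructed for the example; the attribute numbers and authenticator rules are from RFC 2865/5176.

```python
"""Added example (not from the thread or either vendor): an RFC 5176
Disconnect-Request ('Terminate Session') exchange between ISE and a switch.
Secret, session table, identifiers, window and timestamps are constructed."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 codes
USER_NAME, ACCT_SESSION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 1, 44, 55, 101
SESSION_CONTEXT_NOT_FOUND = 503          # RFC 5176 Error-Cause value
TIME_WINDOW = 300                        # seconds; constructed value for the example


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type | Length (incl. header) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs):
    """TLV walk into a dict (later duplicates win; fine for this exchange)."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        out[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return out


def build_request(code, ident, attrs, secret):
    """RFC 5176 s.2.3: RequestAuth = MD5(Code|ID|Length|16 zero octets|Attrs|Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response authenticator covers the request's authenticator, not zeros."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def disconnect_request(ident, user, session_id, secret, now):
    """DAC (ISE) side: identify the session and stamp the request so the NAS
    can reject a replay of it later."""
    attrs = (avp(USER_NAME, user.encode())
             + avp(ACCT_SESSION_ID, session_id.encode())
             + avp(EVENT_TIMESTAMP, struct.pack("!I", now)))
    return build_request(DISCONNECT_REQUEST, ident, attrs, secret)


def nas_handle_disconnect(packet, sessions, secret, now, window=TIME_WINDOW):
    """NAS (switch) side. Returns (response packet or None, ended session id
    or None). A bad authenticator or a stale timestamp gets no reply at all,
    so whoever can reach the CoA port learns nothing and cannot bounce ports."""
    if len(packet) < 20:
        return None, None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None, None
    attrs, request_auth = packet[20:], packet[4:20]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(expected, request_auth):
        return None, None                    # wrong secret: silently discard
    fields = parse_attributes(attrs)
    stamp = fields.get(EVENT_TIMESTAMP)
    if stamp is None or abs(struct.unpack("!I", stamp)[0] - now) > window:
        return None, None                    # replay protection
    session_id = fields.get(ACCT_SESSION_ID, b"").decode("ascii", "replace")
    if session_id not in sessions:
        nak_attrs = avp(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
        return build_response(DISCONNECT_NAK, ident, request_auth, nak_attrs, secret), None
    del sessions[session_id]   # port re-authenticates; the new role/VLAN arrives then
    return build_response(DISCONNECT_ACK, ident, request_auth, b"", secret), session_id


def response_is_genuine(response, request, secret):
    """DAC side: confirm the ACK/NAK came from the NAS holding the secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"coa-secret"                         # constructed
    sessions = {"0x00000010": "DOMAIN\\user1"}     # constructed NAS session table
    now = 1_700_000_000                            # constructed clock value
    req = disconnect_request(7, "DOMAIN\\user1", "0x00000010", secret, now)
    resp, ended = nas_handle_disconnect(req, sessions, secret, now)
    print(resp[0], ended, response_is_genuine(resp, req, secret))   # 41 0x00000010 True
```

A CoA-Request (code 43) carrying NAS-Filter-Rule or a vendor role attribute is built with the same Request Authenticator rule; the reauthentication variant shown in this thread differs only in the attributes it carries, not in how the switch authenticates it.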


