dynamic vlan assignment

oddyager

Diamond Member
May 21, 2005
3,401
0
76
Curious if anyone here has implemented or tried assigning vlans dynamically rather than setting them statically on each port? I'm trying to figure a way to assign the ports in our guest and conference areas to be dynamic so that trusted known mac addresses that are detected when plugged in get dropped onto a trusted vlan and unknown ones get deposited on another vlan. Cisco URT is a very expensive option and there's another called VMPS which only works on CatOS switches (which none of my switches run).

Any thoughts?
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
Played around with it a little in the past, although I just went the static route. However, for your situation, it sounds like it could really come in handy.

I honestly think it's too much administrative overhead; then again I don't know how many users you support. If it's only a couple no biggie, but you're going to have to enter every trusted mac address into a table, as well as keep that table up to date with new users. Doesn't sound like fun to me...

For your guests/visitors, you'd want to set up a fallback vlan for all those unrecognized mac addresses.

But, without URT or a capable switch, none of this really matters. The VMPS server doesn't have to be the switch they are connecting to; you can run it off a single port, and connect say a 3500 to that port. You have no capable switches ANYWHERE?
 

oddyager

Diamond Member
May 21, 2005
3,401
0
76
I guess I can find an old switch and load CatOS on it. From the Cisco guides, CatIOS doesn't support VMPS server (which is what I have on all of my switches here). However, yes, I'm also going to keep our main LAN on static vlan assignments. It's just the conference rooms and the guest area I want to use dynamic assignments. I'll probably plug all those onto one switch (about 2 dozen or so ports).
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
I think some of Cisco's NAC stuff can do this...if the Cisco client checks in as Healthy send to VLAN1, if they check in as Unhealthy, vlan2, if there is no checkin, vlan 3

and it works with wireless too
 

oddyager

Diamond Member
May 21, 2005
3,401
0
76
Originally posted by: pak9rabid
oddyager, you don't work for a hotel internet provider by chance do you?

Nope.

Originally posted by: nweaver
I think some of Cisco's NAC stuff can do this...if the Cisco client checks in as Healthy send to VLAN1, if they check in as Unhealthy, vlan2, if there is no checkin, vlan 3

and it works with wireless too

I looked at the NAC stuff but I don't think it can do host based authentication from what I have read. I may be totally wrong but I'll look at it some more.

Originally posted by: her209
Does your switch support RADIUS?

Yes, all of my switches support radius.

Dot1x is eventually going to be implemented to support my current users but I'm not sure how it reacts to guest people who log in locally to their laptops. We have sales reps who bring clients over to their offices and want them to be able to plug their laptops into a port. Though I loathe the idea, I can try to accommodate them by saying any MAC address my network doesn't recognize be dumped on, say, vlan20, where it has nothing but internet access. I can do that with static assignments on each switch port but it's a pain because those same ports can sometimes be used for legit network machines.
 

Darthkim

Senior member
Dec 11, 1999
204
0
0
dot1x is the way to go. NAC rides on top of it, but it's not free.

I am using dot1x in an all-Cisco infrastructure with PEAP (wired). Wireless extension is next.
I am using both host and username authentication. VLAN assignment comes dynamically depending on host and username.

There is a way to kick users off into a guest vlan, if the user does not have dot1x enabled or has it enabled, but doesn't belong to your domain. Cisco has two commands for that:
dot1x auth-fail vlan 999
dot1x guest-vlan 999

The 1st one handles users who have dot1x enabled, but aren't part of your domain.
The 2nd one handles users who don't have dot1x running at all.

The reason why there is a variation, is after sp1, all windows xp machines have dot1x enabled by default.

Once it's all set up, it runs beautifully. But it does take a lot of effort and is definitely not for the faint of heart. Make sure to run at least 12.2.25 on the stackable Cisco switches.
 

nightowl

Golden Member
Oct 12, 2000
1,935
0
0
If you go the dot1x route, it would be better if you have the latest code on the switches as that is where all of the newest features are. Also, dot1x will do what you want as far as the guest VLAN. However there is no real reason to do machine authentication and user authentication. If the machine is trusted then you can rely on AD or whatever the backend is to authenticate the users.
 

oddyager

Diamond Member
May 21, 2005
3,401
0
76
Thanks all for your responses.

Originally posted by: Darthkim
dot1x is the way to go. NAC rides on top of it, but its not free.

I am using dot1x in an all-Cisco infrastructure with PEAP (wired). Wireless extension is next.
I am using both host and username authentication. VLAN assignment comes dynamically depending on host and username.


I'm actually just reading up on that and noticed that for dynamic vlan assignments you need to have switches running CatOS. Is that what you are running or can it be done with CatIOS?


 

Darthkim

Senior member
Dec 11, 1999
204
0
0
Yup, I'm running them all on IOS, not CatOS.

I'm wondering where you are reading your documentation, as the only switches that support CatOS are the chassis based switches.

I have dot1x running on my 4500 with Sup IV and cat 3750's. All IOS.

The chassis based switches have two sets of documentation (one with CatOS, the other with IOS). Make sure to read the right one.


As far as Nightowl's statement, we wanted to have the vlan determined by UserID, not Machine name, hence the user authentication. But we ended up having to support machine authentication, to push updates/policies, etc.
 

oddyager

Diamond Member
May 21, 2005
3,401
0
76
Originally posted by: Darthkim
Yup, I'm running them all on IOS, not CatOS.

I'm wondering where you are reading your documentation, as the only switches that support CatOS are the chassis based switches.

From here on Chapter 5:

http://www.cisco.com/univercd/cc/td/doc/solution/esm/identity/identity.pdf

But if you say it works with IOS, then that's great. I looked over the documentation again and all I see that's needed for configs done on switches were adding ACLs only.


Actually, I did come across one caveat with dot1x. It requires using radius for authentication which is fine but I also want command authorization from tacacs+ as well.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Then define different method lists: one for dot1x and another for the exec (shell).

Should be able to do what you want.

Also that document you linked is very old and probably contains tons of incorrect information. What you can and can't do with dot1x has changed a lot in the last 3 years.
 

oddyager

Diamond Member
May 21, 2005
3,401
0
76
Originally posted by: spidey07
Then define different method lists: one for dot1x and another for the exec (shell).

Should be able to do what you want.

I've tried that but it doesn't seem to cooperate. If I set login dot1x for radius and exec for tacacs, it still ignores tacacs+ settings. Here's a sample config:

aaa authentication login default group radius local
aaa authentication login dot1x default group radius local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting auth-proxy default start-stop group tacacs+

This is tied in with SecureACS. I can't set the login default group to tacacs+ because that won't allow radius attributes to be set in acs.

Also that document you linked is very old and probably contains tons of incorrect information. What you can and can't do with dot1x has changed a lot in the last 3 years.

Yeah, I just looked at one from Dec 2005. Though they completely took out the parts regarding dynamic VLAN assigning.
 

Darthkim

Senior member
Dec 11, 1999
204
0
0
Yea, there is much better documentation than the one you referenced.

If you want to get this going on a stackable switch, look here.

http://www.cisco.com/univercd/cc/td/doc...t/lan/cat3750/12225see/scg/sw8021x.htm

Here it is, if you use a 4500 series chassis.

http://www.cisco.com/univercd/cc/td/doc...ct/lan/cat4000/12_2_25s/conf/dot1x.htm


You can maintain separate settings for tacacs+ and dot1x.

Take the dot1x out of "aaa authentication login"

To turn on dot1x, the following should get you started

aaa authentication dot1x default
dot1x system-auth-control
aaa authorization network default group radius
radius-server host xxx.xxx.xxx.xxx.
radius-server key xxxxxx

and then go configure the individual interface for dot1x (read documentation mentioned above)


 
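Pulling together Darthkim's guest-vlan / auth-fail advice above and the "separate method lists" suggestion, here is an added example of what a complete IOS-side configuration could look like. It is not Darthkim's or Cisco's own config; the server addresses (192.0.2.x), keys, VLAN 20, the ADMIN list name and FastEthernet0/1 are placeholders.

```cisco
! Added example (not from the thread). Addresses, keys and names are placeholders.
aaa new-model
!
! Shell (exec) access: a named method list that only consults TACACS+,
! applied to the VTY lines below, so admin logins and command authorization
! never touch the RADIUS group that dot1x uses.
aaa authentication login ADMIN group tacacs+ local
aaa authorization exec ADMIN group tacacs+ local
aaa authorization commands 15 ADMIN group tacacs+ if-authenticated
aaa authorization config-commands
!
! 802.1X: its own method list, RADIUS only. "authorization network" is what
! allows the RADIUS Access-Accept to carry the VLAN the port is placed in
! (Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<vlan>).
aaa authentication dot1x default group radius local
aaa authorization network default group radius
dot1x system-auth-control
!
tacacs-server host 192.0.2.20
tacacs-server key TACACS-KEY-PLACEHOLDER
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
! Conference-room access port. A host that authenticates lands in the VLAN
! RADIUS returns; a host that never answers EAP (no supplicant) goes to the
! guest VLAN; a host that fails authentication (e.g. a laptop with dot1x on
! but no domain credentials) goes to the auth-fail VLAN after 3 attempts.
! Both point at the Internet-only VLAN 20 the original poster described.
interface FastEthernet0/1
 description Conference room drop
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 20
 dot1x auth-fail vlan 20
 dot1x auth-fail max-attempts 3
 spanning-tree portfast
!
line vty 0 4
 login authentication ADMIN
 authorization exec ADMIN
 authorization commands 15 ADMIN
```

With the VTY lines bound to the ADMIN list, the global `aaa authentication login default` no longer needs to mention RADIUS at all, which is the separation the thread is after.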

oddyager

Diamond Member
May 21, 2005
3,401
0
76
Originally posted by: Darthkim
Yea, there is much better documentation than the one you referenced.

If you want to get this going on a stackable switch, look here.

http://www.cisco.com/univercd/cc/td/doc...t/lan/cat3750/12225see/scg/sw8021x.htm

Here it is, if you use a 4500 series chassis.

http://www.cisco.com/univercd/cc/td/doc...ct/lan/cat4000/12_2_25s/conf/dot1x.htm


You can maintain separate settings for tacacs+ and dot1x.

Take the dot1x out of "aaa authentication login"

To turn on dot1x, the following should get you started

aaa authentication dot1x default
dot1x system-auth-control
aaa authorization network default group radius
radius-server host xxx.xxx.xxx.xxx.
radius-server key xxxxxx

and then go configure the individual interface for dot1x (read documentation mentioned above)

That was actually a typo of mine, sorry. It's aaa authentication dot1x default group radius local

I can get dot1x to work fine now but still no-go on getting it to use tacacs+ for command authorization. I have two groups set up where one group has full admin access to a device and another only basic commands. Radius ignores the two sets and assumes they have whatever commands are under their assigned priv level.
 