
Change of VLAN for Wired Guest

©2015 SecurView. All rights reserved. www.securview.com Company Confidential 1


Requirement
• Customers are looking to implement a Wired Guest flow and assign the guest endpoint to a Guest VLAN
• Currently this is difficult or impossible to implement by Change of VLAN from ISE, and hence is not recommended by the ISE BU

Limitation
• Wired guests reach the portal in the corporate VLAN
• ISE pushes the dynamic VLAN but cannot port-bounce to refresh the IP address in the Guest VLAN
• No connectivity to the guest endpoint until the guest unplugs and plugs back in manually
Solution
• Utilize Auto Smart Port switch macros
• Two authorization policies in ISE
  – Catch-all rule that redirects the endpoint to the Guest Portal and registers the guest MAC address in the endpoint database
  – Rule for registered guest endpoints that sends a trigger to execute a pre-defined Auto Smart Port switch macro
• Two pre-defined macros will be defined and executed as shown on the next slide
• The solution was validated in our lab running ISE 2.1 patch 2 and a 3650 running 3.7.5
Define Two Macros on the switch

• guestvlan_removedot1x … triggered from ISE
  – Triggered when a registered guest endpoint connects
  – Referenced from ISE using the auto-smart-port Cisco AVP
  – Switches the interface VLAN from corporate to guest
  – Disables dot1x to avoid a loop (otherwise the re-authentication after the bounce would trigger the macro again)
  – Bounces the port
  – Applies the corporatevlan_applydot1x macro to the interface

• corporatevlan_applydot1x … triggered from the above macro
  – Switches the VLAN from guest to corporate
  – Enables dot1x
  – Removes the corporatevlan_applydot1x reference



Wired flow for assigning a Guest Endpoint to the Guest VLAN: Guest Endpoint connecting for the first time
(Swimlane diagram with lanes Guest User, Wired NAD, PSN Auth Policies and Guest Endpoint Database, reconstructed as steps)
1. Endpoint connects for the first time; RADIUS from NAD to PSN
2. Default Authorization Rule: Redirect to Web Portal; RADIUS response from PSN to NAD
3. Endpoint redirected to the Guest Portal; user clicks OK; Guest Endpoint added to the Guest Endpoint Database; ISE issues a CoA
4. Reauth; PSN queries the Guest Endpoint DB; Guest Auth Rule: ISE sends a trigger to execute a Smart Port macro; RADIUS Accept, Run Macro
5. Switch runs the macro to change the VLAN to the Guest VLAN and issues shut/no-shut commands
6. User disconnects; switch runs the macro to change the VLAN to the DATA VLAN



Wired flow for assigning a Guest Endpoint to the Guest VLAN: Registered Guest Endpoint connects
(Swimlane diagram with lanes Guest User, Wired NAD, PSN Auth Policies and Guest Endpoint Database, reconstructed as steps)
1. Registered Guest Endpoint connects; RADIUS from NAD to PSN
2. PSN queries the Guest Endpoint DB; Guest Auth Rule: ISE sends a trigger to execute a Smart Port macro; RADIUS Accept, Run Macro
3. Switch runs the macro to change the VLAN to the Guest VLAN and issues shut/no-shut commands
4. User disconnects; switch runs the macro to change the VLAN to the DATA VLAN



guestvlan_removedot1x macro

macro auto execute guestvlan_removedot1x {
  if [[ $LINKUP == YES ]]; then
    configure terminal
    interface $INTERFACE
    no authentication port-control auto
    switchport access vlan 20
    macro description $TRIGGER
    shut
    no shut
  fi
  if [[ $LINKUP == NO ]]; then
    configure terminal
    interface $INTERFACE
    description Guest
    no macro description $TRIGGER
    macro description corporatevlan_applydot1x
  fi
}



corporatevlan_applydot1x macro

macro auto execute corporatevlan_applydot1x {
  if [[ $LINKUP == NO ]]; then
    configure terminal
    interface $INTERFACE
    authentication port-control auto
    switchport access vlan 10
    no macro description $TRIGGER
    description corporate
  fi
}
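The two macros above only make sense together with the link events that drive them, and the slides show the resulting sequence only as diagrams. The following Python model is an added example, not code from the deck or from Cisco: it replays the first-time and registered-guest flows (slides 5 and 6) against the bodies of both macros and then shows why the guest macro disables dot1x before the bounce. It assumes a simplified Auto Smart Port behaviour (on every link transition the switch re-runs the macro(s) recorded in the interface's macro description with $LINKUP set to YES or NO, and a link-up on a port that still has dot1x enabled sends RADIUS to the PSN, which answers a registered guest with the auto-smart-port AVP). VLAN 10 and 20 come from the macros; the initial port description, the mapping of the Guest_AUP and Hotspot_Guests profiles to the two rules, and the run cap are assumptions.

```python
"""Replay of the wired-guest VLAN change against the two Auto Smart Port macros.

Added illustration, not the deck's own code. Switch behaviour is reduced to one
assumption: on every link transition the macro(s) named in the interface's
"macro description" run with $LINKUP = YES or NO, and a link-up on a port that
still has dot1x enabled also sends RADIUS to the PSN, which answers a registered
guest with the auto-smart-port AVP naming guestvlan_removedot1x.
"""
from dataclasses import dataclass, field
from typing import List

CORPORATE_VLAN = 10        # switchport access vlan 10 (restore macro)
GUEST_VLAN = 20            # switchport access vlan 20 (guest macro)
MAX_MACRO_RUNS = 8         # assumed safety cap so a misbehaving macro pair cannot recurse forever


class LoopDetected(Exception):
    """Macros keep re-triggering each other (the loop the deck disables dot1x to avoid)."""


@dataclass
class Port:
    vlan: int = CORPORATE_VLAN
    dot1x: bool = True                       # authentication port-control auto
    link_up: bool = False
    description: str = "corporate"           # assumed starting description
    macro_description: List[str] = field(default_factory=list)
    registered_guest: bool = False           # MAC already in the GuestEndpoints identity group
    keep_dot1x_enabled: bool = False         # variant: omit "no authentication port-control auto"
    macro_runs: int = 0


def guestvlan_removedot1x(port: Port, linkup: bool) -> None:
    """ISE-triggered macro: change VLAN and bounce on link-up, re-arm with the restore macro on link-down."""
    if linkup:
        if not port.keep_dot1x_enabled:
            port.dot1x = False                                    # no authentication port-control auto
        port.vlan = GUEST_VLAN                                    # switchport access vlan 20
        if "guestvlan_removedot1x" not in port.macro_description:
            port.macro_description.append("guestvlan_removedot1x")   # macro description $TRIGGER
        bounce(port)                                              # shut / no shut
    else:
        port.description = "Guest"                                # description Guest
        if "guestvlan_removedot1x" in port.macro_description:
            port.macro_description.remove("guestvlan_removedot1x")   # no macro description $TRIGGER
        port.macro_description.append("corporatevlan_applydot1x")    # macro description corporatevlan_applydot1x


def corporatevlan_applydot1x(port: Port, linkup: bool) -> None:
    """Restore macro: only a link-down branch, putting the port back to corporate with dot1x."""
    if not linkup:
        port.dot1x = True                                         # authentication port-control auto
        port.vlan = CORPORATE_VLAN                                # switchport access vlan 10
        if "corporatevlan_applydot1x" in port.macro_description:
            port.macro_description.remove("corporatevlan_applydot1x")  # no macro description $TRIGGER
        port.description = "corporate"                            # description corporate


MACROS = {"guestvlan_removedot1x": guestvlan_removedot1x,
          "corporatevlan_applydot1x": corporatevlan_applydot1x}


def run_macro(port: Port, name: str, linkup: bool) -> None:
    port.macro_runs += 1
    if port.macro_runs > MAX_MACRO_RUNS:
        raise LoopDetected(f"{name} ran more than {MAX_MACRO_RUNS} times in one session")
    MACROS[name](port, linkup)


def radius_authorize(port: Port) -> str:
    """PSN decision, simplified; which profile belongs to which rule is assumed here."""
    if port.registered_guest:
        run_macro(port, "guestvlan_removedot1x", linkup=True)    # AVP auto-smart-port=guestvlan_removedot1x
        return "Hotspot_Guests"
    return "Guest_AUP"   # Default rule: redirect to the hotspot portal, no VLAN change yet


def bounce(port: Port) -> None:
    link_event(port, up=False)   # shut
    link_event(port, up=True)    # no shut


def link_event(port: Port, up: bool) -> None:
    """One link transition as the switch sees it."""
    port.link_up = up
    if up and port.dot1x:
        radius_authorize(port)   # 802.1X/MAB runs, NAD sends RADIUS to the PSN
    for name in list(port.macro_description):   # Auto Smart Port re-runs the recorded macros
        run_macro(port, name, linkup=up)


def snapshot(port: Port) -> dict:
    return {"vlan": port.vlan, "dot1x": port.dot1x, "link_up": port.link_up,
            "description": port.description, "macro_description": list(port.macro_description)}


def first_time_guest_session() -> tuple:
    """Unknown endpoint -> portal redirect -> user clicks OK -> CoA reauth -> macro -> unplug."""
    port = Port()
    link_event(port, up=True)
    redirected = snapshot(port)      # still corporate VLAN with dot1x on, portal redirect in force
    port.registered_guest = True     # MAC added to GuestEndpoints, ISE issues a CoA
    radius_authorize(port)           # the reauth now matches the Guest Auth rule
    connected = snapshot(port)
    link_event(port, up=False)       # guest unplugs
    return redirected, connected, snapshot(port)


def registered_guest_session() -> tuple:
    """Registered endpoint -> macro on the first RADIUS Accept -> unplug."""
    port = Port(registered_guest=True)
    link_event(port, up=True)
    connected = snapshot(port)
    link_event(port, up=False)
    return connected, snapshot(port)


def loops_without_disabling_dot1x() -> bool:
    """With dot1x left on, the 'no shut' re-authenticates, ISE sends the AVP again, the macro bounces again."""
    port = Port(registered_guest=True, keep_dot1x_enabled=True)
    try:
        link_event(port, up=True)
    except LoopDetected:
        return True
    return False


if __name__ == "__main__":
    print("first-time guest:", *first_time_guest_session(), sep="\n  ")
    print("registered guest:", *registered_guest_session(), sep="\n  ")
    print("loop without 'no authentication port-control auto':", loops_without_disabling_dot1x())
```

Running the script shows the port in VLAN 20 with dot1x off and corporatevlan_applydot1x armed while the guest is connected, back in VLAN 10 with dot1x on and no macro reference once the guest unplugs, and a detected loop as soon as the guest macro is modelled without the line that disables dot1x.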



ISE Authorization Policies

• Endpoints hit the Default authorization rule when they connect for the first time
• The endpoint is registered in the GuestEndpoints identity group after the user accepts on the hotspot portal
Guest_AUP Authorization Profile



Hotspot Portal Configuration



Hotspot_Guests Authorization Profile



Original Interface Config



After Guest Connect

• The corporatevlan_applydot1x macro is now referenced on the interface, so the switch can switch the VLAN back to corporate and reapply the dot1x configuration when the guest disconnects (refer to slide 4)
Guest Disconnects

• corporatevlan_applydot1x reapplies the corporate VLAN and re-enables dot1x

