dynamic vlan assignment cisco ise wired

integrating IT

ISE Dynamic VLAN assignment

Dynamic VLAN assignment by a RADIUS server (e.g. Cisco ISE) can be useful when you want to assign a specific VLAN to a user or group of users. In order to achieve this the VLANS configured on the switches must be configured with a name, this name must be consistent across multiple switches. However the VLAN number does not necessarily need to be the same across the switches.The scenario in this blog post will simply define 2 VLANS (ADMIN and USERS), members of the AD group Domain Admins will be assigned to a VLAN called ADMIN and members of the AD group Domain Users will be assigned to a VLAN called USERS.

The configuration of ISE in this post only describes the steps in order to configure Dynamic VLAN assignment. Refer to this previous post on how to configure Cisco ISE for 802.1x authentication.

Switch Configuration

Configure the name on the VLANS. These names must match the name specified in the Authorisation Profile on ISE.

ISE Configuration

Authorisation profiles.

• Navigate to Policy > Policy Elements > Results > Authorisation > Authorisation Profiles
• Create a new Authorisation Profile and name appropriately e.g VLAN_ADMIN
• Under the Common Tasks section, tick VLAN
• Enter the ID/Name of the Admin VLAN as ADMIN

• Repeat the task and create another Authorisation Profile for the Standard Users e.g VLAN_USERS
• Enter the correct ID/Name as USERS

Authorisation Policy

• Navigate to Policy > Policy Set
• Modify an existing Policy Set used for 802.1x
• Ensure there are different Authorization Policy rules, for Admin Users and another for Standard Users
• Assign the VLAN_ADMIN Authorisation Profile to the Admin rule Profiles
• Assign the VLAN_USERS Authorisation Profile to the Standard Users rule Profiles
• Save the policy

Verification

Before logging in as a user, confirm the configuration of the interface the test computer is plugged into. Notice the VLAN is set to VLAN 10.

• Running the command show authentication sessions interface fastethernet 0/3 confirm the computer has a valid IP address in VLAN 10. Notice under Vlan Policy N/A, this means this interface was not dynamically assigned a VLAN.    

Login as a user that is a member of the AD group Domain Users.

• Run the command show authentication sessions interface fastethernet 0/3
• Compare the output this time with above. Notice the computer now has an IP address from the VLAN 11 DHCP Pool and Vlan Policy = 11, this confirms the computer has dynamically been assigned to VLAN 11.

• Run the command debug radius whilst the users is logging on
• You can confirm the VLAN name being returned by successful authorisation by the RADIUS server by the presence of Tunnel-Private-Group .

Logoff and log back in as a user in the Domain Admins AD group.

• Compare the output this time with above. Notice the computer now has an IP address from the VLAN 12 DHCP Pool and Vlan Policy = 12

• Running the command debug radius confirms the correct VLAN name ADMIN was sent by the RADIUS server.

Share this:

• Click to share on Twitter (Opens in new window)
• Click to share on Facebook (Opens in new window)
• Click to share on LinkedIn (Opens in new window)

Published by integratingit

View all posts by integratingit

3 thoughts on “ ISE Dynamic VLAN assignment ”

• Pingback: Initial Cisco ISE Configuration – integrating IT

Hi it is cool . What happend if some device has IP fix

If the device has a static IP address and is moved to a different VLAN, the user will not be able to communicate. It will only work if using DHCP.

Leave a comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed .

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

Meraki Community

• Community Platform Help
• Contact Community Team
• Meraki Documentation
• Meraki DevNet Developer Hub
• Meraki System Status
• Technical Forums

802.1X /w Dynamic VLAN Assignment

• Subscribe to RSS Feed
• Mark Topic as New
• Mark Topic as Read
• Float this Topic for Current User
• Printer Friendly Page

• Mark as New
• Report Inappropriate Content
• All forum topics
• Previous Topic

• New July 16: Share your feedback and snag some swag!
• July 15: Points Contest: Week 2 Roundup
• July 8: Points Contest: Week 1 Roundup
• Interfaces 231
• Layer 2 252
• Layer 3 181
• Community guidelines
• Cisco privacy
• Khoros privacy
• Terms of service

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

RADIUS VLAN Assignment with Cisco ISE

I am trying to install Cisco ISE 2.1 to be used as a RADIUS server with 802.1x on my switches. I want to dynamically assign a VLAN based to a user who connects on the switch port.

The problem is that, although my end client is authenticated and authorized by ISE, the VLAN id never gets received on the switch from ISE.

On ISE, I see my end user being authenticated with the correct policy, and authorized with the policy I created.

As seen on this image, I want to assign VLAN 56. However, my port does not get this information and stays in the hardcoded VLAN.

What could be the issue here?

Could it be that RADIUS options 064,065,081 are not forwarded from the ISE to the switch? I have a firewall between them.

Here is the configuration for dot1x on my switch :

And here is an output when the end user is authenticated through dot1x :

Here is the output of a debug dot1x all

Here is the output for "debug radius authentication"

• You can try "debug radius authentication" or "debug dot1x all" on the switch to see what messages it is receiving. –  Ron Trunk Commented Jun 16, 2016 at 17:06
• I did that, and edited my post to add the output above. I don't see anything really strange in the output though. –  Jeremy G. Commented Jun 16, 2016 at 17:15
• 1 I don't either. How about the radius debug? –  Ron Trunk Commented Jun 16, 2016 at 17:18
• 1 Great data, great question. +1 –  Citizen Commented Jun 17, 2016 at 8:57
• 1 @Mr.lock : my switch is a 3560 and its version is 12.2(50r)SE. it could be a firmware issue, but the TAC did not think that way. I will try another switch ASAP though. –  Jeremy G. Commented Jun 28, 2016 at 11:54

2 Answers 2

I don't know if you've already done this, but you have to go a step further than just creating the Auth profile. You have to apply that auth profile with an auth policy. To create the auth policy do the following.

Go to Policy / Authorization Edit – profiles –standard, select your auth profile click Done click Save

• You should edit your answer to explain it. –  Ron Maupin ♦ Commented Jul 19, 2016 at 21:51
• @BlackMagix : I applied this Auth profile to an auth policy indeed. Moreover, I did a tcpdump on ISE during the authorization process, and i can see an "ACCESS-ACCEPT" frame sent by ISE with the correct VLAN ID. Therefore I think the issue is more on the switch than on ISE. –  Jeremy G. Commented Jul 22, 2016 at 6:47

For those still interested in this issue, I had to upgrade the IOS to 12.2(55)SE10. Now it's working with the initial configuration.

• I would consider to upgrade to newer IOS version 15.*. Recommended version is marked as Golden image. –  Pawel Commented Jan 22, 2017 at 9:16

Your Answer

Sign up or log in, post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged cisco vlan radius cisco-ise or ask your own question .

• The Overflow Blog
• The framework helping devs build LLM apps
• How to bridge the gap between Web2 skills and Web3 workflows
• Featured on Meta
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network...
• Announcing a change to the data-dump process

Hot Network Questions

• Homebrew DND 5e Spell, review in power, and well... utility
• Designing an attitude indicator - Having issues with inclinometer
• How to modify FLS (Read) on all Fields on all Objects in your Org with Apex
• The maximum area of a pentagon inside a circle
• Would it be possible to start a new town in America with its own political system?
• Reducing required length of a mass driver using loop?
• What is the function of this resistor and capacitor at the input of optoisolator?
• Why did C++ standard library name the containers map and unordered_map instead of map and ordered_map?
• Declension in book dedication
• Accelerating semidecision of halting problem
• Object of proven finiteness, yet with no algorithm discovered?
• Can I cause a star to go supernova by altering the four fundamental forces?
• Were ancient Greece tridents different designs from other historical examples?
• "Four or six times", where is five?
• Is this circuit safe to put in my ceiling? What improvements could I make?
• What's that little animation between Avatar: The Last Airbender Book 2 and Book 3?
• 1 External SSD with OS and all files, used by 2 Macs, possible?
• Adding additional edges in the forest
• I'm 14 years old. Can I go to America without my parent?
• Does my observational study present as being a nested or crossed design?
• When Trump ex-rivals, who previously gave Trump terrible comments, now turn to praising him, what benefits could they gain?
• What are good reasons for declining to referee a manuscript that hasn't been posted on arXiv?
• Is deciding to use google fonts the sort of decision that makes an entity a controller rather than a processor?
• How can I connect my thick wires into an ikea wire connector

Technology and life with Eyvonne Sharp

Configuring Cisco FlexConnect AP to Support Dynamic VLAN Assignment with ISE

August 17, 2013 By Eyvonne 4 Comments

I am in the middle of an ISE proof of concept and have been running the product through its paces. Since nearly all of my access points are in FlexConnect mode (formerly known as H-REAP), they require additional configuration to allow dynamic VLAN assignment with ISE. FlexConnect supports local switching which allows you to map a local VLAN ID from the AP’s switch to an SSID instead of tunneling all traffic back to the Wireless LAN Controller to be switched centrally.

In order to dynamically assign a VLAN ID with an ISE authorization profile, the VLAN must exist on the access point. FlexConnect Groups accomplish this task.

From the Wireless menu, select FlexConnect Groups and click the New button. Once you create the group, click the group name to open the edit menu (seen below). On the General tab, add the access points to the FlexConnect group. To add the VLAN ID, select the ACL Mapping tab and then the “AAA VLAN-ACL mapping” tab. Enter the VLAN ID and select the ingress and egress ACLs. In my case, I selected “none”. Click Add and then Apply.

Your VLAN ID’s have been added to your access point and can be assigned with an ISE authorization policy.

For more information see Cisco documentation

Share this:

February 10, 2014 at 9:41 am

Just what I was looking for! Thanks!

November 12, 2014 at 11:07 am

Man, I was looking for this and had problems achieving it, thank you so much. Now I have clients in the correct Vlans

November 1, 2018 at 11:36 am

Thanks a lot for sharing this information.

March 6, 2023 at 6:47 am

It works for me for WLC 5520 v8.5.135.0 but it is not working on 8.10.130.0

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Notify me of follow-up comments by email.

Notify me of new posts by email.

Get the Reddit app

Cisco ise dynamic vlan assignment.