Identity-management for VLAN selection on access port

Trying to set up Summit X440 and X460 switches to authenticate users against AD groups: if a user is in group1, then put the connected host in VLAN X. If there is a link to this kind of setup, it would be much obliged, because I'm having trouble getting this stuff to work.
Per Lejon

Posted 3 years ago

Per Lejon

This is my current config:

configure identity-management kerberos snooping aging time 120
enable identity-management
configure identity-management add ports 22
configure identity-management role-based-vlan add ports 22
configure identity-management role match-criteria inheritance on
create ldap domain "" default
configure ldap domain "" base-dn "DC=intra,DC=company,DC=net"
configure ldap domain "" bind-user "user" encrypted "pass"
configure ldap domain "" add server 389
create identity-management role "yyy" match-criteria "company==company;" priority 200
configure identity-management role "yyy" tag 102 vr VR-Default
Bharathiraja, Suresh, Employee
Hi Per Lejon,

Let me make sure of one thing here: do you want to deploy the switch as the authentication device for a domain?

So whoever connects to that domain has to be authenticated via the switch? Is this your requirement?


Per Lejon
Yes, exactly.
What I want to achieve is the following.
If the connected host cannot be authenticated, or is not in the domain --> it will only get the "default" VLAN for internet, mainly for guests and so on.

If the host is in the AD domain --> it can be assigned one of a range of VLANs depending on which group they are in on the AD. Or can I make this selection based on other criteria?

For example, on the Active Directory domain controller:
OU=tech will have one VLAN, OU=sales will have another VLAN, and so on.

Per Lejon
OK, this is now solved.

We're not using identity management, because if you unplug the network cable, then all Kerberos packets will be encrypted, so you will be unable to get authenticated again because of the TTL on the Kerberos handshake.

To solve this we instead used netlogin with dot1x, relaying all info to a Microsoft NPS server via RADIUS.

The NPS server has all DHCP ranges and checks the AD for the username. If authenticated, the NPS server will then reply with this along with a VLAN tag for the host to be placed in.

After tweaking some timers and such, everything works kinda well.

The auth process usually takes about 1-2 seconds. I set the timeout to 5 seconds with max 3 attempts before the user is placed in a guest VLAN.

The main problem was the dot1x host and NPS server; the switch was configured within 30 minutes or so.

And tweaking the timers was mainly done because the default timeout value was set to 2 minutes for users missing dot1x, no valid cert, or just not being able to reach the NPS server.
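The VLAN that NPS hands back arrives in the RADIUS Access-Accept as the RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>). The following is an added Python example, not code from this thread or from Extreme, that parses those attributes the way a switch must and models the retry/guest-VLAN fallback described above (5-second timeout, 3 attempts); the attribute bytes, delays and VLAN values are constructed for illustration.

```python
# RFC 2868 tunnel attribute types and the enum values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def parse_attributes(data: bytes):
    """Split a RADIUS attribute blob into (type, value) pairs (RFC 2865 TLV)."""
    attrs = []
    while data:
        atype, alen = data[0], data[1]
        if alen < 2 or alen > len(data):
            raise ValueError("malformed RADIUS attribute length")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def vlan_from_accept(data: bytes):
    """Return the VLAN id (as a string) an Access-Accept assigns, or None when the
    three tunnel attributes are missing or do not agree on one tag group."""
    groups = {}  # tag -> {attribute type: value}
    for atype, val in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # one tag octet followed by a 3-octet integer
            groups.setdefault(val[0], {})[atype] = int.from_bytes(val[1:4], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # a leading octet <= 0x1F is a tag; otherwise the whole value is the string
            tag, s = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            groups.setdefault(tag, {})[atype] = s.decode("ascii")
    for g in groups.values():
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None


def place_host(responses, guest_vlan="guest", max_attempts=3, timeout_s=5):
    """Model the port: each attempt waits up to timeout_s for an Access-Accept.
    responses is a list of (delay_s, accept_bytes_or_None) per attempt; a late
    or missing reply counts as a failed attempt and the host ends in guest_vlan."""
    for delay, accept in responses[:max_attempts]:
        if delay > timeout_s or accept is None:
            continue  # NPS unreachable, too slow, or rejected: try again
        vlan = vlan_from_accept(accept)
        if vlan is not None:
            return vlan
    return guest_vlan


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV (used here to build constructed test data)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed Access-Accept attributes: tag 1, VLAN 102 (the tag used in the thread)
ACCEPT_VLAN_102 = (attr(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big"))
                   + attr(TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big"))
                   + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"102"))
```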