identity-management for vlan selection on access port

Trying to set up Summit X440 and X460 switches to authenticate users against AD groups: if a user is in group1, then put the connected host in VLAN X. If there is a link to this kind of setup, I would be much obliged, because I'm having trouble getting this stuff to work.


This is my current config:

configure identity-management kerberos snooping aging time 120
enable identity-management
configure identity-management add ports 22
configure identity-management role-based-vlan add ports 22
configure identity-management role match-criteria inheritance on
create ldap domain "" default
configure ldap domain "" base-dn "DC=intra,DC=company,DC=net"
configure ldap domain "" bind-user "user" encrypted "pass"
configure ldap domain "" add server 389
create identity-management role "yyy" match-criteria "company==company;" priority 200
configure identity-management role "yyy" tag 102 vr VR-Default
Hi Per Lejon,

Let me make sure of one thing here: do you want to deploy the switch as the authentication device for a domain?

So whoever connects to that domain has to be authenticated via the switch? Is this your requirement?


Yes, exactly. What I want to achieve is the following: if the connected host cannot be authenticated, or is not in the domain, it will only get the "default" VLAN for internet, mainly for guests and so on. If the host is in the AD domain, it can be assigned one of a range of VLANs depending on which group it is in on the AD. Or can I make this selection based on other criteria? For example, on the Active Directory domain controller, OU=tech would get one VLAN, OU=sales would get another VLAN, and so on. //Per
OK, this is now solved.
We're not using identity management, because if you unplug the network cable, then all Kerberos packets will be encrypted, so you will be unable to get authenticated again because of the TTL on the Kerberos handshake.

To solve this we instead used netlogin with dot1x, relaying all info to a Microsoft NPS server via RADIUS.
The NPS server has all the DHCP ranges and checks the AD for the username. If authenticated, the NPS server replies with the result along with a VLAN tag for the host to be placed in.
After tweaking some timers and such, everything works kinda well.

The auth process usually takes about 1-2 seconds. I set the timeout to 5 seconds with a maximum of 3 attempts before the user is placed in a guest VLAN.

The main problem was the dot1x host and the NPS server; the switch was configured within 30 minutes or so.
Tweaking the timers was mainly done because the default timeout was 2 minutes for users missing dot1x, having no valid cert, or just not being able to reach the NPS server.
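Below is an added example of the kind of netlogin/dot1x configuration the solution above describes; it is not the poster's configuration and was not part of the thread. It assumes a single access port (22), an NPS/RADIUS server at 10.0.0.5 reachable through VR-Default from switch address 10.0.0.1, a holding VLAN "nvlan" for unauthenticated ports, a "guest" VLAN with tag 99 for hosts that fail or never start 802.1X, and a "tech" VLAN with tag 102 that NPS hands back for one AD group. Every address, VLAN name, tag and the shared secret is a placeholder; the 5-second timer values mirror the post, and the "3 attempts" the post mentions is left to the EAP retransmission behaviour rather than a separate knob.

```exos
# Added example, not the poster's running config. All addresses, names,
# tags and the shared secret below are placeholders (assumptions).

# VLANs: the one a port sits in before authentication, the fallback for
# hosts with no/failed dot1x, and one VLAN that NPS will assign by tag.
create vlan nvlan
create vlan guest
configure vlan guest tag 99
create vlan tech
configure vlan tech tag 102

# RADIUS client for network login; replace the secret with a long random one.
configure radius netlogin primary server 10.0.0.5 1812 client-ip 10.0.0.1 vr VR-Default
configure radius netlogin primary shared-secret changeme
# Per-request RADIUS timeout; the post measured 1-2 s per auth and used 5 s.
configure radius netlogin timeout 5
enable radius netlogin

# 802.1X network login on the access port.
configure netlogin vlan nvlan
enable netlogin dot1x
enable netlogin ports 22 dot1x

# Hosts that send no EAPOL, fail authentication, or cannot reach NPS are
# moved into "guest" instead of being left with no connectivity.
configure netlogin dot1x guest-vlan guest ports 22
enable netlogin dot1x guest-vlan ports 22

# Shorten the dot1x timers from their defaults so the fall-through to the
# guest VLAN takes seconds rather than minutes.
configure netlogin dot1x timers supp-resp-timeout 5
configure netlogin dot1x timers server-timeout 5
configure netlogin dot1x timers quiet-period 5
configure netlogin dot1x eapol-transmit-period 5

# NPS side (per network policy, condition "Windows Groups" = the AD group):
# return the standard RFC 3580 tunnel attributes so the switch can move the
# host into the VLAN with that tag.
#   Tunnel-Type          = Virtual LANs (VLAN)
#   Tunnel-Medium-Type   = 802 (includes all 802 media plus Ethernet canonical format)
#   Tunnel-Pvt-Group-ID  = 102        <- the VLAN tag, sent as a string
```

After applying it, `show netlogin ports 22 dot1x` shows the authenticated user and the VLAN the port was moved to, and `show radius netlogin` confirms the server and timeout. The VLAN that NPS returns by tag has to exist on the switch (or dynamic VLAN creation has to be enabled) or the Access-Accept is honoured without a VLAN move; the guest fallback means a host that never authenticates still gets a network, which is what the post asks for, so that VLAN should be firewalled to "internet only".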