01-20-2022 04:42 AM
01-26-2022 01:19 PM
This is the way I would recommend to do it:
1. NAC rule for Printers:
2. Policy mapping for Printers has multiple mappings with a location group per switch:
All printers will hit the "Printer" rule and NAC will send different RFC 3580 VLAN authorizations based on the switch that sent the authentication request.
Brian's solution is one too. If Policy VLAN Islands or policy isn't supported by the older or 3rd-party devices, as long as they can process an RFC 3580 VLAN authorization with a VLAN name instead of a VLAN ID, you can configure the same VLAN name on all switches and map it to a different VLAN ID per switch.
So:
Switch 1 would have "Printer" VLAN be VLAN 1
Switch 2 would have "Printer" VLAN be VLAN 2
Switch 3 would have "Printer" VLAN be VLAN 3
NAC would always send back RFC 3580 VLAN NAME (Printer), and the individual switch can provision the unique VLAN per switch accordingly.
Policy VLAN Islands just makes it easy to deploy and manage this type of configuration.
01-22-2022 12:48 PM
Hello,
Yes, NAC has the ability to provide a different authorization based on location group by utilizing location based policy mappings.
You will have one rule that has one profile that maps to a number of policy mappings that are used based on location criteria within the policy mapping itself.
For instance:
Unregistered with "Map to Location" "Any"
Unregistered with "Map to location" "XCC". XCC being the IP address of the XCC controller.
So there are two policy mappings named "Unregistered", but if the XCC controller sends the RADIUS access request, NAC will send a different policy name based on the policy mapping:
So NAC would send "Unregistered role for BCS_WIRELESS" as the filter-id ONLY to the XCC. Any other switch would have the filter-id of "Unregistered" sent.
So you would create a new policy mapping for each switch location group, and define the switches inside the location group.
You'll probably be working with RFC 3580 for VLAN authorization. There is no difference. Instead of filter-id you would send a different VLAN ID.
So:
policyMappingName - Location group: switch 1 - VLAN 1
policyMappingName - Location group: switch 2 - VLAN 2
policyMappingName - Location group: switch 3 - VLAN 3
policyMappingName - Location group: switch 4 - VLAN 4
The key is that the policy mapping names must all be the same, and you should leave one of the policy mappings set to a location of "any" or NAC will throw an error on enforce saying that there is no default policy mapping.
Thanks
-Ryan
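The location-based selection described in both replies above, as an added example that is not part of the thread or of the NAC product: policy mappings sharing one name, a per-switch location group lookup keyed on the NAS-IP-Address of the RADIUS request, the mandatory "Any" default, and the RFC 3580 tunnel attributes that carry the chosen VLAN. The location-group addresses and mapping names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 3580 VLAN assignment: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6),
# Tunnel-Private-Group-ID carrying either the VLAN ID or the VLAN name.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

@dataclass
class PolicyMapping:
    name: str       # every mapping behind one profile shares this name
    location: str   # "Any" (default) or a location-group name
    vlan: str       # VLAN ID or VLAN name sent as Tunnel-Private-Group-ID

# Constructed location groups: group name -> switch management addresses/prefixes.
LOCATION_GROUPS = {
    "switch1": [ip_network("10.0.1.1/32")],
    "switch2": [ip_network("10.0.2.1/32")],
    "switch3": [ip_network("10.0.3.0/24")],
}

def has_default(mappings, profile_name):
    """Enforce-time sanity check: the profile needs a mapping with location 'Any'."""
    return any(m.name == profile_name and m.location == "Any" for m in mappings)

def resolve_mapping(mappings, profile_name, nas_ip):
    """Pick the mapping whose location group contains the requesting switch."""
    if not has_default(mappings, profile_name):
        raise ValueError(f"no default policy mapping for {profile_name!r}")
    nas = ip_address(nas_ip)
    candidates = [m for m in mappings if m.name == profile_name]
    for m in candidates:
        nets = LOCATION_GROUPS.get(m.location, [])
        if m.location != "Any" and any(nas in net for net in nets):
            return m
    # Switch not in any location group: fall back to the "Any" mapping.
    return next(m for m in candidates if m.location == "Any")

def rfc3580_attributes(mapping):
    """Attributes NAC would place in the RADIUS Access-Accept."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
            "Tunnel-Private-Group-ID": mapping.vlan}

# Constructed mappings: same name, one per location group, plus the required default.
# The default sends the VLAN name (Brian's approach) so switches outside every
# location group can still map "Printer" to their own local VLAN ID.
PRINTER_MAPPINGS = [
    PolicyMapping("Printer", "Any", "Printer"),
    PolicyMapping("Printer", "switch1", "1"),
    PolicyMapping("Printer", "switch2", "2"),
    PolicyMapping("Printer", "switch3", "3"),
]
```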