Ah - then still most of the ideas apply. If you use policy manager then the 
roles are automatically distributed to the switches - at the role tab level you 
can define the VLAN that should be assigned. This overrides the PVID setting on 
the port. You need to turn on authentication on the port and switch level and 
also enable RADIUS. All of this can be done via the port config and device 
config wizards in policy manager.

As said - our NAC appliance can act as a RADIUS server and map LDAP/AD 
attributes back to policies that get dynamically assigned. They (the policies) 
can include VLANs obviously to achieve this.

See also 
https://cp-enterasys.kb.net/al/12/3/article.aspx?aid=14317&tab=browse&bt=4&r=0.04827732

Does this help more? You can also mail me directly.

Regards
Markus

From: [email protected] [mailto:[email protected]] On Behalf Of 
VanArtsdalen, Scott
Sent: Thursday, 15 December 2011 22:17
To: Enterasys Customer Mailing List
Subject: Re: [enterasys] Setting VLAN egress based on AD group membership

Thanks Markus.  I should have been more clear.  We currently use Netsight.  I 
am familiar with Policy Manager.  We use policies to set COS up for phones and 
for blocking certain services on end user ports.  I'd like to find a way to do 
this using Policy Manager.  Also, VLANs are currently statically set on the 
edge.  We'd like them to be completely dynamic based on AD group membership 
(or the lack thereof.)

On Thu, Dec 15, 2011 at 12:24 PM, Nispel, Markus 
<[email protected]<mailto:[email protected]>> wrote:
Hi Scott

You can use Policy and RADIUS attributes to return that - as part of the policy 
you can modify the PVID including the egress as well as the VLAN egress 
separately for untagged and tagged traffic (like a dynamic 1Q trunk). You can 
use the decorated filter ID to return the policy or map RFC3580 tunnel 
attributes back as well. What product do you use?

Details can be found in the feature guide for policy: 
https://extranet.enterasys.com/downloads/Pages/dms.ashx?download=96274944-52fa-4cc1-9bba-0744d5989703
 while it is highly recommended to use the policy manager as part of the 
Netsight Suite. For authentication 
https://extranet.enterasys.com/downloads/Pages/dms.ashx?download=cf5b6f90-13a1-4253-add1-5d2a7a0cbb23

CLI commands of interest to create the policy phoneFS with pvid 11:

Fixed Switch(rw)->set policy profile 3 name phoneFS pvid-status enable pvid 11 cos-status enable cos 10

- here there are also the options for separate egress control

Radius & authentication turned on and returning as the filter id 
"Enterasys:version=1:policy=phoneFS"

Does the job. Turn on auth & RADIUS

System(rw)->set multiauth mode multi
System(rw)->set multiauth port mode force-auth ge.1.5-7

For MAC auth

System(rw)->set macauthentication enable
System(rw)->set macauthentication password enterasys
System(rw)->set macauthentication port enable ge.1.5-7

RADIUS

System(rw)->set radius server 1 10.20.10.01
System(rw)->set radius enable


If you need AD support and RADIUS services then you could also use our NAC 
solution for that.

Hope this helps
Markus

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]<mailto:[email protected]>] On Behalf Of 
VanArtsdalen, Scott
Sent: Thursday, 15 December 2011 19:26
To: Enterasys Customer Mailing List
Subject: [enterasys] Setting VLAN egress based on AD group membership

Can someone point me to a good resource on setting VLAN egress on a port based 
on membership in a given group in Active Directory?  Any whitepapers out there 
or a place in one of the manuals I should check?

Michael, you have anything that would help? :-)

  *   --To unsubscribe from enterasys, send email to 
[email protected]<mailto:[email protected]> with the body: unsubscribe enterasys 
[email protected]<mailto:[email protected]>
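
Added example, not part of the thread and not Enterasys code: a sketch of the RADIUS-side decision discussed above, turning a user's AD memberOf values into either the decorated Filter-Id or the RFC 3580 tunnel attributes, with a fallback for users in none of the groups. Only the Filter-Id format and phoneFS with pvid 11 come from the thread; the group names, the other policies and VLAN IDs, and the allowed policy-name characters are assumptions.

```python
import re

# Constructed mapping, first match wins: AD group CN -> (policy name, VLAN ID).
# Only "phoneFS" / VLAN 11 comes from the thread; the rest is hypothetical.
GROUP_POLICY = [
    ("Voice-Devices", ("phoneFS", 11)),
    ("Staff", ("staff", 20)),
    ("Students", ("student", 30)),
]
DEFAULT = ("guest", 99)  # applied when the user is in none of the groups

# Assumed safe character set for a policy name embedded in a Filter-Id.
_POLICY_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
_FILTER_ID = re.compile(r"Enterasys:version=1:policy=([A-Za-z0-9_-]{1,64})")


def group_cns(member_of):
    """Extract the leading CN from each memberOf DN, case-folded."""
    cns = set()
    for dn in member_of:
        m = re.match(r"\s*CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
        if m:
            cns.add(re.sub(r"\\(.)", r"\1", m.group(1)).casefold())
    return cns


def select(member_of):
    """Return (policy, vlan) for the first configured group the user is in."""
    cns = group_cns(member_of)
    for group, result in GROUP_POLICY:
        if group.casefold() in cns:
            return result
    return DEFAULT


def reply_attributes(member_of, rfc3580=False):
    """Build the Access-Accept attributes for one authenticated user."""
    policy, vlan = select(member_of)
    if rfc3580:
        # RFC 3580: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6)
        return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                "Tunnel-Private-Group-ID": str(vlan)}
    if not _POLICY_NAME.fullmatch(policy):
        raise ValueError("policy name not safe to embed in Filter-Id")
    return {"Filter-Id": f"Enterasys:version=1:policy={policy}"}


def parse_filter_id(value):
    """Return the policy name from a decorated Filter-Id, or None."""
    m = _FILTER_ID.fullmatch(value)
    return m.group(1) if m else None
```

The default entry covers the "lack thereof" case: an authenticated user with no matching group still gets an explicit, restrictive assignment instead of falling back to the port's static PVID.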
