Out of curiosity, how would you handle someone that has dual appointments,
such as a student that is also an employee?

-Jimmy

On Wed, Jul 7, 2021 at 7:19 PM Heavrin, Lynn <lheav...@wustl.edu> wrote:

> Feel free to reach out.  We’re running 2.7 patch 3 with 8540s.  We assign
> users to VLANs for some things, but we also like actually using ISE-assigned
> interface groups instead that contain multiple interfaces/VLANs
> for more scalability.
>
>
>
> Thanks,
>
>
>
> *Lynn Heavrin*
>
> *Network Engineer III | Network Engineering*
>
> Washington University in St. Louis
>
> 4480 Clayton Ave, St. Louis, MO 63110
>
> Mail stop 8218-45-01
> Phone: 314.935.3877 | Email: lheav...@wustl.edu
>
>
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Manon Lessard <
> manon.less...@dti.ulaval.ca>
> *Reply-To: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Wednesday, July 7, 2021 at 12:28 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single
> eduroam WLAN
>
>
>
> Same here, everything done with ISE.
>
>
>
> DM if you need help.
>
>
>
> *Manon Lessard*
> Programming and Analysis Officer
>
> CCNP, CWNE #275, AWA 10, ESCE Design
>
> Direction des technologies de l'information
>
> Pavillon Louis-Jacques-Casault
> 1055, avenue du Séminaire
> Bureau 0403
> Université Laval, Québec (Québec)
>
> G1V 0A6, Canada
>
> 418 656-2131, ext. 412853
> Fax: 418 656-7305
>
> manon.less...@dti.ulaval.ca
> www.dti.ulaval.ca
>
>
>
>
>
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Gray, Sean" <
> sean.gr...@uleth.ca>
> *Reply-To: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Wednesday, July 7, 2021 at 12:52 PM
> *To: *"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *[WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam
> WLAN
>
>
>
> Hi Everyone,
>
>
>
> We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam)
> into a single WLAN (eduroam). Behind the scenes we still need to
> authenticate and route clients to their respective network segment. So to
> achieve this we need to implement dynamic VLAN redirects behind the scenes.
>
>
>
> Eduroam users from other institutions will be sent out to eduroam to be
> handled appropriately.
>
>
>
> Authentication will be handled by ISE cluster, running 2.6.0.156
>
> WLC – 5520 (pair) running 8.8.130.0
>
>
>
> The process, from a high level, should look something like this:
>
>    - Staff/faculty will connect to our new single WLAN, namely Eduroam
>    - They will be caught by the appropriate policy and authenticated
>    against AD, validating that they are staff/faculty
>    - Now they will be redirected to the appropriate VLAN
>
>
>
>    - Students will follow the same process, but will be validated that
>    they are students, and redirected to a different VLAN
>
>
>
>    - All others (externals) will be sent to an external RADIUS server for
>    auth and then redirected to yet another different VLAN.
>
>
>
> Currently, unique policies exist for each of these processes, without the
> added complexities of the VLAN redirect. So my mission is to combine these,
> filtering each client to their auth point, and then upon receiving the
> authorization, assign the appropriate VLAN tag, for IP assignment, prior to
> them getting on-net.
>
>
>
> I’ve been unable to find any meaningful documentation around how to handle
> internal vs external RADIUS redirection in this scenario.
>
>
>
> So has anyone done this, and are they able to share their process,
> inclusive of VLAN redirect?
>
>
>
> Thanks
>
>
>
> Sean
>
>
>
> *Sean Gray* | B.Sc (Hons)
>
> Voice, Collaboration & Wireless Network Analyst
>
> ITS, University of Lethbridge
>
>
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>
>


-- 
James Helzerman
Lead Network Engineer
University of Michigan - ITS
Phone: 734-615-9541
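
The decision flow described in the original question (local staff/faculty, local students, external eduroam visitors) and the dual-appointment case raised in the reply, modelled as an added example; this is not ISE configuration and not code from anyone in the thread. The realm, group names, VLAN IDs and first-match rule ordering are assumptions made for illustration.

```python
# Added example: a model of the authorization decision, not ISE configuration.
# Realm, group names and VLAN IDs below are constructed placeholders.
LOCAL_REALMS = {"example.edu"}
VISITOR_VLAN = 300
# Ordered rules, first match wins (an assumption of this model): a student who
# is also an employee lands in the staff VLAN. Reorder to change precedence.
AUTHZ_RULES = [("Staff-Faculty", 100), ("Students", 200)]


def realm_of(identity):
    """Return the lower-cased realm of user@realm, or None if there is none."""
    _user, sep, realm = identity.rpartition("@")
    if not sep or not realm:
        return None
    return realm.lower()


def vlan_attributes(vlan_id):
    """RFC 3580 tunnel attributes that carry a VLAN in an Access-Accept."""
    return {
        "Tunnel-Type": "VLAN",             # value 13
        "Tunnel-Medium-Type": "IEEE-802",  # value 6
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize(identity, ad_groups=(), proxied_reply=None):
    """Pick Access-Accept attributes for a session that already authenticated.

    ad_groups: groups the local directory returned for a local user.
    proxied_reply: attributes the external RADIUS server returned, if any.
    """
    realm = realm_of(identity)
    if realm is None:
        return None  # reject: a request without a realm cannot be routed
    if realm not in LOCAL_REALMS:
        if proxied_reply is None:
            return None  # the external server did not accept the user
        # Ignore any Tunnel-* values sent by the remote side: which VLAN a
        # visitor gets is local policy, not the home institution's choice.
        return vlan_attributes(VISITOR_VLAN)
    for group, vlan_id in AUTHZ_RULES:
        if group in ad_groups:
            return vlan_attributes(vlan_id)
    return None  # local user in no known group gets no default segment
```
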
