Not sure if it was directed at me or the original poster, but I think it comes 
down more to an identity management classification and access issue at that point.

  1.  If employees are allowed network access to student resources, then just 
put the employee rule above the student rule in ISE and the access will 
waterfall.
  2.  If employees are restricted from seeing student resources, you may have 
to create another level of access called Student Employees, where ISE matches 
the rule if you are a member of the employees group AND the students group, and 
place them in a VLAN that has access to both resources.
  3.  If you don’t want to use VLAN switching, you can use DACLs (find what 
works best for you). In this scenario, employees and students get put into the 
same VLAN and access is controlled via DACL instead of regular IP firewalling. 
Student-only users get a DACL applied that only allows access to student things. 
Employee-only users get access only to employee things. Student Employees get 
access to both using the same process as #2, except using DACLs instead of VLAN 
switching.

Those are just 3 ways to handle that off the top of my head.
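A toy model of those three options, added here as an example and not part of the original message, ISE's configuration, or its API. It implements the first-match, top-to-bottom evaluation an ISE authorization policy uses, so it shows why the order of the rules decides which VLAN a dual-appointment user lands in: with the Employees rule above Students, the user "waterfalls" into the employee VLAN (option 1); with a combined Employees-AND-Students rule placed above both single-group rules, the user lands in the VLAN that reaches both (option 2), while the same rule placed below Employees can never match, which `shadowed_rules()` flags; and the DACL variant keeps one VLAN and returns ACL text instead (option 3). The realm split at the end mirrors the single-eduroam-SSID flow from the original post (local realm authenticated here, everything else proxied out). Group names, VLAN numbers, ACL lines and the realm `example.edu` are constructed placeholders.

```python
"""Toy first-match authorization engine (added example, not ISE code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    required_groups: FrozenSet[str]   # every listed group must be held (AND)
    vlan: Optional[int] = None        # result: dynamic VLAN, or None
    dacl: Tuple[str, ...] = ()        # result: downloadable ACL lines, or empty


@dataclass(frozen=True)
class Decision:
    rule: str
    vlan: Optional[int]
    dacl: Tuple[str, ...]


def evaluate(rules: Sequence[Rule], groups: FrozenSet[str]) -> Decision:
    """First match wins, top to bottom, like an ISE authorization policy."""
    for rule in rules:
        if rule.required_groups <= groups:
            return Decision(rule.name, rule.vlan, rule.dacl)
    return Decision("DenyAccess", None, ())


def shadowed_rules(rules: Sequence[Rule]) -> List[str]:
    """Names of rules that can never match: an earlier rule requires a subset
    of their groups, so any session satisfying them already matched above."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(earlier.required_groups <= later.required_groups
               for earlier in rules[:i]):
            shadowed.append(later.name)
    return shadowed


EMP, STU = frozenset({"employees"}), frozenset({"students"})   # constructed
BOTH = EMP | STU

# Option 1: employees may see student resources, so Employees sits above
# Students and a dual-appointment user waterfalls into the employee VLAN.
WATERFALL = [Rule("Employees", EMP, vlan=10), Rule("Students", STU, vlan=20)]

# Option 2: employees must NOT see student resources, so a combined rule
# (member of employees AND students) lands them in a VLAN reaching both.
COMBINED = [Rule("StudentEmployees", BOTH, vlan=30),
            Rule("Employees", EMP, vlan=10),
            Rule("Students", STU, vlan=20)]

# Same rules, wrong order: the combined rule is below Employees and is dead.
COMBINED_MISORDERED = [COMBINED[1], COMBINED[2], COMBINED[0]]

# Option 3: one VLAN for everyone; access is shaped by DACL instead.
EMP_ACL = ("permit ip any 10.1.0.0 0.0.255.255",)   # constructed ACL text
STU_ACL = ("permit ip any 10.2.0.0 0.0.255.255",)
DACL_ONLY = [Rule("StudentEmployees", BOTH, vlan=100, dacl=EMP_ACL + STU_ACL),
             Rule("Employees", EMP, vlan=100, dacl=EMP_ACL),
             Rule("Students", STU, vlan=100, dacl=STU_ACL)]

# Realm split for a single eduroam SSID: local realms are authenticated
# against the local directory, anything else is proxied out to eduroam.
LOCAL_REALMS = {"example.edu"}   # constructed placeholder realm


def route(identity: str) -> str:
    realm = identity.rpartition("@")[2].lower()
    return "local" if realm in LOCAL_REALMS else "eduroam-proxy"


if __name__ == "__main__":
    print("waterfall :", evaluate(WATERFALL, BOTH))
    print("combined  :", evaluate(COMBINED, BOTH))
    print("misordered:", evaluate(COMBINED_MISORDERED, BOTH),
          "shadowed =", shadowed_rules(COMBINED_MISORDERED))
    print("dacl-only :", evaluate(DACL_ONLY, BOTH))
    print(route("alice@example.edu"), route("bob@other-university.example"))
```

The `shadowed_rules()` check is the part worth carrying over to a real policy review: in any first-match rule set, a rule whose conditions are a superset of an earlier rule's conditions is unreachable, and the combined Student Employees rule of option 2 is exactly such a rule unless it sits above both single-group rules.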

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of James Helzerman 
<jarh...@umich.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, July 8, 2021 at 2:05 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Out of curiosity how would you handle someone that has dual appointments such 
as a student that is also an employee?

-Jimmy

On Wed, Jul 7, 2021 at 7:19 PM Heavrin, Lynn <lheav...@wustl.edu> wrote:
Feel free to reach out. We’re running 2.7 patch 3 with 8540s. We assign users 
to VLANs for some things, but we also like actually using ISE-assigned 
interface groups instead, which contain multiple interfaces/VLANs, for more 
scalability.

Thanks,

Lynn Heavrin
Network Engineer III | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-01
Phone: 314.935.3877 | Email: lheav...@wustl.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Manon Lessard 
<manon.less...@dti.ulaval.ca>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, July 7, 2021 at 12:28 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Same here, everything done with ISE.

DM if you need help.

Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality: http://www.rec.ulaval.ca/lce/securite/confidentialite.htm


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Gray, Sean" 
<sean.gr...@uleth.ca>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, July 7, 2021 at 12:52 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN

Hi Everyone,

We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam) into 
a single WLAN (eduroam). Behind the scenes we still need to authenticate and 
route clients to their respective network segment, so to achieve this we need 
to implement dynamic VLAN redirects behind the scenes.

Eduroam users from other institutions will be sent out to eduroam to be handled 
appropriately.

Authentication will be handled by ISE cluster, running 2.6.0.156
WLC – 5520 (pair) running 8.8.130.0

The process, from a high level, should look something like this:

  *   Staff/faculty will connect to our new single WLAN, namely eduroam.
  *   They will be caught by the appropriate policy and authenticated against 
AD, validating that they are staff/faculty.
  *   Now they will be redirected to the appropriate VLAN.
  *   Students will follow the same process, but will be validated as students 
and redirected to a different VLAN.
  *   All others (externals) will be sent to an external RADIUS server for auth 
and then redirected to yet another different VLAN.

Currently unique policies exist for each of these processes, without the added 
complexity of the VLAN redirect. So my mission is to combine these, filtering 
each client to their auth point, and then upon receiving the authorization, 
assign the appropriate VLAN tag for IP assignment prior to them getting 
on-net.

I’ve been unable to find any meaningful documentation around how to handle 
internal vs external RADIUS redirection in this scenario.

So has anyone done this, and are they able to share their process, inclusive of 
VLAN redirect?

Thanks

Sean

Sean Gray | B.Sc (Hons)
Voice, Collaboration & Wireless Network Analyst
ITS, University of Lethbridge


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

________________________________
The materials in this message are private and may contain Protected Healthcare 
Information or other information of a sensitive nature. If you are not the 
intended recipient, be advised that any unauthorized use, disclosure, copying 
or the taking of any action in reliance on the contents of this information is 
strictly prohibited. If you have received this email in error, please 
immediately notify the sender via telephone or return mail.


--
James Helzerman
Lead Network Engineer
University of Michigan - ITS
Phone: 734-615-9541