Currently for 802.1x and MAB with Cisco ISE I am using a dACL for unauthenticated domain machines along with some rules that use either different dACLs to allow traffic or a specific Vlan for certain machines. This is working well, but I need to roll this out to multiple sites and I have some concern as not all of the sites have uniform Vlan setups and have their own distributed servers for AD and such.
Right now its easy to apply to any normal data vlan.
Machines without domain certs get put in guest vlan and set to guest registration portal - VLAN redirect (MAB)
Machines with a domain cert get a 'Domain Services Only' dACL. Allows AD auth and SCCM patching, certs, etc - dACL (802.1x)
Domain users logging in via 802.1x with Domain machine cert and domain user cert get standard access accept - no dACL or VLAN (802.1x)
Special case users get specific vlans by dept (HR, Finance, etc that are pre segmented) - VLAN redirect (802.1x)
Works pretty good, except I only have 1 site so far. As I roll out I will have to add a ton more servers to the dACL (local AD, DNS, SCCM, and Cert servers) So I can see that dACL getting very large and applying to a lot of ports. I'm worried about the dACL overhead, is this typically an issue in large deployments?
I'm also worried that the Vlans are not consistent throughout each site, so this may end up in resulting in a huge policy list providing proper Vlans.
Theoretically I could use dACLs for all groups and simplify it a little bit, but that would mean a dACL applied to nearly every port, is this even feasible? Does anyone use this approach?
The solution I thought to use to simplify this setup prior to rollout and making it easier to roll out would be to use a standard unauth Vlan and a standard set of vlans for a Vlan Group. It would be easy to carve aside a set of vlans I could deploy at every site and I could script it pretty quickly. I would have each site's individual 'Domain Services' ACL entries applied to the site's own Unauth Vlan and then a Vlan Group or two that I can name the same but customize at each site as needed. This would clean up my Policy rules and overal Vlan usage. It does require some more background maintenance though..
My idea would look like:
Machines without domain certs get put in guest Vlan and set to guest registration portal - VLAN redirect (MAB)
Machines with a domain cert get put in standard Unauth Vlan. Allows AD auth and SCCM patching, certs, etc -VLAN redirect (802.1x)
Domain users logging in via 802.1x with Domain machine cert and domain user cert get standard Vlan Group - VLAN load balance (802.1x)
Special case users get specific Vlan Group by dept (HR, Finance, etc that are pre segmented) - VLAN load balance (802.1x)
Does this seem like a better plan for a rollout? Has anyone used Vlan Groups and multiple Vlan redirects with 802.1x with success?
Suggestions welcome!
