Dot1x Tunnel-Private-Group-Id ACS4.0 with Wireless and Wired Users

Unanswered Question
May 1st, 2007

Hi All,

We are running ACS Version 4.0 and currently use the Tunnel-Private-Group-Id function with our wireless network using 802.1x.

Now we are exploring the possibility of using dot1x with Wired users, but have the problem that if we do try to authenticate the user, they are thrown into the Wireless VLAN.

My question is, is there any way of having more than one Tunnel-Private-Group-Id field? Or has anyone got any other suggestions?



Anonymous (not verified) Tue, 05/08/2007 - 02:07

You can have more than one Tunnel-Private-Group-Id field because there are several tags possible in ACS. The problem is however that most Cisco Switches only support the first tag. I'm not quite sure about this but I've read it somewhere ...

MIsatchenko Mon, 05/14/2007 - 16:48

Hi, I have found how to do that now. I guess my next question is how to differentiate between TAGS?

Any idea?

darpotter Tue, 05/15/2007 - 00:33

Not sure this helps... but the Tunnel-Preference attribute allows you to set relative priorities for each tag (look it up to see if 0 is high or low - can't remember)

However, you should perhaps be using a NAP to distinguish between wired and wireless LANs. This way you don't need to provision both services from the same group. Instead you create a RADIUS Auth Component for each service.
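
An added example, not part of the original thread and not ACS or switch code: a Python sketch of how RFC 2868 tagged tunnel attributes group by tag and order by Tunnel-Preference, where the RFC gives higher preference to lower values. The VLAN names, the sample bytes and the helper names are constructed, and `first_tag_vlan` is an assumed model (lowest tag wins) of the "only the first tag" behaviour mentioned in the reply above.

```python
# RADIUS tunnel attribute codes (RFC 2868) and the VLAN values from RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID, TUNNEL_PREF = 64, 65, 81, 83
VLAN, IEEE_802 = 13, 6

def tagged_int(attr, tag, value):
    # Type, Length=6, Tag octet, 3-octet big-endian value
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")

def tunnel_set(tag, vlan, preference):
    # One tunnel = the attributes that share a tag
    pgid = bytes([tag]) + vlan.encode()
    return (tagged_int(TUNNEL_TYPE, tag, VLAN)
            + tagged_int(TUNNEL_MEDIUM, tag, IEEE_802)
            + bytes([TUNNEL_PGID, 2 + len(pgid)]) + pgid
            + tagged_int(TUNNEL_PREF, tag, preference))

def parse_tunnels(attrs):
    """Group tunnel attributes by tag, most preferred first."""
    tunnels, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"malformed attribute at offset {i}")
        attr, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if attr not in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID, TUNNEL_PREF):
            continue  # not a tunnel attribute
        if not value or (attr != TUNNEL_PGID and len(value) != 4):
            raise ValueError(f"bad length for attribute {attr}")
        tag = value[0]
        if attr == TUNNEL_PGID:
            # A first octet above 0x1F is string data, not a tag (RFC 2868)
            tag, field = (0, value) if tag > 0x1F else (tag, value[1:])
            field = field.decode()
        else:
            field = int.from_bytes(value[1:], "big")
        tunnels.setdefault(tag, {"tag": tag})[attr] = field
    # RFC 2868: lower Tunnel-Preference value = higher preference.
    # Assumption: a tunnel without a preference sorts last.
    return sorted(tunnels.values(),
                  key=lambda t: (t.get(TUNNEL_PREF, 0x1000000), t["tag"]))

def first_tag_vlan(attrs):
    # Assumed model of a NAS that honours only the lowest tag, ignoring preference
    return min(parse_tunnels(attrs), key=lambda t: t["tag"])[TUNNEL_PGID]

# Constructed sample: attribute bytes of an Access-Accept offering two VLANs
SAMPLE = tunnel_set(1, "WIRELESS", 2) + tunnel_set(2, "WIRED", 1)

if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE):
        print(t["tag"], t[TUNNEL_PGID], t[TUNNEL_PREF])
    print("first-tag NAS picks:", first_tag_vlan(SAMPLE))
```

On the constructed sample the preference ordering puts WIRED first, while the first-tag model still returns WIRELESS, which is the mismatch to check for on the switch before relying on multiple tags.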


Anonymous (not verified) Tue, 05/08/2007 - 02:08

