How to supersede a machine's VLAN assigned by 802.1x

Unanswered Question
May 25th, 2007

Hi,

I'm working in a NAC lab where I wish to assign a VLAN via 802.1x during machine boot, using machine authentication only in CTA. After that, when a user logs into that machine, I want to assign a user-based VLAN even though the switch port is already authorized. Is there any solution for that?

Thanks in advance,

Alberto

phoonts01 Mon, 05/28/2007 - 00:37

Hi Alberto,

Yes. You can do that with Cisco ACS. Firstly, add the computer name registered in the AD domain into a group. Map the group in ACS and the user in another group. Follow the user guide on how to assign a dynamic VLAN and you should be able to get it to work.

My problem is without machine authentication but allowing the user to log on the first time on the machine. It seems that in ACS, the user needs to have his credentials cached locally before he can log on to the network. Is anyone able to overcome it?

Thx.

Cheers,

Phoon

al_vargas Mon, 05/28/2007 - 04:21

Phoon,

I think that might work with the 802.1x native Windows supplicant; however, I have been deploying the 802.1x supplicant version of CTA. After a successful posture validation I'm not able to supersede the healthy VLAN with the machine VLAN, nor supersede the healthy VLAN with the user VLAN. In ACS Reports and Activity I can see both machine and users are being successfully authenticated, but their profiled VLANs are not being used. Any idea?

Thanks,

phoonts01 Mon, 05/28/2007 - 06:30

Hi Alberto,

It definitely works on native Windows, as I have it in production. I'm not familiar with CTA, but I thought it should work on the same principle. I suggest you first test on the pure Windows XP supplicant to confirm the VLAN assignment is working. After that, read the CTA part carefully and check whether an XP setting is required.

My two cents' thought.

Cheers,

Phoon

al_vargas Mon, 05/28/2007 - 11:29

Phoon,

I will follow your advice. If there is any good news I will get in touch.

Thank you very much,

Alberto

phoonts01 Mon, 05/28/2007 - 21:27

Thanks. Please rate accordingly whether the suggestion is workable.

Cheers,

Phoon
