Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
824
Views
3
Helpful
5
Replies

How to supersede machines VLAN assigned by 802.1x

al_vargas
Level 1
Level 1

‎05-25-2007 11:51 AM - edited ‎03-10-2019 03:10 PM

Hi,

I'm working in a NAC lab where I wish assign a VLAN via 802.1x during machine boot using machine authentication only in CTA. After that when an user logs into that machine I want to assign an user based VLAN even thought switch port is already authorized. Is there any solution for that?

Thanks in advanced,

Alberto

Labels:
0 Helpful
5 Replies 5

phoonts01
Level 1
Level 1

‎05-28-2007 12:37 AM

Hi Alberto,

Yes. You can do that with Cisco ACS. Firstly add the computer name registered in the AD domain into a group. Map the group in ACS and user in another group. Follow the user guide on how to assign dynamic vlan and you should be able to get it to work.

My problem is without machine authentication but allow user to logon first time on the machine. It seem in ACS, the user need to have his credential cached locally before he can logon into the network. Anyone able to overcome it?

Thx.

Cheers,

Phoon

0 Helpful

al_vargas
Level 1
Level 1
In response to phoonts01

‎05-28-2007 04:21 AM

Phoon,

I think that might work with 802.1x native Windows supplicant, however I have been deploying 802.1x supplicant version of CTA. After a successful posture validation I'm not being able to supersede healthy VLAN with the machine VLAN nor supersede healthy VLAN with user VLAN. In ACS Reports and Activity I can see both machine and users are being successfully authenticated but their profiled VLAN are not being used. Any ideia?

Thanks,

0 Helpful

phoonts01
Level 1
Level 1
In response to al_vargas

‎05-28-2007 06:30 AM

Hi Alberto,

It definitely works on native Windows as I have it in production. I'm not familiar with CTA but I thought it should work on the same principle. I suggest you first test out on pure Windows XP supplicant to confirm the VLAN assignment is working. After that read carefully on the CTA part and whether XP setting is required.

My two cent's thought.

Cheers,

Phoon

al_vargas
Level 1
Level 1
In response to phoonts01

‎05-28-2007 11:29 AM

Phoon,

I will follow you advices. Any good news I will get in touch.

Thank you very much,

Alberto

0 Helpful

phoonts01
Level 1
Level 1
In response to al_vargas

‎05-28-2007 09:27 PM

Thanks. Plse rate accordingly whether the suggestion is workable.

Cheers,

Phoon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents