ACS 4.1 and 802.1x dynamic VLAN assignment

Answered Question
Jul 16th, 2007

Hi Guys,

a customer wants to implement dynamic vlan assignment with 802.1x. The customer has the following equipment, Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, many Cisco Switches and Routers.

Now the questions are: can we implement dynamic VLAN assignment without a NAC appliance? The customer also wants to distinguish between clients with current antivirus signatures and clients with old signatures. Older clients should only have access to the antivirus server to update the signatures and, if everything is OK, then have access to the internal network.

How could we implement this without any new hardware or software?

Any ideas? Thanks for your help.

Rene

darpotter Mon, 07/16/2007 - 06:01

You can definitely do dynamic VLAN assignment with ACS, either by group membership or by a combination of NAP + group + NAC status.

You can also build simple NAC policies in ACS to test AV attributes returned from the supplicant. Should be easy enough to look for virus def dates older than some limit.

rene.schmid Mon, 07/16/2007 - 07:16

Hi,

thanks for this information.

Have you done such a configuration already?

Do you know some links or URLs?

thanks

rene

stephen.stack Wed, 07/18/2007 - 11:50

Hi Rene,

I might be able to help with half of your problem. I have successfully set up MAC-based authentication and dynamic VLAN assignment using ACS. I have never configured any NAC policies... so I'm afraid I can't help with that.

My config was as follows:

On the ACS server configure both the username and password the same as the PC/laptop MAC address.

Also on the ACS server configure these options... I used the Cisco ACS RADIUS (IETF) server:

  • Tunnel-Type = VLAN
  • Tunnel-Medium-Type = 802
  • Tunnel-Private-Group-ID = (VLANNumber)

Now globally on the switch configure this:

!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco
radius-server source-ports 1645-1646
radius-server deadtime 1
!

And on the interfaces configure this:

!
interface FastEthernet 0/1
 switchport mode access
 switchport nonegotiate
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 2
 dot1x max-reauth-req 1
 spanning-tree portfast
!

You may notice that I have changed the dot1x timeouts. My reason was that dot1x was taking too long to authorize the MAC address and then bring up the port (about 40-60 seconds) (I am open to correction on this as I was only testing it last week :) ).

By reducing the dot1x timeouts the MAC was authorised and the port was brought up quicker.

HTH. Please rate if it does.

Stephen
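The three ACS attributes in Stephen's post are the RFC 2868 tunnel attributes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) that the switch reads from the RADIUS Access-Accept. The following is an added example, not code from the thread or from Cisco: it encodes those attributes the way a RADIUS server would, parses them the way a switch does (including the optional tag byte that RFC 2868 puts in front of tagged values), and only returns a VLAN when the complete, consistent trio is present. The attribute numbers and the values VLAN = 13 and 802 = 6 come from the IANA RADIUS registries; the numeric-only handling of the group id is an assumption for the example (a switch may also accept a VLAN name).

```python
# Added example (not from the thread): encode and decode the RFC 2868 tunnel
# attributes that ACS returns in a RADIUS Access-Accept for dynamic VLAN
# assignment, and decide which VLAN a switch would apply to the port.

# RADIUS attribute types from RFC 2868
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # IANA tunnel type "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # IANA tunnel medium "802"


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute: type, length, one tag byte, 3-byte big-endian value."""
    if not 0 <= value < 2 ** 24:
        raise ValueError("value does not fit in 3 bytes")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string attribute; the tag byte is omitted when tag is 0 (RFC 2868 s3.6)."""
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_accept_attrs(vlan_id, tag=0):
    """The attribute trio Stephen configured on ACS: VLAN / 802 / VLAN number."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attrs(data):
    """Walk RADIUS type/length/value triples; returns a list of (type, value bytes)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def split_tag(value):
    """RFC 2868: a leading byte in 0x00..0x1F is a tag, anything else is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(data):
    """Return the VLAN id a switch should apply, or None when the trio is
    incomplete or inconsistent (the port then stays in its configured VLAN)."""
    by_tag = {}
    for attr_type, value in parse_attrs(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, raw = split_tag(value)
            if len(raw) != 3:
                raise ValueError("tagged integer must carry a 3-byte value")
            by_tag.setdefault(tag, {})[attr_type] = int.from_bytes(raw, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, raw = split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = raw.decode("ascii", "replace")
    # Attributes belonging to one tunnel share a tag; evaluate each group on its own.
    for _tag, attrs in sorted(by_tag.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            group_id = attrs[TUNNEL_PRIVATE_GROUP_ID]
            # Assumption for this example: numeric VLAN ids only (1..4094).
            if group_id.isdigit() and 1 <= int(group_id) <= 4094:
                return int(group_id)
    return None


if __name__ == "__main__":
    accept = build_vlan_accept_attrs(100)          # constructed sample Access-Accept
    print(accept.hex())
    print("VLAN applied:", vlan_from_accept(accept))
```

The decision logic mirrors what matters operationally: if any of the three attributes is missing, or Tunnel-Type and Tunnel-Medium-Type do not say VLAN over 802, the switch does not move the port, which is the usual reason a "working" ACS group policy leaves hosts in the default VLAN. With MAC authentication bypass the identity is only the MAC address, so the VLAN such an identity maps to is best treated as a low-trust segment rather than the same VLAN that an 802.1X-authenticated user would receive.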

Correct Answer
andrew.brazier@... Fri, 07/20/2007 - 04:49

You might want to take a look at the NAC Framework system. If you only want to posture validate wired clients then there are no additional components to buy. If you want to go wireless you will probably need to buy a Cisco client that supports wireless. You can get the configuration guide from here:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf

I suggest you prototype it and see what you think, the nice thing is that you can deploy it on a per switchport basis so you can do all the setup on ACS without disturbing what's there already and apply it by configuring the switch.

rene.schmid Fri, 07/20/2007 - 22:20

Hi Andrew,

that's exactly what I'm searching for... I will go on and test it with the customer's equipment.

thank you

rene

rene.schmid Fri, 07/20/2007 - 22:18

Hi Stephen,

thanks for your message; the later message from Andrew solved my problem...

I'm sorry, but there was not only MAC-based authentication planned...

But thanks also for the information about the timeout settings...

cheers

rene

stephen.stack Sat, 07/21/2007 - 01:23

No worries, Andrew's post helped me out a bit in understanding NAC a bit more too. A win-win all round, I'd say. :)

Stephen
