07-16-2007 02:52 AM - edited 03-10-2019 03:16 PM
Hi Guys,
A customer wants to implement dynamic VLAN assignment with 802.1x. The customer has the following equipment: Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, many Cisco switches and routers.
Now the questions are: can we implement dynamic VLAN assignment without a NAC appliance, and the customer also wants to distinguish between clients with current antivirus signatures and clients with old signatures. Older clients should only have access to the antivirus server to update the signatures, and if everything is ok, then have access to the internal network.
How could we implement this without any new hardware or software?
Any ideas?? Thanks for help.
Rene
07-20-2007 04:49 AM
You might want to take a look at the NAC Framework system. If you only want to posture validate wired clients then there are no additional components to buy. If you want to go wireless you will probably need to buy a Cisco client that supports wireless. You can get the configuration guide from here:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf
I suggest you prototype it and see what you think, the nice thing is that you can deploy it on a per switchport basis so you can do all the setup on ACS without disturbing what's there already and apply it by configuring the switch.
07-16-2007 06:01 AM
You can definitely do dynamic VLAN assignment with ACS, either by group membership or a combination of NAP + group + NAC status.
You can also build simple NAC policies in ACS to test AV attributes returned from the supplicant. Should be easy enough to look for virus def dates older than some limit.
07-16-2007 07:16 AM
Hi,
thanks for this information.
Have you done such a configuration already?
Do you know some links or URLs?
thanks
rene
07-18-2007 11:50 AM
Hi Rene,
I might be able to help with half of your problem. I have successfully set up MAC-based authentication and dynamic VLAN assignment using ACS. I have never configured any NAC policies... so I'm afraid I can't help with that.
My config was as follows:
On the ACS server configure both the username and password the same as the PC/laptop MAC address.
Also on the ACS server configure these options... I used Cisco ACS RADIUS (IETF) Server.
- Tunnel-Type = VLAN
- Tunnel-Medium-Type = 802
- Tunnel-Private-Group-ID = (VLANNumber)
Now globally on the switch configure this:
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
radius-server host 172.16.0.1 auth-port 1645 acct-port 1646 key cisco
radius-server source-ports 1645-1646
radius-server deadtime 1
!
And on the interfaces configure this:
!
interface FastEthernet 0/1
switchport mode access
switchport nonegotiate
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
dot1x max-reauth-req 1
spanning-tree portfast
!
You may notice that I have changed the dot1x timeouts. My reason was that dot1x was taking too long to authorize the MAC address and then bring up the port (about 40-60 seconds) (I am open to correction on this as I was only testing it last week :) ).
By reducing the dot1x timeouts the MAC was authorised and the port was brought up quicker.
HTH Please rate if it does
Stephen
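The three IETF attributes Stephen lists are what the switch needs to see in the RADIUS Access-Accept, so it is worth being able to check a captured reply for them. The following is an added example, not code from the thread or from Cisco: it builds those tagged attributes (type codes and the VLAN/802 values from RFC 2868 and RFC 3580) and decodes an attribute list the way a switch would, returning no VLAN when any of the three is missing or does not match.

```python
import struct

# RADIUS attribute type codes from RFC 2868 and the values IOS expects (RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type = 802

def avp(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged_int(tag, value):
    """Tagged integer: one tag byte followed by a 24-bit big-endian value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]

def build_vlan_avps(vlan, tag=1):
    """The three attributes an ACS server returns to assign a VLAN dynamically."""
    return (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))

def parse_avps(data):
    """Split a raw attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 3 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out

def assigned_vlan(data):
    """Return the VLAN id (or VLAN name) a switch would apply from an Access-Accept,
    or None when Tunnel-Type / Medium-Type / Group-ID are missing or inconsistent."""
    groups = {}  # tag -> {attribute type: value without the tag byte}
    for atype, val in parse_avps(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and val:
            # A leading byte <= 0x1F is a tag; anything larger is part of the value (RFC 2868)
            tag, body = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            groups.setdefault(tag, {})[atype] = body
    untagged = groups.get(0, {})  # assumption: tag-0 attributes apply to any group
    for attrs in groups.values():
        merged = {**untagged, **attrs}
        if (merged.get(TUNNEL_TYPE) == tagged_int(0, TUNNEL_TYPE_VLAN)[1:]
                and merged.get(TUNNEL_MEDIUM_TYPE) == tagged_int(0, TUNNEL_MEDIUM_IEEE802)[1:]
                and TUNNEL_PRIVATE_GROUP_ID in merged):
            group = merged[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", errors="replace")
            return int(group) if group.isdigit() else group
    return None
```

Feed `assigned_vlan` the attribute bytes of a captured Access-Accept (everything after the 20-byte RADIUS header) to confirm the server is returning a usable VLAN before blaming the switch.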
07-20-2007 10:20 PM
Hi Andrew,
that's exactly what I'm searching for.... I will go on and test it with the customer's equipment.
thank you
rene
07-20-2007 10:18 PM
Hi Stephen,
thanks for your message; the message after it from Andrew solved my problem....
I'm sorry, but there was not only MAC-based authentication planned...
But thanks also for the information about the timeout settings...
cheers
rene
07-21-2007 01:23 AM
No worries, Andrew's post helped me out a bit in understanding NAC a bit more too. A win-win all round, I'd say. :)
Stephen