NAC L2 OOB Auth and Access VLAN

Unanswered Question
Jun 5th, 2008

I'm new to Cisco NAC appliance.

I wanted to deploy L2 OOB VGM for my wired users.

I wanted to check whether I can have multiple Authentication to Access VLAN mappings.

For example:

Authentication VLAN 111 maps to Trusted VLAN 311

Authentication VLAN 112 maps to Trusted VLAN 312

Therefore, on the port profile of the switch, I can allocate which ports should be using Authentication VLAN 111 and which should be using VLAN 112.

The reason I want to do this is that I need the users to obtain IP addresses associated with the trusted segment, so that I do not have to bounce the switch port or utilise DHCP release/renew from the CCA or web client.

bwilmoth Wed, 06/11/2008 - 12:16

Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:

1. Choose Management > Auth Servers and set Auth Type to Active Directory SSO.

2. Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.

3. Choose User Management > User Roles, select the role (vencorp) and click Edit.

4. Define the Out of Band User Role VLAN as 5 (or any VLAN that you want the users of this role to be in).

5. Save the role.

6. Choose Switch Management > Profiles > Port > List and click Edit for the control profile.

7. Change the Access VLAN to User Role VLAN and click Update.

8. Log in through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.

ntmak Wed, 06/11/2008 - 15:03

I wanted to avoid role-based mapping. This is because my organisation contains different types of users, and they are differentiated on the network by being allocated to different user VLANs. Another requirement is to have only one IP addressing scheme for each Auth VLAN to Access VLAN assignment. If I use role-based mapping I shall have to bounce the port or perform an ipconfig /release or /renew.

I wanted to know whether I can have multiple Authentication to Access VLAN mappings.

Another question:

If my NAC server license can only accommodate 500 users, what happens to the 501st user who is trying to log in?
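The addressing problem raised in the original question and in the reply above (a client keeps the DHCP lease it obtained in the Authentication VLAN, so moving the port to an Access VLAN with a different subnet forces a port bounce or a release/renew) can be modelled as a small design check. The following is an added example, not code from this thread and not Cisco NAC Appliance code. The VLAN numbers 111/112, 311/312 and 5 are taken from the thread; the subnets, port names, and all function and variable names are constructed for illustration.

```python
"""Added example: does an L2 OOB VLAN transition invalidate the client's lease?

A switch port starts in an Authentication VLAN, the client is leased an address
there, and after authentication the port is moved to an Access VLAN.  The move
is transparent only if the Access VLAN carries the subnet the lease came from.
With a fixed Auth-to-Access VLAN mapping the subnets line up; with role-based
VLAN assignment they may not, which is when a port bounce or DHCP release/renew
becomes necessary.  All values below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed: Auth VLAN -> Access VLAN mapping (one per port profile).
VLAN_MAPPING = {111: 311, 112: 312}

# Constructed: subnet served by DHCP in each Access VLAN.  Clients sitting in
# Auth VLAN 111 are leased from the subnet of its mapped Access VLAN 311.
ACCESS_SUBNETS = {
    311: ipaddress.ip_network("10.31.1.0/24"),
    312: ipaddress.ip_network("10.31.2.0/24"),
    5: ipaddress.ip_network("10.5.0.0/24"),  # the role VLAN from the reply above
}

# Constructed: which ports use which Auth VLAN (the switch port profile).
PORT_PROFILES = {
    "FastEthernet0/1": 111,
    "FastEthernet0/2": 111,
    "FastEthernet0/3": 112,
}


@dataclass(frozen=True)
class Transition:
    port: str
    auth_vlan: int
    lease_subnet: ipaddress.IPv4Network
    final_vlan: int
    needs_renew: bool


def validate_mapping(mapping=VLAN_MAPPING, subnets=ACCESS_SUBNETS):
    """Return a list of problems with the Auth-to-Access mapping (empty if sound).

    Checks the requirement stated in the thread: every Auth VLAN maps to one
    Access VLAN that has its own addressing scheme, and no two mappings share
    a subnet (otherwise two trusted segments would overlap).
    """
    problems = []
    seen = {}  # subnet -> first Auth VLAN that mapped onto it
    for auth, access in mapping.items():
        if access not in subnets:
            problems.append(f"Access VLAN {access} (from Auth VLAN {auth}) has no subnet")
            continue
        net = subnets[access]
        if net in seen:
            problems.append(f"Auth VLANs {seen[net]} and {auth} both map to subnet {net}")
        seen[net] = auth
    return problems


def lease_subnet(auth_vlan):
    """Subnet a client is leased from while its port is still in auth_vlan."""
    return ACCESS_SUBNETS[VLAN_MAPPING[auth_vlan]]


def plan_transition(port, final_vlan):
    """Describe moving `port` from its Auth VLAN to `final_vlan` after login.

    needs_renew is True when the lease obtained in the Auth VLAN does not
    belong to the final Access VLAN's subnet, i.e. the port must be bounced
    or the client must release/renew its address.
    """
    auth_vlan = PORT_PROFILES[port]
    lease = lease_subnet(auth_vlan)
    return Transition(
        port=port,
        auth_vlan=auth_vlan,
        lease_subnet=lease,
        final_vlan=final_vlan,
        needs_renew=lease != ACCESS_SUBNETS[final_vlan],
    )


if __name__ == "__main__":
    assert not validate_mapping(), validate_mapping()
    # Fixed mapping: Auth 111 -> Access 311, the lease is already valid.
    print(plan_transition("FastEthernet0/1", 311))
    # Role-based assignment to VLAN 5 changes the subnet, renew required.
    print(plan_transition("FastEthernet0/1", 5))
```

Running the block prints one transition that needs no renew (port in Auth VLAN 111 landing in its mapped Access VLAN 311) and one that does (the same port pushed into role VLAN 5). The validator is the piece worth keeping in a design review: it flags an Access VLAN with no subnet defined and two Auth VLANs that would share one trusted subnet, which is the "one addressing scheme per assignment" requirement from the reply.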
