Role based vlan assignment using Certificates

Unanswered Question
Oct 28th, 2008

Hi everyone,

I wanted to know whether the following scenario is possible.

A person comes into the office and plugs his laptop into the docking station. As soon as the PC is on, it is authenticated using the certificate installed on it. Then, for the VLAN assignment, he is prompted for his credentials; as soon as he enters them he is automatically assigned to some VLAN according to his credentials.

I know that both are possible with ACS: authentication of the PC with a certificate, and assignment of the VLAN according to the user credentials. I want to know whether both are possible simultaneously.

What I will use here is dot1x EAP-TLS and dot1x MD5. Can I use both together to achieve what I have described above, if possible?



guibarati Wed, 10/29/2008 - 09:03

Let me see if I understand you. You want the certificate to be used only for domain authentication, but the VLAN to be assigned based on user authentication?

jhillend Wed, 10/29/2008 - 10:36

Configuring the EAP protocols is global, even with a network access profile. You will have to configure both EAP-TLS and EAP-MD5. ACS is not able to distinguish between a machine auth and a user auth. You can force EAP-MD5 for the user within your supplicant.

My suggestion is to put devices into one group and users into another, or others. Then, based on group membership, assign the appropriate VLAN.
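To make the group-based approach in this answer concrete, here is a small added model (not ACS code, not from anyone in this thread) of the authorization decision: the EAP method used to authenticate is recorded for the audit trail but plays no part in choosing the VLAN; only group membership does. The group names, VLAN numbers and identities are constructed for illustration; the RADIUS attribute values are the standard ones from RFC 3580 for dynamic VLAN assignment.

```python
"""Model of 'machines in one group, users in another, VLAN by group'.
Group names, VLAN numbers and identities are constructed examples."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# RFC 3580 / RFC 2868 attributes returned in an Access-Accept so the
# switch places the port in a VLAN:
#   Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
#   Tunnel-Private-Group-ID = "<vlan id>"
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Constructed group table: group name -> (member identities, VLAN id).
# Machine identities come from the certificate (EAP-TLS), user identities
# from the credential prompt (EAP-MD5); the table itself carries that meaning
# because the server cannot tell the two kinds of authentication apart.
GROUPS = {
    "corp-machines": ({"host/laptop01.corp.example", "host/laptop02.corp.example"}, 100),
    "finance-users": ({"alice", "bob"}, 200),
    "audit-users": ({"carol"}, 300),
}

@dataclass
class Decision:
    accept: bool
    group: Optional[str]
    eap_method: str                  # kept for logging only, not for policy
    attributes: Dict[str, object] = field(default_factory=dict)

def authorize(identity: str, eap_method: str) -> Decision:
    """Return Access-Accept attributes based solely on group membership."""
    matches = [g for g, (members, _) in GROUPS.items() if identity in members]
    if len(matches) != 1:
        # Unknown identity (e.g. a personally owned laptop with no enrolled
        # certificate) or ambiguous membership: reject rather than guess a VLAN.
        return Decision(False, None, eap_method)
    group = matches[0]
    vlan = GROUPS[group][1]
    return Decision(True, group, eap_method, {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    })

if __name__ == "__main__":
    # Docking sequence: machine auth with its certificate, then user auth,
    # then an unmanaged laptop that is in no group.
    for ident, method in [("host/laptop01.corp.example", "EAP-TLS"),
                          ("alice", "EAP-MD5"), ("host/rogue.laptop", "EAP-TLS")]:
        d = authorize(ident, method)
        outcome = "VLAN " + str(d.attributes["Tunnel-Private-Group-ID"]) if d.accept else "Access-Reject"
        print(f"{ident} via {method}: {outcome}")
```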

sr2623235 Wed, 10/29/2008 - 12:34

So is there any way that I can achieve this scenario?

Here at my client site they have provided users with laptops and docking stations. The users come in, put their laptops onto the docking station and start working. The problem is that recently one of the users bought his laptop, plugged it in and started working, and management took notice of it. Then the manager decided that laptops must be authenticated before they are on the network. The problem is that users will be moving around to different places, as they will be having meetings, auditing and other things. My goal is to have both the laptop and the user authenticated and put them in the proper VLANs when they authenticate.

Please suggest what I should do if I have to achieve this goal.

Thanks for your previous replies, I appreciate it.

