Authenticate Users with ACS 4.0 to use specific VLAN

Jan 26th, 2009

I have multiple wireless networks. I am building a guest wireless network. I would like to assign a guest a username and password. When the guest connects to the SSID (guest network) they are prompted for a username and password and assigned the correct guest VLAN.

I am thinking I should be able to define a unique group in ACS 4.0. The unique group will only be allowed or assigned guest vlan access. Guests to the network will be associated to the guest vlan.

I haven't been able to figure out how to associate a username account with a vlan assignment.

rmeans Mon, 01/26/2009 - 09:30

I found the document you referenced earlier. I have read it again and researched a little more. The ACS options the doc references are available in ACS v4.1. I am running v4.0. Options such as Cisco Airspace Radius and Aironet Radius are not available in v4.0.

v4.0 has Cisco IOS Radius Attributes (sub category - cisco-av-pair) and IETF Radius attributes. There are others but I can't help but think these categories might be used to solve my problem.

Ivan Martinon Mon, 01/26/2009 - 09:32

I believe that as long as you use Radius IETF you will be ok with using this link. Why don't you give it a shot?

rmeans Mon, 01/26/2009 - 09:59

I am not sure where or how to add the vlan assignment request. There are a number of different options under the IETF section. I have attached a cut/paste of the options.

Ivan Martinon Mon, 01/26/2009 - 10:05

Ok, I think I did not explain myself.

ACS uses a type of radius to define its aaa client; in the case of using a wireless controller, you would typically define Aironet Radius type. This will enable some of the wireless attributes for you. Now since your ACS does not support and contain the Aironet Wireless Radius Attributes, first you would need to define your AAA client (access point or wireless controller) with the IETF Radius client attributes.

Then using Cisco Vendor Specific Attributes you can define Vlan type and all of the attributes that the document uses.

If this is too complex or confusing, you can always contact the TAC to get assistance on this.
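
Added example, not part of the thread or of the document it links to: the IETF way to return a VLAN in an Access-Accept is the RFC 2868 / RFC 3580 tunnel attribute triple (Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = 802, Tunnel-Private-Group-ID 81 = VLAN id), and this Python sketch encodes that triple and reads it back from a captured attribute blob so you can check that a guest account resolves only to the guest VLAN. The attribute names come from the RFCs rather than from this page, and VLAN 50 is a constructed value.

```python
import struct

# IETF RADIUS tunnel attributes used for VLAN assignment (RFC 2868, RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "802"

def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes as they appear inside an Access-Accept."""
    if not 1 <= vlan_id <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("VLAN id or tag out of range")
    def tagged_int(attr, value):
        # Type, Length=6, Tag, 3-octet value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    if tag:  # the tag octet is only emitted for tags 0x01..0x1F
        group = bytes([tag]) + group
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group)

def decode_attrs(blob):
    """Split a RADIUS attribute blob into (type, value-bytes) pairs."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr, blob[i + 2:i + length]))
        i += length
    return out

def assigned_vlan(blob):
    """Return the numeric VLAN id the attributes assign, or None if incomplete."""
    seen = {}
    for attr, value in decode_attrs(blob):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[attr] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID and value:
            text = value[1:] if value[0] <= 0x1F else value  # strip tag octet
            seen[attr] = text.decode("ascii", "replace")
    if (seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
            or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
        return None  # without all three attributes no VLAN is assigned
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    return int(group) if group.isdigit() else None  # VLAN names are not resolved

GUEST_ACCEPT = encode_vlan_attrs(50)  # constructed sample: guest VLAN 50
```

Comparing `assigned_vlan()` on the attributes of a captured guest Access-Accept against the intended guest VLAN id confirms the ACS group returns that VLAN and nothing else.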

rmeans Mon, 01/26/2009 - 10:10

Thanks for the help. I should (and will) probably open a case.
