
Authenticate Users with ACS 4.0 to use specific VLAN

rmeans
Level 3

I have multiple wireless networks. I am building a guest wireless network. I would like to assign a guest a username and password. When the guest connects to the SSID (guest network) they are prompted for username and password and assigned the correct guest vlan.

I am thinking I should be able to define a unique group in ACS 4.0. The unique group will only be allowed or assigned guest vlan access. Guests to the network will be associated to the guest vlan.

I haven't been able to figure out how to associate a username account with a vlan assignment.

6 Replies

Ivan Martinon
Level 7

I think this might help you:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml

This uses the group to the vlan assignment but you can certainly assign this Guest user to a Guest Group :)

I found the document you referenced earlier. I have read it again and researched a little more. The ACS options the doc references are available in ACS v4.1. I am running v4.0. Options such as Cisco Airspace Radius and Aironet Radius are not available in v4.0.

v4.0 has Cisco IOS Radius Attributes (sub category - cisco-av-pair) and IETF Radius attributes. There are others but I can't help but think these categories might be used to solve my problem.

I believe that as long as you use Radius IETF you will be ok with using this link. Why don't you give it a shot?

I am not sure where or how to add the vlan assignment request. There are a number of different options under the IETF section. I have attached a cut/paste of the options.

Ok, I think I did not explain myself.

ACS uses a type of radius to define its aaa client; in the case of using a wireless controller, you would typically define the Aironet Radius type. This will enable some of the wireless attributes for you. Now since your ACS does not support and contain the Aironet Wireless Radius Attributes, first you would need to define your AAA client (access point or wireless controller) with the IETF Radius client attributes.

Then using Cisco Vendor Specific Attributes you can define Vlan type and all of the attributes that the document uses.

If this is too complex or confusing, you can always contact the TAC to get assistance on this.

Thanks for the help. I should (and will) probably open a case.
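
Added example, not part of the thread or of Cisco's documentation: with plain IETF RADIUS, a VLAN is returned in the Access-Accept as the tunnel attribute triple from RFC 2868 / RFC 3580 (Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = IEEE-802, Tunnel-Private-Group-ID 81 = the VLAN). The Python below parses a captured Access-Accept and reports the VLAN it assigns, so a guest account can be checked against the guest VLAN; the helper names, the sample packets and VLAN ID 30 are constructed for illustration.

```python
import struct

# Attribute numbers and values per RFC 2868 / RFC 3580 (not taken from the thread).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
ACCESS_ACCEPT = 2

def parse_attributes(packet):
    """Return (type, value) pairs from a raw RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        a_len = packet[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def assigned_vlan(packet):
    """VLAN the Access-Accept assigns, or None if the tunnel triple is incomplete."""
    found = {}
    for a_type, value in parse_attributes(packet):
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[a_type] = int.from_bytes(value[1:], "big")  # skip tag octet
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:  # optional leading tag octet
                value = value[1:]
            found[a_type] = value.decode("ascii", "replace")
    if (found.get(TUNNEL_TYPE), found.get(TUNNEL_MEDIUM_TYPE)) != (TYPE_VLAN, MEDIUM_IEEE_802):
        return None  # incomplete triple: no VLAN assignment per RFC 3580
    return found.get(TUNNEL_PRIVATE_GROUP_ID)

def build_accept(attrs):
    """Build a constructed Access-Accept (zeroed authenticator, not verified here)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples; "30" is a made-up guest VLAN ID.
GUEST_OK = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"30")])
GUEST_INCOMPLETE = build_accept([(81, b"30")])

if __name__ == "__main__":
    for name, pkt in (("GUEST_OK", GUEST_OK), ("GUEST_INCOMPLETE", GUEST_INCOMPLETE)):
        print(name, "->", assigned_vlan(pkt))
```

A reply that carries only the VLAN ID without Tunnel-Type and Tunnel-Medium-Type returns `None` here, which is the case to look for when a guest ends up on the default VLAN instead of the guest one.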
