Network Access Restriction ACS 4.2

Answered Question
Sep 22nd, 2009

I've got some problems with NAR's in ACS 4.2

I have got two AD groups: 1=Wired Users, 2=Wireless Users

Wired USers = ACS group 10, Wireless Users = ACS group 20.

I want to put wired users via 802.1x in VLAN 10 on the access switches.

I want to put wireless users via 802.1x in VLAN 20 on WLC's.

A laptop is member of both AD groups (can work wired and wireless)

Problem is that user is altways authenticated in ACS group 10, because that's the first match. With AAA override, the user will always be placed in VLAN 10.

I tried to make a NAR (ip based, also tried CLI/DNIS) that permits only ip address of switches to access ACS group 10 for wired users and a NAR to permit only access from WLC and specific SSID to access ACS group 20.

When latop is wired, everything is ok, authentication is in ACS group 10, VLAN 10.

When laptop is wireless, it goes wrong. Authentication is still in ACS group 10, but fails because of NAR.

I would like the ACS to skip ACS group 10 by NAR, but continue authentication in Group 20 to correctly assign VLAN information.

How can this be achieved ?

I have this problem too.
0 votes
Correct Answer by Jagdeep Gambhir about 4 years 6 months ago

Hi Luke,

In this case you need to set up NAP "Network Access Profile". Here you will define that if requests comes from WLC, it should be mapped to wireless user group and if it comes from wired it should go to wired group.

Check this link,

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html

You need to Add profile, in the filter option choose you NAS IP address (WLC).

Then you need to set up a RAC in shared profile components, using IETF attribute no.81 (vlan number).

Finally in nAP you need to set up Authorization , choose group and map it to the RAC.

Regards,

~JG

Do rate helpful posts

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4 (1 ratings)
Correct Answer
Jagdeep Gambhir Tue, 09/22/2009 - 06:25

Hi Luke,

In this case you need to set up NAP "Network Access Profile". Here you will define that if requests comes from WLC, it should be mapped to wireless user group and if it comes from wired it should go to wired group.

Check this link,

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html

You need to Add profile, in the filter option choose you NAS IP address (WLC).

Then you need to set up a RAC in shared profile components, using IETF attribute no.81 (vlan number).

Finally in nAP you need to set up Authorization , choose group and map it to the RAC.

Regards,

~JG

Do rate helpful posts

remco.gussen Tue, 09/22/2009 - 06:46

JG

At first, thank you for your reply. I don't understand it actually what you are writing.

In my situation there are 4 AD groups:

- 1: Wired-Users (ACS Group 20)

- 2: Wireless-Users1 (ACS Group 128)

- 3: Wireless-Users2 (ACS Group 130)

- 4: Wireless-Users3 (ACS Group 132)

All 1200 laptops are in AD Group 1

400 laptops are in AD Group 2

400 laptops are in AD Group 3

400 laptops are in AD Group 4

When connecting my laptop to the wired network, the laptop will be authenticated by ACS Group 20. ACS assigns a VLAN Id of 20. That is ok.

When connecting my laptop to the wireless network, the laptop will still be authenticated in ACS group 20. ACS wants to send VLAN ID 20 to WLC. WLC does'n know VLAN ID 20 and puts all the wireless clients in VLAN 128 (the dynamic interface linked to WLAN). What i want is that the wireless attempts are done by Group 128, 130 or 132. Not by Group 20. I tried to use NAR's, but without success.

Maybe you can give me some good advice ?

Thanx a lot !

Jagdeep Gambhir Tue, 09/22/2009 - 07:22

NAR will not help in this case. We need to set up NAP.

Did you check that link in my last post? Would it be possible of you to open a TAC case?

That way it would be easier for us to guide you through the configuration.

Regards,

~JG

Do rate helpful posts

remco.gussen Wed, 09/23/2009 - 01:20

JG

Thanx a lot for the reply. I did read the document this morning. Things became clear to me. Did some experimentation and some test and Voila ! Problem solved !

Thanx again..

Regards

Remco

Actions

Login or Register to take actions

This Discussion

Posted September 22, 2009 at 12:56 AM
Stats:
Replies:5 Avg. Rating:4
Views:778 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard