ACS 4.2 Wired and wireless group mapping

Answered Question
Feb 23rd, 2010

Hello,

User1 logs on to the switch; he belongs to AD group Domain_user and gets mapped to ACS Group1, which sends the RADIUS attribute to change the VLAN. That part works great.

My problem is when the same user connects with his Wi-Fi card... he is still part of Domain_user and still gets mapped to Group1 on ACS, but now the RADIUS values are wrong for the wireless.

Wired production VLAN = 20

Wireless production VLAN = 120

What I want to do is something like:

ADGroupX + Connect_type = ACS group1

ADGroupX + Connect_type2 = ACS group2

I tried using a connection profile, but the group mappings are not made at that level. The same goes for NAR: my user should be able to log on as a wired or a wireless user and get the proper VLAN, not get restricted by the NAR.

One other avenue would be to set up a wireless user/password in the internal database and add it to the proper ACS group, but that involves password management, and not all 802.1X clients support password auth (without user intervention).

Any idea?

Correct Answer by darpotter, Wed, 02/24/2010 - 03:02

Hi... this scenario is exactly what Network Access Profiles (NAP) are designed to address. Essentially, NAP allows you to create a complete configuration on a per-network-service basis.

So, ACS by default is a single-NAP system (well, I guess two if you include RADIUS and TACACS), where regardless of network service all RADIUS users would be assumed to be using a single device type. NAP allows you to configure, per service, the authentication protocol, group mappings and authorisations.

The first part of NAP requires you to differentiate the authentication requests for each network service. This could be as easy as using the AAA client IP address or NDG. If that's not possible, you can start looking at attributes in the RADIUS request to find attribute values that are unique to the WLAN or switch.

Assuming you've managed to do that, it's a matter of setting up the authentication and authorisation policies - but the key thing is that you'll be able to send totally different sets of RADIUS attributes back to the device for the same user.

The UI can take a bit of getting used to, so read the online docs and stick with it!

www.extraxi.com for all your ACS reporting needs


conradduval1 Wed, 02/24/2010 - 10:19

Thanks for the quick reply.

That's what I was testing last night; in my mind I HAD to use domain groups...

What I did is (in case someone wants to know):

- Created 2 NDG (one for wired and one for wireless devices)

- Created 2 NAF (Network Access Filtering)

- Created 1 RAC (RADIUS Authorization Component)

- Created 2 NAP (Network Access Profiles)

     - In the NAP definition I added the filter created before

     - Inside the NAP, at the authorization rules level, I added the RAC created before

Works great.

Wired users are getting the VLAN through the RADIUS attributes and wireless users are getting the right VLAN config.

I added a guest VLAN on my 2940 and am also using the MAB feature.

Thanks again
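To make darpotter's description and conradduval1's NDG / NAF / RAC / NAP steps concrete, here is an added Python model of the decision ACS makes for each Access-Request: classify the request by the AAA client's address (the NDG), pick the matching NAP, and return that profile's RAC for the user's AD group. It is an added example, not ACS code or anything posted in the thread; the AAA-client subnets, NAP names and the NAS-Port-Type consistency check are assumptions. The RADIUS attribute numbers and values (RFC 2865 NAS-Port-Type, RFC 2868 Tunnel-* attributes) are the real ones a switch or WLC would act on.

```python
"""Model of per-service VLAN authorization (ACS 4.2 NAP style).

Added example, not ACS code. Device groups, subnets and profile names are
constructed for illustration; attribute numbers follow RFC 2865 / RFC 2868.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

# RADIUS attribute numbers (RFC 2865, RFC 2868) and enumerated values.
NAS_PORT_TYPE = 61
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
NAS_PORT_TYPE_ETHERNET = 15
NAS_PORT_TYPE_WIRELESS_80211 = 19
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Network Device Groups: which AAA clients are switches vs. wireless devices.
# Subnets are constructed for the example (assumption).
NDG = {
    "Wired": ([ip_network("10.0.1.0/24")], NAS_PORT_TYPE_ETHERNET),
    "Wireless": ([ip_network("10.0.2.0/24")], NAS_PORT_TYPE_WIRELESS_80211),
}


def vlan_rac(vlan_id: int) -> Dict[int, object]:
    """RADIUS Authorization Component: the three attributes that move a port
    or client into a VLAN (RFC 3580 style). Tunnel-Private-Group-ID is a string."""
    return {
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
        TUNNEL_PRIVATE_GROUP_ID: str(vlan_id),
    }


# Network Access Profiles: each is selected by a NAF (here: membership of an
# NDG) and carries its own authorization rules, AD group -> RAC. The same AD
# group yields VLAN 20 on the wired profile and VLAN 120 on the wireless one,
# which is the outcome the thread is after. Profile names are assumptions.
NAPS = [
    {"name": "Wired-802.1X", "ndg": "Wired", "rules": {"Domain_user": vlan_rac(20)}},
    {"name": "Wireless-802.1X", "ndg": "Wireless", "rules": {"Domain_user": vlan_rac(120)}},
]


@dataclass(frozen=True)
class AccessRequest:
    nas_ip: str                 # source of the RADIUS packet (authenticated by shared secret)
    user: str
    ad_groups: FrozenSet[str]   # what external-DB group mapping resolved for the user
    attrs: Dict[int, object]    # selected attributes carried in the Access-Request


def select_nap(req: AccessRequest) -> Optional[dict]:
    """NAF evaluation: pick the first NAP whose NDG contains the AAA client.

    Keying on the NAS address (or NDG) is the robust choice darpotter suggests
    first: it is tied to the shared secret, so a supplicant cannot steer itself
    into the other profile. As an extra sanity check (assumption, not an ACS
    feature), a device claiming a NAS-Port-Type that contradicts its NDG is
    treated as mis-registered and gets no profile."""
    src = ip_address(req.nas_ip)
    for nap in NAPS:
        subnets, expected_port_type = NDG[nap["ndg"]]
        if not any(src in net for net in subnets):
            continue
        if req.attrs.get(NAS_PORT_TYPE, expected_port_type) != expected_port_type:
            return None
        return nap
    return None


def authorize(req: AccessRequest) -> Tuple[str, Dict[int, object]]:
    """Authorization rules of the selected NAP. Fails closed: an AAA client that
    matches no profile, or a user with no matching rule, gets Access-Reject
    rather than a default VLAN."""
    nap = select_nap(req)
    if nap is None:
        return ("Access-Reject", {})
    for group, rac in nap["rules"].items():
        if group in req.ad_groups:
            return ("Access-Accept", dict(rac))
    return ("Access-Reject", {})


def demo() -> Dict[str, Tuple[str, Dict[int, object]]]:
    """User1 authenticating through a switch and through a WLC (constructed input)."""
    groups = frozenset({"Domain_user"})
    return {
        "wired": authorize(AccessRequest("10.0.1.10", "User1", groups, {NAS_PORT_TYPE: 15})),
        "wireless": authorize(AccessRequest("10.0.2.10", "User1", groups, {NAS_PORT_TYPE: 19})),
        "unknown_nas": authorize(AccessRequest("10.0.9.1", "User1", groups, {NAS_PORT_TYPE: 15})),
    }


if __name__ == "__main__":
    for service, (code, attrs) in demo().items():
        print(f"{service:12s} {code:14s} {attrs}")
```

The point to take from the model is the one both posts make: the user's group mapping is unchanged, and the per-service VLAN comes from which profile the request lands in. Keep the profile selection on something the supplicant cannot influence (AAA client address or NDG), and make sure a device that matches no profile is rejected rather than silently handed a default VLAN.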
