802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

Unanswered Question
Aug 16th, 2010
User Badges:

Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.

If possible show:

1. ACS/Radius Configurations.

2. End User Switch Configurations


Variables:

Switch A

MAC Address aaaa.bbbb.cccc     Vlan 10

                      bbbb.cccc.dddd     Vlan 20


Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.

Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
Thanks in advance. .

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
blittrell Fri, 01/14/2011 - 07:48
User Badges:

Hi Guys,


    Hmmm, well if your just looking for Mac based authentication the good news is that is very easy.  Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc.  Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address.  Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)


   So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.


   Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.


    Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.


    If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

Actions

This Discussion