Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1661
Views
0
Helpful
1
Replies

802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

dimzaaaaa
Level 1
Level 1

‎08-16-2010 09:16 PM - edited ‎03-10-2019 05:20 PM

Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.

If possible show:

1. ACS/Radius Configurations.

2. End User Switch Configurations

Variables:

Switch A

MAC Address aaaa.bbbb.cccc     Vlan 10

                      bbbb.cccc.dddd     Vlan 20

Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.

Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
Thanks in advance. .

Labels:
0 Helpful
1 Reply 1

blittrell
Level 1
Level 1

‎01-14-2011 07:48 AM

Hi Guys,

    Hmmm, well if your just looking for Mac based authentication the good news is that is very easy.  Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc.  Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address.  Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)

   So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.

   Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.

    Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.

    If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents