Cisco Support Community

New Member

ACS 5.2 and dynamic VLANs w/ AD

I'm currently working on a proof-of-concept for 802.1X wired authentication using ACS 5.2, with Windows 2008 Active Directory as the identity store.

I know how to do dynamic VLANs based on AD group membership, but is it possible to dynamically assign a VLAN to an authenticated user/machine based on an actual attribute in the AD schema? For example, if the user's department field is set to "Engineering", they get placed in the VLAN named "Engineering".

The idea here would be that the helpdesk/operations team could simply edit the user record in AD to move them between VLANs.

Cisco Employee

Re: ACS 5.2 and dynamic VLANs w/ AD

I believe this can be done as follows:

- When defining the AD identity store you can select attributes that you want to use in either policy conditions or authorizations. Select the "department" field.

- When defining an authorization profile you can define the VLAN in the common tasks. When setting the VLAN, select the Dynamic option. You will be presented with an option to select a dictionary and attribute name. Select the AD dictionary and the attribute "department".

Then when the VLAN is set, the value should be taken dynamically from the department attribute in the AD record for the user.
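The reply above describes the ACS configuration; what the switch actually receives is the set of RFC 2868/3580 tunnel attributes in the RADIUS Access-Accept, with Tunnel-Private-Group-ID carrying the VLAN name copied from the AD attribute. The following is an added example, not code from the original thread or from ACS: it builds those three attributes from a constructed AD record, rejects values that do not match a VLAN name defined on the switch, and decodes the result the way a switch would. The VLAN name set, the AD records, and the tag value of 1 are assumptions made for the example. The practical point it illustrates is that with this design anyone who can write the department attribute in AD decides which VLAN a user lands in, so the value needs validating somewhere; on the switch side a name that does not exist typically fails authorization rather than falling back to the access VLAN.

```python
# RADIUS attribute types (RFC 2868) used for 802.1X VLAN assignment (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "IEEE-802"
TAG = 1                        # assumption: tag byte used for the tunnel attribute group

# Constructed sample data (not from a real deployment): VLAN names configured on
# the switch, and AD user records with their "department" attribute.
SWITCH_VLAN_NAMES = {"Engineering", "Finance", "Guest"}
AD_USERS = {
    "alice": {"department": "Engineering"},
    "bob": {"department": "Marketing"},   # no VLAN of that name on the switch
    "eve": {"department": ""},            # attribute left empty in AD
}


def tagged_int(attr_type, value):
    """Tagged integer attribute: type, length, 1-byte tag, 3-byte big-endian value."""
    body = bytes([TAG]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_string(attr_type, text):
    """Tagged string attribute: type, length, 1-byte tag, then the string bytes."""
    body = bytes([TAG]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes_for(username):
    """Return the Access-Accept tunnel attributes for the user, or None to reject.

    The department value from AD is only accepted if it is a printable ASCII
    name that exists on the switch; anything else (empty, unknown, odd bytes)
    yields None so the caller can send Access-Reject or a quarantine VLAN.
    """
    dept = AD_USERS.get(username, {}).get("department", "")
    if not dept or not dept.isascii() or not dept.isprintable():
        return None
    if dept not in SWITCH_VLAN_NAMES:
        return None
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, dept))


def parse_attributes(data):
    """Parse a RADIUS attribute list into {type: raw value bytes (tag included)}."""
    attrs = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def assigned_vlan(data):
    """Decode the VLAN name a switch would apply from the attribute bytes, or None."""
    attrs = parse_attributes(data)
    # Both Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 must be present.
    if attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"):
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not group:
        return None
    # RFC 2868: a leading byte of 0x00-0x1F is a tag; anything larger is data.
    if group[0] <= 0x1F:
        group = group[1:]
    return group.decode("ascii") or None


if __name__ == "__main__":
    for user in AD_USERS:
        avps = vlan_attributes_for(user)
        print(user, "->", assigned_vlan(avps) if avps else "reject")
```

Run stand-alone it prints the outcome for each constructed user; `alice` decodes back to `Engineering`, while `bob` and `eve` are rejected before any attribute is built. The validation step is the piece ACS does not do for you when the VLAN name is taken straight from an AD attribute.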
