ACS 5.3 Assign static IP address depending of authenticated user

Actually I have a lab with ACS 5.3 running with 802.1x, but when the user is successfully authenticated, it's assigned an IP address from the DHCP server. Is there a way to assign a static IP address depending on the login username?

Regards,

Juan Carlos Arias

Silver

ACS 5.3 Assign static IP address depending of authenticated user

Hello,

Would this be for External Database Users like AD or LDAP? Or would it be for ACS Internal Accounts?

Regards.

ACS 5.3 Assign static IP address depending of authenticated user

Hello Carlos,

Would be for AD.

Regards,

Juan Carlos Arias

Silver

Re: ACS 5.3 Assign static IP address depending of authenticated

Juan Carlos,

On ACS 5.x we can get the scenario working, but we need to define the Static IP Address users on the Internal ACS database as well. I have not managed to configure it in a different way.

I have handled one or two cases with this request and we always get it working as described in the attached document.

NOTE: The document refers to a RADIUS Identity Server (ACS 4.x). You can refer on your ACS to AD1 instead.

If this was helpful please rate.

Regards.

ACS 5.3 Assign static IP address depending of authenticated user

Hi Carlos,

I followed all the steps from your file, but the IP address I want assigned (192.168.240.29) is not; it's getting an IP address from the DHCP pool (192.168.240.26).

Any idea where I can check this issue?

This is a log from Radius Authentication:

Authentication Result

User-Name=MONARCH\juancarlos.arias
Framed-IP-Address=192.168.240.29
Class=CACS:ACS-CONAPESCA/118540298/2
Tunnel-Type=(tag=1) VLAN
Tunnel-Medium-Type=(tag=1) 802
Tunnel-Private-Group-ID=(tag=1) 60

I appreciate your time.

Regards,

Juan Carlos Arias

Silver

ACS 5.3 Assign static IP address depending of authenticated user

Juan Carlos,

I am assuming this is for 802.1x wired. In that case, is the switch configured with the "aaa authorization network" command?

Regards.

ACS 5.3 Assign static IP address depending of authenticated user

Hi Carlos, yes, that line is configured, this is my IOS device configuration:

aaa group server radius RADIUS-Auth
 server name RADIUS-8021x
!
aaa authentication enable default group RADIUS-Auth
aaa authentication dot1x default group RADIUS-Auth
aaa authorization config-commands
aaa authorization network default group RADIUS-Auth
aaa authorization auth-proxy default group RADIUS-Auth
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS-Auth
aaa accounting system default start-stop group RADIUS-Auth
!
radius server RADIUS-8021x
 address ipv4 192.168.240.174 auth-port 1645 acct-port 1646
 key 7 0822434008090004110A
!

Silver

Re: ACS 5.3 Assign static IP address depending of authenticated

Juan Carlos,

After doing some deeper research, I found the answer:

"The IEEE 802.1x standard does not provide a mechanism for IP address assignment.  Therefore, configuration of the Framed-IP-Address and Framed-IP-Netmask attributes as Reply-Items in a user’s profile will have no effect. Either a DHCP server should be used, or the station should be configured with a static IP address."

The Framed-IP-Address attribute works for VPN Connections but not for 802.1x.

I hope this clarifies it.

Regards.

ACS 5.3 Assign static IP address depending of authenticated user

Bad news, Carlos.

Thanks for your complete explanation and your time.

One last question: I remember that I could do this with ACS v4.2. I'm not sure, but I don't want to waste time configuring a lab with this ACS version. Is this true?

Regards,

Juan Carlos Arias

Silver

ACS 5.3 Assign static IP address depending of authenticated user

Hello Juan Carlos,

ACS 4.x had the option to configure a Static IP address under the User Setup:

However, I do not remember off the top of my head if ACS 4.x included that value under the Framed-IP-Address as well, which should not work on 802.1x either.

Please, mark the RFC response as correct if you feel it clarified your concern.

Regards.

ACS 5.3 Assign static IP address depending of authenticated user

OK Carlos, thanks for your answers. I already voted at the beginning for your comments.

Regards,

Juan Carlos Arias

New Member

Hi, how can I specify the

Hi,

How can I specify the subnet mask that I want to apply to the assigned IP address?

Because the ACS applies the default mask (the mask of the IP class; e.g., if we give a user 10.8.8.9 as the address, the ACS applies the mask 255.0.0.0 to it).

How can I specify that it should apply a /24 mask?

Silver

Re: ACS 5.3 Assign static IP address depending of authenticated

Juan Carlos,

You can find the same information in the RFC for 802.1x:

http://www.rfc-editor.org/rfc/rfc3580.txt

3.7.  Framed-IP-Address, Framed-IP-Netmask

   IEEE 802.1X does not provide a mechanism for IP address assignment.
   Therefore the Framed-IP-Address and Framed-IP-Netmask attributes can
   only be used by IEEE 802.1X Authenticators that support IP address
   assignment mechanisms.  Typically this capability is supported by
   layer 3 devices.

If this was helpful please rate.

Regards.
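
Added example (not part of the original thread, and not Cisco's code): a small Python check that applies the RFC 3580 rule quoted above to an Access-Accept in the "Name=(tag=N) value" format of the RADIUS log posted earlier. It reports the VLAN the switch will apply and the reply attributes that have no effect on an authenticator without IP assignment support. The sample text is constructed from that log; the function names and the authenticator_assigns_ip parameter are assumptions made for this illustration.

```python
import re

# Constructed sample: the Access-Accept attributes shown in the thread's RADIUS log.
SAMPLE_ACCEPT = """\
User-Name=MONARCH\\juancarlos.arias
Framed-IP-Address=192.168.240.29
Class=CACS:ACS-CONAPESCA/118540298/2
Tunnel-Type=(tag=1) VLAN
Tunnel-Medium-Type=(tag=1) 802
Tunnel-Private-Group-ID=(tag=1) 60
"""

# RFC 3580 section 3.7: these only take effect on authenticators that
# support IP address assignment (typically layer 3 devices).
IP_ASSIGNMENT_ATTRS = {"Framed-IP-Address", "Framed-IP-Netmask"}
ATTR_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+)=(?:\(tag=(?P<tag>\d+)\)\s*)?(?P<value>.*)$")

def parse_attributes(text):
    """Parse 'Name=(tag=N) value' lines into (name, tag, value) tuples."""
    attrs = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ATTR_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable attribute line: {line!r}")
        tag = int(m["tag"]) if m["tag"] else None
        attrs.append((m["name"], tag, m["value"].strip()))
    return attrs

def review_accept(text, authenticator_assigns_ip=False):
    """Return (vlan_id, ignored): the VLAN applied and the attributes with no effect."""
    attrs = parse_attributes(text)
    tunnels = {}  # tunnel attributes grouped by tag
    for name, tag, value in attrs:
        if name.startswith("Tunnel-"):
            tunnels.setdefault(tag, {})[name] = value
    vlan = None
    for group in tunnels.values():
        # RFC 3580 VLAN assignment needs all three attributes in one tag group.
        if (group.get("Tunnel-Type") == "VLAN"
                and group.get("Tunnel-Medium-Type") == "802"
                and "Tunnel-Private-Group-ID" in group):
            vlan = group["Tunnel-Private-Group-ID"]
            break
    ignored = [(n, v) for n, _, v in attrs
               if n in IP_ASSIGNMENT_ATTRS and not authenticator_assigns_ip]
    return vlan, ignored

if __name__ == "__main__":
    print(review_accept(SAMPLE_ACCEPT))
```

For the log in this thread, the check reports VLAN 60 as applied and Framed-IP-Address=192.168.240.29 as ignored, which matches the client still getting its address from the DHCP pool.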

ACS 5.3 Assign static IP address depending of authenticated user

Sorry, I selected the wrong option; I selected the answer as correct. Do I have to re-open?

Silver

Re: ACS 5.3 Assign static IP address depending of authenticated

Juan Carlos,

Do not worry. Refer to the answer above.

Regards.
