Community Member

ACS Authentication- per username via AD

Hello All,

We have an ACS Server 5.3 in our network and we use Cisco port-based authentication.

We store all MAC addresses in our ACS Server; we use per-host authentication.

So if any PC or laptop connects to any switch, the switch asks the ACS Server about its MAC address. If it finds the MAC address in ACS, this PC is connected to the inside VLAN; if it does not find this MAC in the ACS Server database, the switch connects this host to the guest VLAN.

---------

Our switch config is:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
clock timezone CET 2
system mtu routing 1500
ip subnet-zero
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 authentication event no-response action authorize vlan 20
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 15
 dot1x timeout tx-period 3
 no cdp enable
 spanning-tree portfast
!
radius-server host 192.168.10.10 auth-port 1645 acct-port 1646 key xxxxxx

----------------------

Now I need to ask:

We need to make this authentication via Active Directory,

but with the same processing.

Meaning the user needs to access any PC in the domain with username and password.

If ACS finds this user in the AD database, the user has access to the inside VLAN;

if ACS does not find the user, then the switch or ACS sends this user to the guest VLAN.

Can I make this authentication per username?

Thank you for your help.

AHA

2 REPLIES
Community Member

ACS Authentication- per username via AD

Please, does anyone have any idea!!!

Cisco Employee

ACS Authentication- per username via AD

Since there is no order/priority set, by default it attempts dot1x first and then MAB. The workstation requests access to the LAN and responds to requests from the switch. The workstation must be running 802.1X-compliant client software.

Could you please share the 802.1X settings from your PC connected behind the switch port?

I'd also like to see debugs from the switch:

debug dot1x all
debug radius
show authen session interface GigabitEthernet0/1

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin Katyal