Community Member

ACS Radius Server a dynamic attribution of VLAN-ID

Have you got an idea of how to configure, with ACS Radius Server, a dynamic attribution of VLAN-ID that will depend on the location of a particular user (supplicant) that is defined in one user group, i.e.

User A -(group A) Site X --- VLAN-ID-X

User A -(group A) Site Y --- VLAN-ID-Y

I think with a beta version 4.0 18 of ACS this might be possible with such functionalities as NAFs (Network Access Filters) and RADIUS Authorization Components (RACs), but in the user guide it is not exactly declared how to do it and what previous configuration I should do.

If you work on this subject or have already done it with a beta version 4.0, don't hesitate to share your experience.

Cheers

Michal

3 REPLIES
Silver

Re: ACS Radius Server a dynamic attribution of VLAN-ID

Yes! You can do this with 4.0

Create a NAF for each site... then create two NAPs (Network Access Policies) that are basically identical except for the NAF they are based on.

..or.. if there is anything in the RADIUS access request that differentiates the two sites you wouldn't need NAFs. For example wireless APs can send a "nas-location" Cisco AV Pair. You could use this to select which NAP was activated.

In the authorisation policy for each you can map to RACs that have specific VLANs for the NAP.

Would have been nicer to have an 802.1x Shared Profile Component with a "mappable" assignment inside a single NAP - but you can't have everything!
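To make the NAF -> NAP -> RAC flow from the reply above concrete, here is an added Python model of that policy selection. It is illustrative code, not ACS's implementation; the site prefixes, the "siteY" nas-location value, the group name and the VLAN IDs are constructed, and the choice to reject when no NAP or RAC applies is a modelling assumption.

```python
import ipaddress

# NAFs: sets of network devices, identified here by NAS-IP-Address prefix
# (constructed values).
NAFS = {
    "site-x": [ipaddress.ip_network("10.1.0.0/24")],
    "site-y": [ipaddress.ip_network("10.2.0.0/24")],
}

# RACs: RADIUS attribute bundles. The VLAN rides in the RFC 3580 tunnel
# attributes, so each RAC differs only in Tunnel-Private-Group-ID.
def vlan_rac(vlan_id):
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}

RACS = {"rac-vlan-x": vlan_rac(110), "rac-vlan-y": vlan_rac(120)}

# NAPs: identical authorisation policies (user group -> RAC) that differ
# only in how the request is matched: by NAF, or by a nas-location AV pair
# (the alternative the reply mentions for wireless APs).
NAPS = [
    {"name": "nap-site-x", "naf": "site-x", "authz": {"group-a": "rac-vlan-x"}},
    {"name": "nap-site-y", "nas_location": "siteY",
     "authz": {"group-a": "rac-vlan-y"}},
]

def nap_matches(nap, request):
    """True if the Access-Request selects this NAP."""
    if "naf" in nap:
        nas = ipaddress.ip_address(request.get("NAS-IP-Address", "0.0.0.0"))
        return any(nas in net for net in NAFS[nap["naf"]])
    if "nas_location" in nap:
        avpairs = request.get("Cisco-AVPair", [])
        return f"nas-location={nap['nas_location']}" in avpairs
    return False

def authorize(request, user_group):
    """Return (RADIUS reply code, attributes) for an authenticated user."""
    nap = next((n for n in NAPS if nap_matches(n, request)), None)
    if nap is None or user_group not in nap["authz"]:
        # No NAP for this location, or the group has no RAC in it: reject
        # rather than silently land the user in a default VLAN (assumption).
        return "Access-Reject", {}
    return "Access-Accept", dict(RACS[nap["authz"][user_group]])
```

The same user group lands in VLAN 110 from a site-x switch and VLAN 120 from an AP that reports nas-location=siteY, which is the per-site outcome the original question asked for.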

Community Member

Re: ACS Radius Server a dynamic attribution of VLAN-ID

Thank you for your feedback. I've done it already a couple of days before, and indeed we can dynamically assign VLAN-IDs according to the location of the user thanks to the RAC and NAP options in ACS 4.0, as you described it in the mail.

However, in my opinion this could be done in a different way to simplify the matter, because at the beginning it is not clear how to do it with ACS. The other thing is that Cisco does not promote the dynamic attribution features as an important feature of ACS. But on the other hand the official version comes out in two weeks, so maybe they will promote more whitepapers that treat the subject, and that's quite important if any service provider would sell it as a managed service.

Cheers

Michal

Silver

Re: ACS Radius Server a dynamic attribution of VLAN-ID

I tend to agree.. there has been a focus on implementing new features to enable NAC phase 2.

Many of them are in fact applicable outside of NAC but somewhat understandably, are receiving little attention right now.

Something that is HUGE in 4.0 is the ability to handle multi-service. In 3.x users are in a group and that group has to contain all the RADIUS config regardless of the network service (LAN, WLAN, dial, VPN etc.), and this often is not possible. Instead customers have to use an ACS for wireless and a different one for, say, VPN.

Now with NAP & RAC you can define "chunks" of RADIUS config that are service rather than identity differentiated.
