Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ACS 4.0 - NAC with Machine authentication

The first step of our NAC implementation would be to segment our network in two VLAN´s. One production network and one consultant network.

Is it possible to check the Windows XP client´s active directory domain membership and segment them only based on this information? (with no software client installed on any client)

For instance: When a client that is member of the PROD domain connects to the switch it should be redirected to the PROD-VLAN and when another client NOT belonging to the PROD domain connects it should be redirected to the Consultant VLAN.

We run ACS version 4.0 on a Windows 2003 domain controller. Our LAN is based on Catalyst 3560 and 2950 switches.

  • AAA Identity and NAC

Re: Cisco ACS 4.0 - NAC with Machine authentication


I could see several ways to achieve this.

1) Use 2 NAPs that trigger off the domain name contained in the User-Name attribute. Each NAP then assigns the appropriate VLAN.

2) Use a single NAP with the RADIUS authorisation setup to map from PROD and CONS ACS groups to Shared RACs containing the vlan ids.

Neither of these are fantastic since

1) May not work with Identity protection (where the real userid is hidden)

2) You need a way to map from domain to ACS group. Probably the only way would be to create 2 additional AD groups for each vlan then put users into one or the other. But then you'd loose other forms of group mapping (eg Admins, Consultants, Part time etc)


New Member

Re: Cisco ACS 4.0 - NAC with Machine authentication

I don't see why you should use NAC to achieve this.

You can just enable 802.1x on your clients and switches. Configure an AD database connection in your ACS and use group mappings. In the different ACS groups you can then configure different VLANs.



Re: Cisco ACS 4.0 - NAC with Machine authentication

You're right.. they dont *need* NAC - but if you re-read the posting it says they are going to implement NAC but right now they are rolling out 802.1x as a first stage.


This widget could not be displayed.