New Member

Cisco ACS 5.3 Newbie

Hi Guys,

I am looking at setting up a Cisco ACS 5.3 for MAC address based VLANs on a 2960 switch.

Has anyone done this before? Basically what I want is:

1. Have a list of devices specified in the ACS with their MAC address

2. Connect the switch to the ACS

3. When a device is plugged in, the switch should check with the ACS which VLAN the host should be on.

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Cisco ACS 5.3 Newbie

In ACS you should configure it to authenticate using "Internal Hosts" (which is the MAC address database) and to authorize by using "authentication profiles" (this is where you configure what VLAN to use).

If you are starting, I would recommend you test only authentication. Then if everything is all right you can add the authorization.

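On the switch side you will need to configure something like this:

aaa new-model
!
! RADIUS server (the ACS) and its shared secret
radius-server host x.x.x.x key PASSWORD
radius-server vsa send authentication
!
aaa group server radius ACS
 server x.x.x.x
!
aaa authentication dot1x default group ACS
! network authorization is what lets the switch apply the VLAN returned by the ACS
aaa authorization network default group ACS
aaa accounting dot1x default start-stop group ACS
!
! enable port-based authentication globally
dot1x system-auth-control
!
interface GigabitEthernetX/X
 ! the port must be a static access port before port-control auto is accepted
 switchport mode access
 mab
 authentication order mab
 authentication port-control auto
 dot1x pae authenticator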

Please rate if it helps
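
Added example (not part of the original thread and not ACS code): a Python model of the decision described in the answer above, where the MAC is looked up in a host list and the matching profile returns a VLAN through the RFC 3580 tunnel attributes. The host list, group names and VLAN numbers are constructed, and reading the MAC from Calling-Station-Id is an assumption about what the switch sends.

```python
import re

def normalize_mac(raw):
    """Accept 0011.2233.4455, 00:11:22:33:44:55, 00-11-22-33-44-55 or bare hex."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def vlan_attributes(vlan):
    """RFC 3580 attributes a RADIUS server returns to assign a VLAN."""
    return {"Tunnel-Type": 13,             # VLAN
            "Tunnel-Medium-Type": 6,       # IEEE-802
            "Tunnel-Private-Group-ID": str(vlan)}

# Constructed sample data standing in for the host list and the profiles.
# Entries are stored in one canonical form so that the format used when the
# host was entered cannot cause a lookup miss.
INTERNAL_HOSTS = {normalize_mac(m): g for m, g in [
    ("0011.2233.4455", "Staff-Laptops"),
    ("00:aa:bb:cc:dd:ee", "Printers"),
    ("00-de-ad-be-ef-01", "Lab"),          # known host, group has no VLAN profile
]}
AUTHZ_PROFILES = {"Staff-Laptops": 10, "Printers": 20}   # group -> VLAN

def handle_mab_request(request):
    """Model the server's decision for one MAB Access-Request (a dict here)."""
    try:
        mac = normalize_mac(request["Calling-Station-Id"])
    except (KeyError, ValueError):
        return {"code": "Access-Reject", "reason": "malformed request"}
    group = INTERNAL_HOSTS.get(mac)
    if group is None:
        return {"code": "Access-Reject", "reason": "unknown host"}
    vlan = AUTHZ_PROFILES.get(group)
    # Authentication-only case: accept with no VLAN attributes, so the port
    # stays in the access VLAN configured on the switch.
    attrs = vlan_attributes(vlan) if vlan is not None else {}
    return {"code": "Access-Accept", "group": group, "attributes": attrs}

if __name__ == "__main__":
    for csid in ("00-11-22-33-44-55", "00-DE-AD-BE-EF-01", "00-99-99-99-99-99"):
        print(csid, handle_mab_request({"Calling-Station-Id": csid}))
```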

7 REPLIES

Cisco ACS 5.3 Newbie

I guess that step 2 should say "connect the host to the switch".

Please could you be more specific on what you're trying to achieve?

New Member

Cisco ACS 5.3 Newbie

Hi,

Effectively what I want is to have a list of known device (laptops/desktops) MAC addresses stored on the ACS.

When a device is connected to a switch it should talk to the ACS and check if the mac address is known. The ACS should also tell the switch which VLAN to put it into.

Does this make sense?

I am not sure how to make the switch talk to ACS when a device is plugged into a port.

New Member

Cisco ACS 5.3 Newbie

Thanks,

I can't see what you have posted about the switch though.

New Member

Re: Cisco ACS 5.3 Newbie

Ok got it working to a certain extent.

I have internal hosts and I have managed to get them to get network access with an Authorization Profile which gives them access and puts them in a VLAN.

Next question is how can I get different host groups to use different Authorization profiles?

New Member

Re: Cisco ACS 5.3 Newbie

Thanks Mate,

Looking at the switch I don't appear to have the mab command in interfaces.

It comes up on some other switches though.

I have also not been able to see where to link "authentication profiles" to "hosts".
