
Scale 802.1X ACS in High Security Mode, any ideas?

ROBERT WATSON
Level 1

Scenario

Platform ACS V 5.1.0.44

Switch 4510R with 8 48 port modules (384 ports)

802.1x authentication of the ports in High Security Mode (VLAN assignments required)

Authentication method: cert-based EAP-TLS to machine

We currently have 4 data VLANs that users and assets drop into on this switch.

How do I scale this, as I can't differentiate the cert to distribute the users across the 4 VLANs in ACS?

I think I can use unique Identity groups for the MAB of assets, but the users have me really scratching my head.

1 Reply

ROBERT WATSON
Level 1

Looks like a Switching group has been looking at this as a possible answer for the stack switches, but I can't configure VLAN groups on 4510s, and there's no config guide on how to apply it in ACS 5.1 (use attrib 81 like we do for VLAN assignment?)

12.2(52)SE

IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, assigned by RADIUS server.

12.2(52)SE

3750-E, 3560-E

But then you get bit with even using VLAN assignments on large stacks


When IEEE 802.1x authentication with VLAN assignment is enabled, a CPUHOG message might appear if the switch is authenticating supplicants in a switch stack.

The workaround is to not use the VLAN assignment option. (CSCse22791)
