I just want to implement 802.1x authentication, to dynamically assign into different VLANs, can you help me how it should be done? What is the best method? I see the PEAP is much more complex. Initially I'm thinking about MAC-address based, so that I create all MAC addresses in ACS Server that we have, and the VLAN is assigned from there.
If you're referring to VLAN assignment provided by ACS, you will need to enable RADIUS attributes 64, 65 and 81 on the ACS. There are several links on Cisco's website to accomplish this. Hope this helps.
Is this possible for wireless LAN also? I guess it is not, because the user first associates with the SSID/VLAN before authentication happens. Just wanted to confirm if my understanding is correct.
Yes, it is possible for WLANs.
You can either use:
1) RADIUS SSID access control, i.e. once authenticated the RADIUS server sends the AP a list of allowed SSIDs for that user. If the SSID the user used is in the list then access is granted.
2) RADIUS VLAN assignment, i.e. once authenticated the user is assigned to a specific VLAN on the wired side of the AP. This is done via the RADIUS server. The key thing here is that it doesn't matter what SSID is used by the user, they are always assigned to the same VLAN.
What's nice about option 1 is that users can select from any SSIDs that they are authorised for, i.e. SSID hopping.
Also, different SSIDs can be secured with different auth protocols - depending on security requirements.
I'm having the same issue (as probably many others here).
We are using WLC4400 and ACS 3.3.
On the WLC we have configured 2 SSIDs. One for guests, one for the employees.
We are using PEAP to authenticate the users (for both VLANs) but want to restrict the internal SSID for employees only.
Can you please describe "exactly" what we have to configure on the ACS Server to make this work (version 1 would be most interesting to know).
Excerpt from Cisco doc:-
7 Appendix C: Procedure to Configure RADIUS-Based User Access Control on Cisco Secure Access Control Server Software
The procedure to configure RADIUS-based user access control on Cisco Secure ACS Version 2.6 or later is provided below. This procedure provides configuration information for Internet Engineering Task Force (IETF), Cisco IOS Software and Cisco PIX Firewall options that enable RADIUS-based user access control (using VLAN-ID and/or
1. Select Interface Configuration > Advanced Options; Enable "Per-user TACACS+/RADIUS Attributes" > Click
2. Select Interface Configuration > RADIUS (IETF).
a. Enable IETF attributes 64, 65, and 81. Enable these options at both User and Group levels.
b. Click on "Submit."
3. Select Network Configuration:
a. Confirm that the following option is available on the Cisco Secure ACS: Configuration > RADIUS (Cisco IOS/PIX). If this option is not available, add a device with network access server-type RADIUS (Cisco IOS/PIX). This device is needed to enable Cisco IOS/PIX attributes.
b. After adding a Cisco IOS Software or Cisco PIX Firewall device, select Interface Configuration > RADIUS
i. Enable the "[026/009/001] cisco-av-pair" option. Enable this option at both User and Group levels.
ii. Click on "Submit."
"You want option B here"
4. Add a User (User Setup > Add/Edit).
a. To restrict user by VLAN-ID:
- Enable and set IETF 64 (Tunnel Type) to "VLAN."
- Enable and set IETF 65 (Tunnel Medium Type) to "802."
- Enable and set IETF 81 (Tunnel Private Group ID) to VLAN-ID.
Note: Use the same Tag numbers (example: Tag 1) for all the above parameters.
b. To restrict user by SSID (note: SSID is case-sensitive):
- Enable and configure Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair
- Example: ssid=LEAP_WEP
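To make the attributes named in the earlier reply (64, 65 and 81) and in the excerpt above concrete, here is an added example that is not part of this thread or of any Cisco document: it builds the RADIUS Access-Accept attributes an authentication server would send for a VLAN assignment (tagged Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID per RFC 2868) and for an SSID restriction (Cisco vendor-specific attribute 26/9/1 cisco-av-pair with "ssid=..."), then parses them back the way a NAS would, including the "same Tag number" check the excerpt's note calls for. The VLAN id 20, the SSID LEAP_WEP from the excerpt and the tag values are constructed sample inputs; function names are my own.

```python
import struct

# Standard RADIUS attribute numbers (RFC 2865 / RFC 2868) and Cisco VSA ids.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1           # vendor type 1 within vendor 9
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type value "IEEE-802"


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: type, length=6, 1-byte tag, 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, text):
    """Tagged string attribute: type, length, 1-byte tag, string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def cisco_av_pair(text):
    """Vendor-Specific (26) attribute carrying one Cisco (9) cisco-av-pair (1)."""
    data = text.encode("ascii")
    body = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(body), CISCO_VENDOR_ID) + body


def build_vlan_assignment(vlan_id, tag=1):
    """Attributes 64/65/81 for a dynamic VLAN, all carrying the same tag."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def build_ssid_restriction(ssid):
    """cisco-av-pair 'ssid=<name>' (SSID is case-sensitive on the AP side)."""
    return cisco_av_pair("ssid=" + ssid)


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs; reject bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def extract_vlan(attrs):
    """Return the VLAN id string only if 64=VLAN, 65=802 and 81 share one tag."""
    by_tag = {}
    for t, v in attrs:
        if t not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if not v:
            raise ValueError("empty tunnel attribute")
        tag, payload = v[0], v[1:]
        # RFC 2868: for the string attribute a first byte > 0x1F is data, not a tag.
        if t == TUNNEL_PRIVATE_GROUP_ID and tag > 0x1F:
            tag, payload = 0, v
        by_tag.setdefault(tag, {})[t] = payload
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None  # inconsistent tags or incomplete triple: no VLAN assigned


def extract_allowed_ssids(attrs):
    """Collect 'ssid=' values from Cisco cisco-av-pair VSAs."""
    ssids = []
    for t, v in attrs:
        if t != VENDOR_SPECIFIC or len(v) < 4:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        body, i = v[4:], 0
        while i + 2 <= len(body):
            vt, vl = body[i], body[i + 1]
            if vl < 2 or i + vl > len(body):
                raise ValueError("bad VSA sub-attribute length")
            if vt == CISCO_AV_PAIR:
                s = body[i + 2:i + vl].decode("ascii")
                if s.startswith("ssid="):
                    ssids.append(s[5:])
            i += vl
    return ssids


if __name__ == "__main__":
    accept = build_vlan_assignment(20) + build_ssid_restriction("LEAP_WEP")
    attrs = parse_attributes(accept)
    print("VLAN:", extract_vlan(attrs), "SSIDs:", extract_allowed_ssids(attrs))
```

Running it shows the exact bytes the ACS settings in steps 2 and 4 translate into; mixing tags across 64/65/81 (tag 1 on two of them, tag 2 on the third) makes extract_vlan return None, which is the failure the excerpt's tag note is warning about.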
I tried it (option B) to restrict the user by SSID.
But it does not work on the WLC4402; the user can still access the network using all SSIDs.
I think it's best to contact the TAC; there are numerous white paper/tutorial docs kicking around on cisco.com (most not easy to find).
The TAC should have them easily to hand.