Cisco Support Community
New Member

VLAN Membership with ACS

I just want to implement 802.1x authentication to dynamically assign users into different VLANs. Can you help me with how it should be done? What is the best method? I see that PEAP is much more complex. Initially I'm thinking about MAC-address based, so that I create all the MAC addresses we have in the ACS server, and the VLAN is assigned from there.

New Member

Re: VLAN Membership with ACS

If you're referring to VLAN assignment provided by ACS, you will need to enable RADIUS attributes 64, 65 and 81 on the ACS. There are several links on Cisco's website to accomplish this. Hope this helps.

New Member

Re: VLAN Membership with ACS

Is this possible for wireless LAN also? I guess it is not, because the user first associates with the SSID/VLAN before authentication happens. Just wanted to confirm if my understanding is correct.

Hall of Fame Super Blue

Re: VLAN Membership with ACS

Yes, it is possible for WLANs.

You can either use:

1) RADIUS SSID access control, i.e. once authenticated, the RADIUS server sends the AP a list of allowed SSIDs for that user. If the SSID the user used is in the list, then access is granted.

2) RADIUS VLAN assignment, i.e. once authenticated, the user is assigned to a specific VLAN on the wired side of the AP. This is done via the RADIUS server. The key thing here is that it doesn't matter what SSID is used by the user; they are always assigned to the same VLAN.

Silver

Re: VLAN Membership with ACS

What's nice about option 1 is that users can select from any SSIDs that they are authorised for, i.e. SSID hopping.

Also, different SSIDs can be secured with different authentication protocols, depending on security requirements.

Darran

New Member

Re: VLAN Membership with ACS

Hi

I'm having the same issue (as probably many others here).

We are using a WLC4400 and ACS 3.3.

On the WLC we have configured two SSIDs: one for guests, one for the employees.

We are using PEAP to authenticate the users (for both VLANs) but want to restrict the internal SSID to employees only.

Can you please describe "exactly" what we have to configure on the ACS server to make this work (version 1 would be most interesting to know)?

Greetings

Jarle

Hall of Fame Super Blue

Re: VLAN Membership with ACS

Excerpt from Cisco doc:

7 Appendix C: Procedure to Configure RADIUS-Based User Access Control on Cisco Secure Access Control Server Software

The procedure to configure RADIUS-based user access control on Cisco Secure ACS Version 2.6 or later is provided below. This procedure provides configuration information for Internet Engineering Task Force (IETF), Cisco IOS Software and Cisco PIX Firewall options that enable RADIUS-based user access control (using VLAN-ID and/or SSID-list).

1. Select Interface Configuration > Advanced Options; enable "Per-user TACACS+/RADIUS Attributes" > click on "Submit."

2. Select Interface Configuration > RADIUS (IETF).

a. Enable IETF attributes 64, 65, and 81. Enable these options at both User and Group levels.

b. Click on "Submit."

3. Select Network Configuration:

a. Confirm that the following option is available on the Cisco Secure ACS: Configuration > RADIUS (Cisco IOS/PIX). If this option is not available, add a device with network access server type RADIUS (Cisco IOS/PIX). This device is needed to enable Cisco IOS/PIX attributes.

b. After adding a Cisco IOS Software or Cisco PIX Firewall device, select Interface Configuration > RADIUS (Cisco IOS/PIX):

i. Enable the "[026/009/001] cisco-av-pair" option. Enable this option at both User and Group levels.

ii. Click on "Submit."

"You want option B here"

4. Add a User (User Setup > Add/Edit).

a. To restrict user by VLAN-ID:

- Enable and set IETF 64 (Tunnel Type) to "VLAN."
- Enable and set IETF 65 (Tunnel Medium Type) to "802."
- Enable and set IETF 81 (Tunnel Private Group ID) to VLAN-ID.

Note: Use the same Tag numbers (example: Tag 1) for all the above parameters.

b. To restrict user by SSID (note: SSID is case-sensitive):

- Enable and configure Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair
- Example: ssid=LEAP_WEP
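As an added example (not from this thread, the Cisco document quoted above, or Cisco's own code), the following Python shows what the two ACS options (VLAN assignment via IETF 64/65/81 in step 4a, SSID restriction via cisco-av-pair in step 4b; the same two mechanisms listed as options 2 and 1 in the earlier reply) look like inside a RADIUS Access-Accept, and how a NAS decodes them. It goes slightly beyond the page by implementing the general RFC 2868 tag rules: Tunnel-Type (64, value 13 = VLAN) and Tunnel-Medium-Type (65, value 6 = IEEE 802) carry a one-octet tag plus a three-octet value, Tunnel-Private-Group-ID (81) carries a tag plus the VLAN ID as a string, and the three are only honoured together when they share a tag, which is why the procedure says to use the same tag number for all of them. The SSID list travels in Vendor-Specific (26) with Cisco vendor ID 9, sub-type 1 (the "[026/009/001] cisco-av-pair" the ACS UI refers to). The attribute numbers and values are from RFC 2865/2868; VLAN 10 and the SSID names are made-up sample data.

```python
import struct

# Attribute numbers from RFC 2865/2868 and the Cisco VSA; matches the ACS steps above.
TUNNEL_TYPE = 64              # IETF 64, value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # IETF 65, value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # IETF 81, string = VLAN ID
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9           # "[026/009/001] cisco-av-pair" in the ACS UI
CISCO_AV_PAIR = 1
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def _avp(attr_type, value):
    """Plain RADIUS AVP: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: one tag octet followed by the string."""
    return _avp(attr_type, bytes([tag]) + text.encode())


def cisco_av_pair(text):
    """Vendor-Specific (26) carrying Cisco (9) sub-attribute 1, e.g. 'ssid=LEAP_WEP'."""
    data = text.encode()
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AV_PAIR, len(data) + 2]) + data
    return _avp(VENDOR_SPECIFIC, vsa)


def build_accept_attrs(vlan_id, ssid=None, tag=1):
    """Attributes ACS would return for step 4a (plus step 4b when an SSID is given)."""
    attrs = tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
    attrs += tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
    attrs += tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
    if ssid is not None:
        attrs += cisco_av_pair("ssid=" + ssid)
    return attrs


def parse_attrs(raw):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        out.append((attr_type, raw[i + 2:i + length]))
        i += length
    return out


def decode_accept(raw):
    """NAS-side view: returns (vlan_id or None, allowed SSIDs).

    64/65/81 are grouped by tag; a VLAN is only returned when one tag carries all
    three with Tunnel-Type=VLAN and Tunnel-Medium-Type=802 (hence 'same tag' above).
    """
    groups, ssids = {}, []
    for attr_type, value in parse_attrs(raw):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string.
            tag, text = (0, value) if value[0] > 0x1F else (value[0], value[1:])
            groups.setdefault(tag, {})[attr_type] = text.decode()
        elif (attr_type == VENDOR_SPECIFIC and len(value) >= 4
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            j = 4
            while j + 2 <= len(value):
                sub_type, sub_len = value[j], value[j + 1]
                if sub_len < 2 or j + sub_len > len(value):
                    raise ValueError("malformed Cisco VSA")
                if sub_type == CISCO_AV_PAIR:
                    key, _, val = value[j + 2:j + sub_len].decode().partition("=")
                    if key == "ssid":
                        ssids.append(val)
                j += sub_len
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID], ssids
    return None, ssids


def ssid_allowed(requested, allowed):
    """SSID check as the document describes it: exact, case-sensitive match."""
    return requested in allowed


if __name__ == "__main__":
    accept = build_accept_attrs(10, ssid="LEAP_WEP")  # sample VLAN 10, doc's example SSID
    print(accept.hex())
    print(decode_accept(accept))
    print(ssid_allowed("leap_wep", decode_accept(accept)[1]))
```

Two things this makes visible that the ACS click-path does not: a reply where 81 carries a different tag from 64/65 decodes to no VLAN at all, and the SSID comparison is byte-for-byte, so a user configured for "LEAP_WEP" will not be admitted to "leap_wep". Getting the attributes into the Access-Accept is also only half the job; the NAS has to be configured to act on them (on a Cisco WLC that is the per-WLAN AAA override setting for the VLAN part), which the quoted ACS procedure does not cover.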

New Member

Re: VLAN Membership with ACS

Hi

I tried it (option B) and restricted the user by SSID.

But it does not work on the WLC4402; the user can still access the network using all SSIDs.

Greetings

Jarle

New Member

Re: VLAN Membership with ACS

Could this be an issue of needing ACS 4.0 to work with Airespace RADIUS?

Silver

Re: VLAN Membership with ACS

I think it's best to contact the TAC; there are numerous white papers/tutorial docs kicking around on cisco.com (most not easy to find).

The TAC should have them easily to hand.

Darran

New Member

Re: VLAN Membership with ACS

Hello,

I actually have the same problem, and we are using ACS 4.0.
