Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Dynamic VLAN Assignement via ACS and Active Directory

Hi Everybody,

Is it possible to manage IETF Radius Attributes for a user or a user group in a Windows Active Directory Database in the case of an installation of Cisco Secure ACS v3.2 with an externally user database (Active Directory).

My Idea is to manage only one user database (active directory) to assign a user a VLAN in Wireless technology (Radius Attributes 64,65 and 81).

What else do I have to configure in ACS (than the externally user database) or in Active Directory ?


New Member

Re: Dynamic VLAN Assignement via ACS and Active Directory


I have just had the opportunity to deploy this very scenario.

Yes, as you say, you need IETF Radius Attributes 64,65 and 81 enabled for Groups. The you need under Interface Configuration, Advanced options to makes rue that you have ticked the following:

Per User Tacacs+/Radius Attributes

User Level Network Access Restrictions#

Group Level Shared Network Access Restrictions

Group Level Network Access Restrictions

Then the 64,65, and 81 Attributes show up in the Group Setup section. Check these and then for either Tag 1 or Tag 2 (you can change the default to see more tags) choose, VLAN, 802 and then a VLAN ID number in each respective section. Do this for each VLAN group you want to deploy.

Then, External User Databases, Unknown User Policy, check external databases to verfiy your domain/s AD, then in Database group mappings, create a profile for each of your domains, assigning a particular NT/2000 user group/groups to a particular ACS group, which tne maps to a particular VLAN (the Radius attributes stuff above)

That should just about do it!

CreatePlease login to create content