Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and not found what I am looking for specifically, so here it goes.
1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration: for the VLANs to be assigned to the various users at their ports, will every VLAN name in the RADIUS settings have to be in the switches which are used for access?
2) Is there a limit to the number of VLANs that can be assigned by the RADIUS (IETF) portion of ACS, or would it be better to use RADIUS (IOS/PIX)? I am thinking of about 15 VLANs.
I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
I am assuming that you are using 802.1x to accomplish this, correct?
1) Your 2nd sentence doesn't quite make sense. However, I'll give it a shot. If you use Active Directory, you assign the users to an AD Group. You use ACS Group mappings to correlate an AD Group to a specific ACS Group. The ACS group has the RADIUS attributes which assign the user to their respective VLANs.
2) AFAIK, there is not a limit to the number of VLANs that can be used by RADIUS. However, remember that each user can only belong to 1 ACS Group.
Ok, I was a little hurried before, I will try to be a little clearer.
I have the hardware mentioned before, ACS 3.3 and a configured domain with AD running. I want to do 802.1x using AD for my user authentication. I have already tested the 802.1x with a few local ACS users to confirm that was working properly (so I kinda answered my first question; I used the RADIUS attributes 64, 65 & 81).
On my second question thanks for the heads-up.
I guess I do have a slightly different question now. Once I have my users authenticating through the database mapping, is it possible to apply ACLs from the ACS server to the user groups, or would it be better to run them directly from the switch?
Access Control Lists. I am thinking it is better to apply the ACLs at the closet (access) switches, where I can specify the servers that should be reached by the hosts in my test VLAN and deny those which they should not.
I used a named extended ACL for my tests; however, it did not go well. With the ACL below applied I cannot reach anything, including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway; however, with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507; the 2 VLANs I am working with are trunked to the 2950 and DHCP is running. I have IP routing enabled on the 4507 and it is the server for the VTP domain.
ip access-list extended guest
permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
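Added example, not from the thread: a small Python model of how IOS evaluates the mask field of an extended ACL entry as a wildcard mask (1 bits are "don't care"), which is why 255.255.255.0 in the posted list matches only source addresses whose last octet is 0 and the implicit deny at the end drops everything else. The source and host addresses are the ones from the post; the other sample addresses and the simplified entry format (protocol, ports and the interface direction are ignored) are constructed for the example.

```python
import ipaddress

# The ACL as posted, and the same intent written with the wildcard masks
# IOS actually expects. Entry format (constructed): (action, base, mask, host).
POSTED_ACL = [
    ("permit", "172.16.12.0", "255.255.255.0", "172.16.12.1"),
    ("permit", "172.16.12.0", "255.255.255.0", "172.16.2.254"),
]
FIXED_ACL = [
    ("permit", "172.16.12.0", "0.0.0.255", "172.16.12.1"),
    ("permit", "172.16.12.0", "0.0.0.255", "172.16.2.254"),
]


def subnet_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: the IOS wildcard is the bitwise inverse."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS semantics: only the bits that are 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, base, wildcard, host in acl:
        if wildcard_match(src, base, wildcard) and dst == host:
            return action
    return "deny"


def render(acl) -> list:
    """Render entries as IOS 'permit ip <base> <wildcard> host <host>' lines."""
    return [f"{a} ip {b} {w} host {h}" for a, b, w, h in acl]


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        # 172.16.12.37 is a constructed host in the test VLAN
        print(name, acl_action(acl, "172.16.12.37", "172.16.12.1"))
    print("\n".join(render(FIXED_ACL)))
```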