01-12-2006 07:06 AM - edited 03-03-2019 01:24 AM
Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and no found what I am looking for specifically so here it goes.
1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports will every VLAN name in the RADIUS settings have to in the switches which are used for access?
2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
Thanks for any help...
Kelvin
01-12-2006 09:07 PM
I am assuming that you are using 802.1x to accomplish this, correct?
1) Your 2nd sentence doesn't quite make sense....However, i'll give it a shot. If you use Active Directory, you assign the users to an AD Group. You use ACS Group mappings to correlate an AD Group to a specific ACS Group. The ACS group has the RADIUS attributes which assigns the user in their respective Vlans.
2) AFAIK, there is not a limit to the number of VLAN's that can be used by RADIUS. However, remember that each users can only belong to 1 ACS Group.
01-13-2006 07:31 AM
Thanks for your reply.
Ok, I was a little hurried before, I will try to be a little clearer.
I have the hardware mentioned before, ACS 3.3 and a configured domain with AD running. I want to do 802.1x using AD for my user authentication. I have already tested the 802.1x with a few local ACS users to confirm that was working properly (so I kinda answered my first question, I used the RADIUS attributes 64, 65 & 81)
On my second question thanks for the heads-up.
I guess I do have slighty different question now. Once I have my users authenticating through the database mapping, is it possible to apply ACLs from the ACS server to the user groups or would it be better to run them directly from the switch.
Thanks
Kelvin
01-16-2006 02:09 PM
By ACL's, what do you mean?
01-18-2006 09:42 AM
Access Control Lists..I am thinking it is better to apply the ACLs at the closet (access) switches where I can specify the servers that should be reached by the hosts my test VLAN and deny those which they should not.
I used a named extended ACL for my tests however, it did not go well. With the ACL below applied I cannot reach anything including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway however with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507 the 2 VLANs I am working with are trunked to the 2950 and dhcp is running. I have IP routing enable on the 4507 and it is the server for the VTP domain.
ip access-list extended guest
permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
deny ip any any
Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide