Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
625
Views
0
Helpful
4
Replies

Using ACS for VLAN assignment

k.alleyne
Level 1
Level 1

‎01-12-2006 07:06 AM - edited ‎03-03-2019 01:24 AM

Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and no found what I am looking for specifically so here it goes.

1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports will every VLAN name in the RADIUS settings have to in the switches which are used for access?

2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.

I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.

Thanks for any help...

Kelvin

Labels:
0 Helpful
4 Replies 4

Darthkim_2
Level 1
Level 1

‎01-12-2006 09:07 PM

I am assuming that you are using 802.1x to accomplish this, correct?

1) Your 2nd sentence doesn't quite make sense....However, i'll give it a shot. If you use Active Directory, you assign the users to an AD Group. You use ACS Group mappings to correlate an AD Group to a specific ACS Group. The ACS group has the RADIUS attributes which assigns the user in their respective Vlans.

2) AFAIK, there is not a limit to the number of VLAN's that can be used by RADIUS. However, remember that each users can only belong to 1 ACS Group.

0 Helpful

k.alleyne
Level 1
Level 1
In response to Darthkim_2

‎01-13-2006 07:31 AM

Thanks for your reply.

Ok, I was a little hurried before, I will try to be a little clearer.

I have the hardware mentioned before, ACS 3.3 and a configured domain with AD running. I want to do 802.1x using AD for my user authentication. I have already tested the 802.1x with a few local ACS users to confirm that was working properly (so I kinda answered my first question, I used the RADIUS attributes 64, 65 & 81)

On my second question thanks for the heads-up.

I guess I do have slighty different question now. Once I have my users authenticating through the database mapping, is it possible to apply ACLs from the ACS server to the user groups or would it be better to run them directly from the switch.

Thanks

Kelvin

0 Helpful

Darthkim_2
Level 1
Level 1
In response to k.alleyne

‎01-16-2006 02:09 PM

By ACL's, what do you mean?

0 Helpful

k.alleyne
Level 1
Level 1
In response to Darthkim_2

‎01-18-2006 09:42 AM

Access Control Lists..I am thinking it is better to apply the ACLs at the closet (access) switches where I can specify the servers that should be reached by the hosts my test VLAN and deny those which they should not.

I used a named extended ACL for my tests however, it did not go well. With the ACL below applied I cannot reach anything including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway however with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507 the 2 VLANs I am working with are trunked to the 2950 and dhcp is running. I have IP routing enable on the 4507 and it is the server for the VTP domain.

ip access-list extended guest

permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1

permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254

permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53

deny ip any any

Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?

0 Helpful
Customers Also Viewed These Support Documents