1. A Domain user/PC connects, user login to AD and assigned to a user VLan.
This is possible by using RADIUS extended attributes, to assign VLAN dynamically.. for this to work ,you need to define the radius server host & key on the switch/NAD. then enable dot1x on the switchport, to force authentication through RADIUS.. you can have a NAC client to key-in your AD username/password.. You would need to configure your RADIUS server to send vendor-specific attributes:
– Tunnel-Type = VLAN
– Tunnel-Medium-Type = 802
– Tunnel-Private-Group-ID = VLAN name or VLAN ID
refer to CCO for more info on how the ACS server is configured for sending this info... apart from this on the switch configure "radius-server host x.x.x.x auth-port 1612 key *****" and the appropriate aaa commands to force dot1x to refer to RADIUS "aaa authentication dot1x default radius"
2. A printer is connected and assigned to a printer VLan.
For printers, or any non-dot1x compliant device, its general to use MAC authentication Bypass feature.. by doing this we can make sure the ports connecting to printers use the default "Switchport access vlan " configuration on these ports.. with MAB, we add the MAC address of the printer on the ACS server (with pw as mac-address) and make sure the printer is authenticated via the switch.. if you dont want to use MAC address for bypassing dot1x, you can probably disable dot1x on such ports.. similar methodology can be adopted for Servers, which wouldnt need dot1x.. since there are few printers & servers on networks, you can disable dot1x on these ports...
3. A guest connects and is assigned to a guest VLan.
This is achieved by using the guest-vlan feature.. guests who dont have dot1x client, will be put on a seperate isolated VLAN called guest vlan.. you can create a vlan say vlan 99 on the switch for guests, and on the switchport configure "dot1x guest-vlan 99" .. this would make sure the guests are seperated and isolated.. make sure you have vlan ACLs on VLAN 99 to restrict traffic for guest users only to internet, or place them behind DMZ of firewalls... you also have "authentication failure" VLAN which you can enable for production users when they fail authentication...
Refer to this Guide.. it has all information about 802.1x on switches...
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :