Cisco Support Community
New Member

Dot1x -> WLC -> ACS -> Windows profiling

Hello,

Does anyone have any experience with the following setup:

We want users to authenticate through Dot1x with their Windows credentials.  The RADIUS server for dot1x will be ACS, which uses a Windows DC for authentication.  Then we would like the ACS to grab a role based on DC OU, group, etc. and send that back to the WLC for profiling?

Sounds crazy I know but I think it can be done with an ISE server but we don't want to buy that if we don't have to. Can this be possible with just ACS?

Thanks!

5 REPLIES

Dot1x -> WLC -> ACS -> Windows profiling

When you say "grab a role" are you looking to use that role to push down an attribute?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

Dot1x -> WLC -> ACS -> Windows profiling

Sorry if I am being confusing but here's what I'd like to do:

If someone from an ITAdmin group on Win DC signs onto wireless, I'd like that to be passed to ACS and then passed to WLC for profiling and be assigned to certain VLAN/subnet.

Dot1x -> WLC -> ACS -> Windows profiling

OK, we can do something with that easily enough.

On your ACS you need to build a group for IT; in its AAA attributes you want to return 64/65/81 VLAN/802/<vlan ID>.

Rinse and repeat for the other groups.

On the WLC, you need to create the VLAN interfaces, and set the WLAN to have AAA override enabled.

Now when a user gets authenticated, the ACS will pass back the attributes to assign the user to the appropriate VLAN.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#Rserver1

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

Dot1x -> WLC -> ACS -> Windows profiling

Thank you so much for your reply.

So you would have to create all of the groups on the ACS itself?  It couldn't pull some attributes from the DC/LDAP server and classify that way?

Hall of Fame Super Silver

Dot1x -> WLC -> ACS -> Windows profiling

You don't have to create any group on ACS... You create policies that define "if a user is part of group X, here is its VLAN", etc.  It's the policies that the RADIUS server will send back to the WLC.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
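To make the two answers above concrete, here is an added example (written for this page; it is not code from the thread, from ACS or from Cisco) that models both halves: the policy Scott describes, where AD group membership selects a VLAN with no local ACS groups, and the three RFC 2868 attributes Steve lists (64 Tunnel-Type = VLAN (13), 65 Tunnel-Medium-Type = 802 (6), 81 Tunnel-Private-Group-ID = <vlan ID>), encoded as RADIUS AVPs in the Access-Accept and then decoded the way a WLC with AAA override applies them. The group names, VLAN numbers, the RADIUS tag value, and the WLAN default VLAN are assumptions for illustration.

```python
"""RFC 2868 VLAN assignment in a RADIUS Access-Accept, plus the AD-group policy
that chooses the VLAN.  Illustrative model only; ACS and the WLC are not used."""

# RADIUS attribute numbers and enumerations from RFC 2868.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type "802"

# Assumed policy table (first match wins, like an ordered ACS authorization
# policy): Windows DC group name -> VLAN ID.  No groups exist on the RADIUS side.
GROUP_VLAN_POLICY = [("ITAdmin", 10), ("Finance", 20), ("Staff", 30)]


def select_vlan(user_groups):
    """Policy step: return the VLAN for the first matching DC group, else None."""
    for group, vlan in GROUP_VLAN_POLICY:
        if group in user_groups:
            return vlan
    return None


def avp(attr_type, value):
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte), Value."""
    length = 2 + len(value)
    if length > 255:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, length]) + value


def vlan_avps(vlan_id, tag=1):
    """Encode 64/65/81 for a VLAN.  RFC 2868 tunnel attributes carry a leading
    Tag octet (0x00-0x1F); assumed tag 1, which is what ACS shows as [T:1]."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    return (
        avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_avps(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting
    truncated or zero-length attributes instead of looping on them."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_accept(data):
    """WLC side: return the VLAN ID carried by 64/65/81, or None if any of the
    three is missing, inconsistent, or not a numeric VLAN ID."""
    tunnel_type = medium = group = None
    for attr_type, value in parse_avps(data):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")   # skip tag octet
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # String attribute: first octet is a tag only if it is <= 0x1F,
            # otherwise it is already part of the VLAN string (RFC 2868 3.6).
            group = value[1:] if value[0] <= 0x1F else value
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group is None:
        return None
    try:
        vid = int(group.decode("ascii"))
    except ValueError:
        return None
    return vid if 1 <= vid <= 4094 else None


def assign_vlan(access_accept, wlan_default_vlan, aaa_override):
    """WLAN behaviour: without AAA override the returned attributes are
    ignored and the client lands on the WLAN's own interface."""
    if not aaa_override:
        return wlan_default_vlan
    override = vlan_from_accept(access_accept)
    return override if override is not None else wlan_default_vlan


if __name__ == "__main__":
    # Constructed sample: a user whose DC groups include ITAdmin.
    groups = {"Domain Users", "ITAdmin"}
    accept = vlan_avps(select_vlan(groups))
    print(accept.hex())
    print("AAA override on :", assign_vlan(accept, 99, aaa_override=True))
    print("AAA override off:", assign_vlan(accept, 99, aaa_override=False))
```

Two things worth checking on a live setup follow directly from the model: if the WLAN's AAA override box is left unticked, the Access-Accept still succeeds and the client is silently placed on the WLAN's default interface (the `aaa_override=False` path), and the VLAN number in attribute 81 must match an interface that actually exists on the WLC, since a value the controller cannot map also falls back to the default.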