Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.

Mac Address Bypass

I am using ACS 5.4 and am trying to use groups to distinguish between two different types of host in order to specify vlan allocation per group.  e.g. I want a group for Laptops and a group for Printers.  Neither will be passing 802.1x (although I know the laptop can) and so I want to be able to say that if a particular host is an a specific group then add it to the specific vlan. Each device is added on the ACS as a host using its MAC Address for identification.

So far I have created identity groups for Laptops and Printers and added the hosts in appropriately.

I have an authorisation profiles for laptops and a separate one for printers.   Each one simply specifies the vlan required.

With access policies I have create an Access Service for laptops and another one for printers.

Under the service selection rules I have created a separate rule for each which match Protocol = Radius and match UseCase=Host Lookup and based on this the result points to the respective Service.   However I think this is where my problem is. Both the laptop and printer use the same 2 sets of criteria and because the printers rule is higher then it's rule is taken, so my laptop ends up in the printers vlan.

Is there a way to configure the service selection so it can identify whether my device is either a laptop or printer and therefore make the correct decision on which service to select ?


CreatePlease to create content