802.1x with dACL - invalid attribute prefix: "ACS"

Similar Messages

• Getting invalid-attribute-value Error during Delta Import on Call-based ECMA2

  I'm developing an ECMA2 MA to which supports delta imports.  I have found very few samples of working code to do delta imports, so my attempts are created
  using a lot of trial and error... Any samples of working Call based MA's with delta support would be much appreciated :-)
  The data is located in a SQL server and the schema (for delta) is like this (simplified):
  EmpID string
  Status string
  UPDATESTATUS string (<-- This is the update column with values New/Update/Delete)
  For each EmpID, there may be multiple Status values, i.e. Status should be imported into a multi value attribute in FIM.
  For the full import this is working as expected, but I run into issues when attempting to do the delta imports
  The code for the delta import
  private
  GetImportEntriesResults GetImportEntries_Delta(GetImportEntriesRunStep importRunStep)
  GetImportEntriesResults importReturnInfo;
  List<CSEntryChange> csentries =
  new List<CSEntryChange>();
  string employeeID =
  null;
  string appStatus =
  null;
  string currEmployeeID =
  CSEntryChange csentry =
  null;
  List<string> appStatusList =
  new List<string>();
  string changeMode =
  for (int i = currentReadRecord; i <= da.Tables["AppStatus"].Rows.Count - 1; i++)
  if (currEmployeeID != da.Tables["AppStatus"].Rows[i].ItemArray.GetValue(0).ToString().Trim())
  if (currEmployeeID !=
  "") // this should be true except for the first run
  csentry.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("IdentityStores", appStatusList));
  csentries.Add(csentry);
  appStatusList = new
  List<string>();
  if (csentries.Count >= m_importPageSize)
                currentReadRecord = i;
  importReturnInfo = new
  GetImportEntriesResults();
  importReturnInfo.MoreToImport = (i <= da.Tables["AppStatus"].Rows.Count - 1);
  importReturnInfo.CSEntries = csentries;
  return importReturnInfo;
  changeMode = da.Tables["AppStatus"].Rows[i].ItemArray.GetValue(2).ToString().Trim();
  csentry = CSEntryChange.Create();
  csentry.ObjectType = "ApplicationIdentity";
  employeeID = da.Tables["AppStatus"].Rows[i].ItemArray.GetValue(0).ToString().Trim();
  currEmployeeID = (string)employeeID;
  switch (changeMode)
  case "New":
  csentry.ObjectModificationType = ObjectModificationType.Add;
  csentry.AttributeChanges.Add(AttributeChange.CreateAttributeAdd("EmployeeID", employeeID));
  break;
  case "Update":
  csentry.ObjectModificationType = ObjectModificationType.Update;
  csentry.DN = employeeID;
  break;
  case "Delete":
  csentry.ObjectModificationType = ObjectModificationType.Delete;
                       csentry.DN = employeeID;
  break;
  default:
  throw new
  UnexpectedDataException(string.Format("Unknown modification type: {0}", changeMode));
  appStatus = da.Tables["AppStatus"].Rows[i].ItemArray.GetValue(1).ToString().Trim();
  appStatusList.Add(appStatus);
  // save the last object
  if (csentry != null)
  csentry.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("IdentityStores", appStatusList));
  csentries.Add(csentry);
  importReturnInfo = new
  GetImportEntriesResults();
  importReturnInfo.MoreToImport = false;
  importReturnInfo.CSEntries = csentries;
  return importReturnInfo;
  The code compiles and executes, but the delta import fails with the "invalid-attribute-value" message per csentry.
  From the eventlog I have the following message
  The server encountered an unexpected error while performing an operation for a management agent.
  "System.InvalidCastException: Unable to cast object of type 'System.Collections.Generic.List`1[System.String]' to type 'System.String'.
     at Microsoft.MetadirectoryServices.Impl.Ecma2ConversionServices.AddAttributeToDImage(CDImage* pdimage, String attributeName, AttributeModificationType
  attributeModificationType, IList`1 attributeValueChanges, Int32 escapeReferenceDNValues)
     at Microsoft.MetadirectoryServices.Impl.Ecma2ConversionServices.ConvertToDImage(CSEntryChange csEntryChange, CDImage** ppDImage, Int32 escapeReferenceDNValues)
     at Microsoft.MetadirectoryServices.Impl.ScriptHost.InvokeExtMA_ImportEntry(UInt32 cBatchSize, UInt16* pcszCustomData, UInt32 cFullObject,
  _OCTET* rgoctFullObject, UInt32* rgomodt, UInt32* pcpcszChangedAttributes, UInt16*** prgpcszChangedAttributes, Int32 fIsDNStyleNone, UInt16** ppszUpdatedCustomData, _OCTET* rgoctCSImage, Int32* rgextec, UInt16** rgpszErrorName, UInt16** rgpszErrorDetail, Int32*
  pfMoreToImport)"
  To me it seems as if FIM is unable to process the List of strings that is returned when processing the delta. Remember that this works OK when doing the full import. 
  Do you have any suggestions as to why this fails?
  Kjetil

  Hi,
  Thank you Søren! I got some good clues for the right direction from your answer. If anyone would be looking same answers the correct solution would be down below. I hope it would be help for someone else too.
  Get-Shema.ps1
  $obj
  = New-Object
  -Type PSCustomObject
  $obj
  | Add-Member
  -Type NoteProperty
  -Name "Anchor-Id|String"
  -Value 1
  $obj
  | Add-Member
  -Type NoteProperty
  -Name "objectClass|String"
  -Value "user"
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "IsLicensed|Boolean"
  -Value $true
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "FirstName|String"
  -Value ""
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "LastName|String"
  -Value ""
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "mail|String"
  -Value ""
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "immutableId|String"
  -Value ""
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "DisplayName|String"
  -Value ""
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "UsageLocation|String"
  -Value ""
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "ProxyAddresses|String[]"
  -Value ("","")
  $Obj
  | Add-Member
  -Type NoteProperty
  -Name "Licenses|String[]"
  -Value ("","")
  $obj
  Import.ps1
  #Always pass objects as hash table in pipeline
  foreach ($User
  in $Users)
  $obj = @{}
  $obj.Add("Id",
  $User.UserPrincipalName)
  $obj.Add("objectClass",
  "user")
  $obj.Add("IsLicensed",
  $User.IsLicensed)
  $obj.Add("FirstName",
  $User.FirstName)
  $obj.Add("LastName",
  $User.LastName)
  $obj.Add("mail",
  $User.UserPrincipalName)
  $obj.Add("immutableId",
  $User.immutableId)
  $obj.Add("DisplayName",
  $User.DisplayName)
  $obj.Add("UsageLocation",
  $User.UsageLocation)
  $obj.Add("ProxyAddresses", ($User.ProxyAddresses
  -ne ""))
  $obj.add("Licenses", ($User.Licenses.AccountSkuId))
  $obj
  Marti

• ACS 5.4 with DACL over wireless and wired network

  Hi my name is Ivan, I have a question
  I have a deployment in my network wired at this way:
  Profile 1: corporate's users are working with 802.1X to authenticate computers and users with eap peap mschap v2 and Mac Filtering configuring in the Cisco WLC. My ACS 5.4 is integrate to the Active Directory.
  Profile 2: Telephonies IP authenticate with MAB. All the Mac Address are registered in to the ACS locally.
  Profile 3: user guest authenticate with portal web from Cisco Wireless Lan Controller over the wired network, and the account exist in to the WLC Lobby Ambassador
  A my deployment in the wireless network is in this way:
  Flex Connect with central authentication and local switching to connect 15 sites over the wan network.
  SSID 1: users corporate working with 802.1X to authenticate users with peap mschap v2 and Mac Filtering configuring in the Cisco WLC. My ACS 5.4 is integrate to Active Directory.
  SSID 2: users guest working with portal web from Cisco Wireless Lan Controller over the wireless network, and the account exist in to the WLC Lobby Ambassador.
  I would like to configure in the Cisco ACS 5.4 Downloadable Access List (DACL) to use in my network wired and wireless.
  How can I do it to my scenary?
  Please could you help me?
  Regards
  Ivan.

  Hello. To avoid confusion, let's divide the WLC based upon the operating system.
  There are WLCs who run AirOS. That includes WLC 4400, but also includes WLC 5500.
  There are WLCs who run IOS-XE. That includes the new Catalyst 3850-X and WLC 5700. (also I think can run AirOS too).
  IOS-XE fully support DACL. On the other hand AirOS support DACL partially.
  From ACS point of view, when you configure DACL for IOS you configure not only the name of the access-list, but also the access-list entries. That way the IOS devices don't need to have the ACLs pre-configured. This is great because  you only need to create and update the access-list entries from only one place (which is ACS) and deploy easily to hundreds of switches.
  On the other hand, when ACS configures DACL for AirOS it can only specify the name of the access-list. The AirOS device needs to configure the access-list with a name exactly as configured on the ACS. Sadly, each AirOS device also needs to configure all acess-list entries.
  It seems you want to configure DACL along with other attributes. If you explain me a little more your requirement I can show you what to configure.
  Best regards

• 802.1x with ACS and Windows AD

  Hi
  Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
  I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
  Marco

  Hi Marco,
  i guess you've missed a mapping configuration in the Access Policy Section.
  Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
  You'll see the new service click Identity.
  Select the identity source you've created then save.
  Click on authorization
  Select a default authorization rule permit access and save.
  Create a Service Access Rule name it 802.1x
  Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
  then you can try again.
  regards
  alex

• 802.1x with AD support via ACS 4

  Hello ,
  I have been trying to configure 802.1x Authentication on a test switch . Authentication will be provided by the ACS server . This worked when I had the client setup for EAP-MD5 and had local user accounts on the ACS server . However this is impractical if we were to deploy this on a large scale. How can i configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database . The trouble is AD does not support EAP-MD5. It supports PEAP but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake "
  Has anyone here setup 802.1x with AD integration via ACS 4.0 . Please help.
  Thanks.
  Karthik

  Hi Karthik,
  The SSL handshake will fail in our experience for any of the following reasons:
  - The supplicant cannot access the private key corresponding to it's certificate - check that the system a/c has pemissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
  - The ACS sever does not trust the Root Certificate for the PKI that issued the supplicants certificate - Is the Supplicants Root CA present in the ACS Certificate Trust List?
  - CRL checking is enabled and the CRL has expired or is inaccessible
  If you up the logging levels to full and examine the csauth log closely you should get more detail as to the reason
  Hope that helps
  Andy

• 802.1x with alcatel phone with cisco acs 5.0

  Hi All, can any one  has done the implementation of 802.1x with alcatel phone where pc will be behind the phone and cisco switch ports are configured as trunk. Trunk native vlan is data vlan for pc and trunk carrying voice vlan.
  when trunk mode is enabled I can not configure 802.1x on trunk interface. does any one help me to get rid of this situation..
  Thanks

  Hi,
  Did you find any solution?. Did you tried with the command switchport voice vlan?.
  Regards,
  Mauricio

• 871 802.1x with vlan assignment aka dynamic vlan

  you can do vlan assignment on 871W wireless using the local radius server but unfort only LEAP which is N.G.
  I have been pounding on wired 802.1x PEAP (which works) trying to get vlan re-assignment. Have tried with IAS which I am using to do vlan reassignment with the WLC so I have the idea of how it works with IAS. With 871, no go. Have also tried ACS for radius with same results: can't escape the switchport's vlan. With debug radius local you can see the tunnel attributes for reassignment plainly but with debug radius with IAS or ACS, nada.
  Using 12.4(6)T advanced IP.
  I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
  Has anybody got this to work? Any info much appreciated
  Greg Turner

  SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
  802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
  SNMPv3 is supported.
  HTH
  Andy

• Wired 802.1x with PEAP

  I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
  Setup:
  C3750 switch - Cisco ACS 3.2 - Windows AD
  Sequence of events:
  1. 802.1x machine authentication
  2. User logs in to domain
  3. 802.1x with user credentials
  But, I have the following issues:
  i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
  ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
  Any solution for this?
  Tks

  2 issues here:
  *Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
  * Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well.

• Cisco ip phones authenticate 802.1x with cisco ise

  Dears,
  I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
  I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
  Thanks. 

  802.1x configuration for IP Phones
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

• Wireless 802.1x with Window 7

  I have a WLC 6.0,  ACS 3.3 and the SSID is setup to use 802.1x with Peap Authentication.   The clients are using Windows 7 to connect to wireless.     To get the clients connected they have to go into there network properties if the wireless card,  configure the client to use PEAP,  uncheck validate server certificate, and also uncheck use computer name to login into windows.  This works fine and the user to able to connect to to wireless after dong all these steps and then entering in there Windows Username and Password.    The customer is saying that this is to many steps for the end user and they just want the user to to click on the SSID and connect.  If wireless could also be setup to use  there windows username and password   would be a bonus.  I'm basically looking for a solution that is simple but is also secure as well.  I know that's an oxymoron.   Is there anything I could do to make the wireless process simpler.  Either by going with a different security authentication or by doing something different on the clients computers.   Thanks for any help and suggestions. 

  This is a script that we use on our campus (University of Leeds), that self configures an 802.1x connection and when a user connects to an 802.1x connection merely asks them for their username and password, which then remained cached.
  The .exe you create takes away all the techy bits that do 'confuse' some users, even if they are provided with well written documentation.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  https://sourceforge.net/projects/su1x/
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  http://lsayregj.swan.ac.uk/su1x/SU1X_User_Guide-v104.pdf
  Features include:
  - Automation of configuration of a PEAP wireless connection on XP(SP3),Vita and Win 7
  - Can set EAP credentials without additional user interaction (avoids tooltip bubble)
  - Installation of a certificate (silent)
  - Checks for WPA2 compatibility and falls back to a WPA profile
  - Third party supplicant check -SSID removal and priority setting
  - Support tab: (checks: adapter, wzc service, profile presence, IP)
  - Outputs check results to user with tooltip and/or to file
  - Printer tab to add/remove networked printer
  This tool is very cleverly written by Gareth Ayres at Swansea University

• CRS-5008: Invalid attribute value: ce0 for the network interface

  Hi all,
  we try to install grid infrastructure 11GR2 (11.2.0.1) into Solaris Zone with shared network interface.
  We also modified scirpt racgvip, so it will be able to login (via ssh with key authorization) to the global zone and add or remove interface on zone. Script itself works fine.
  But it seems that orarootagent some how checks the interface, and returned error.
  In the log of the orarootagent I can see error:
  2010-10-01 21:38:49.573: [ AGFW][9] CHECK initiated by timer for: ora.net1.network sapdr2db2 1
  2010-10-01 21:38:50.473: [ora.net1.network][17] [check] NetworkAgent::checkLink returned false
  2010-10-01 21:38:50.474: [ora.net1.network][17] [check] NetInterface::sGetIpAddress {
  2010-10-01 21:38:50.474: [ora.net1.network][17] [check] netInterfaceName empty.
  2010-10-01 21:38:50.474: [ora.net1.network][17] [check] NetInterface::sGetIpAddress }
  2010-10-01 21:38:50.474: [ AGFW][17] check for resource: ora.net1.network sapdr2db2 1 completed with status: OFFLINE
  2010-10-01 21:38:50.476: [ AGFW][17] Executing command: check for resource: ora.net1.network sapdr2db2 1
  2010-10-01 21:38:50.477: [ora.net1.network][17] [check] NetworkAgent::init enter {
  2010-10-01 21:38:50.478: [ora.net1.network][17] [check] Checking if ce0 Interface is fine
  2010-10-01 21:38:50.479: [ora.net1.network][17] [check] NetInterface::scheckNetInterface returned 0
  2010-10-01 21:38:50.480: [ora.net1.network][17] [check] CRS-5008: Invalid attribute value: ce0 for the network interface
  2010-10-01 21:38:50.480: [ora.net1.network][17] [check] NetworkAgent::init exit }
  2010-10-01 21:38:50.480: [ora.net1.network][17] [check] NetInterface::scheckNetInterface returned 0
  2010-10-01 21:38:50.480: [ora.net1.network][17] [check] NetworkAgent::checkInterface returned false
  Does anybody know how the orarootagent checks for the network resource?
  It seems that there are some procedures (NetworkAgent::checkLink, NetInterface::sGetIpAddress) inside it. But the problem is that this file is binary.
  Or may be there are some ways to track how orarootagent checks?

  >
  2010-10-18 18:11:07.589: [ora.net1.network][9] {0:2:8} [check] Checking if ce0 Interface is fine
  2010-10-18 18:11:07.589: [ora.net1.network][9] {0:2:8} [check] NetInterface::scheckNetInterface returned 0
  2010-10-18 18:11:07.590: [   AGENT][9] {0:2:8} UserErrorException: Locale is
  2010-10-18 18:11:07.591: [ora.net1.network][9] {0:2:8} [check] CRS-5008: Invalid attribute value: ce0 for the network interface
  >
  Is there anything I can do with it? Will appreciate any help!Is ce0 a valid interface on the machine? (has the global zone done "ifconfig ce0 plumb"?)
  Is the zone correctly configured (check output of the export sub-command of zonecfg)?
  --Sowmini                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

• 802.1x with the 6901 IP Phones

  Hello Experts,
  We  are testing the 802.1x with the 6901 IP Phones. And we can see on ACS  "EAP Session Timeout" In the logs, and cansee that the EAP Username used  by the phone is CP-6901-SEPB8BEBF220041.
  How ever following issues are stopping us to deploy it fully.
  How to enter password in IP Phone since It does not have LCD screen.
  Wetried IVR option, but it gives pin as an option, Is this Pin used as passwordfor 802.1x authentication.
  Dowe use any default password for this to work.
  Thanks in advance for the help.
  Regards
  Ronak Patel

  Overall, you need to try and deal with the fact that a machine can disappear from the network and the network may not know about it directly (i.e. Link doesn't go down).
  I have no idea what other phones do, but Cisco phones send an EAPOL-Logoff when something is unplugged. This lets the switch know directly, and 1X session start is torn down immediately, closing what would be a security hole.
  Fundamentally, re-auth is a workaround only, and this is not the reason to enable re-auth to begin with.
  If your phone doesn't send an EAPOL-Logoff in this case, the switch might be left thinking an attack is underway when someone else tries to plug in (with presumably a different MAC). You do NOT want this to occur.
  Hope this helps,

• 802.1x with Switch SRW2024-Web

  Hi@all,
  i want to implement a port based NAC with Windows Server 2008 NPS acting as RADIUS and some Linksys/Cisco SRW2024 - WebView Switches, using EAPoL and MD5-Auth.
  (SRW2024: http://www.cisco.com/en/US/products/ps9989/index.html)
  I am able to authenticate any Supplicant and open the port on the switch. But i've a probem with de VLAN-ID.
  I only wan't to authenticate the user on the Switch-Port. All incoming traffic is unttaged an the Switch should tag the frames with configured PVID in Access Mode. But the switch doesn't either tag with configured PVID nor tag with the RADIUS-attributs:
  Tunnel-Type -> VLAN
  Tunnel-Medium-Type -> 802
  Tunnel-Privat-Group-ID -> <VLAN-ID>
  anyone an idea, what i'm doing wrong?

  Well, i don't understand the world anymore....after the switch was accepting the radius-attributes,
  i removed the radius-attributes again...since that, the configured PVID in access-mode are working also.
  sometimes these switches driving me crazy.

• 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

  Currently Being Moderated
  802.1X for wired environments  using Radius/ACS for Dynamic Vlan Assignment
  Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.
  If possible show:
  1. ACS/Radius Configurations.
  2. End User Switch Configurations
  Variables:
  Switch A
  MAC Address aaaa.bbbb.cccc     Vlan 10
              bbbb.cccc.dddd     Vlan 20
  Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
  Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
  Thanks in advance. .

  Hi Guys,
      Hmmm, well if your just looking for Mac based authentication the good news is that is very easy.  Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc.  Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address.  Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)
     So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
     Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
      Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
      If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

• 802.1x with wireless - pls help :(

  I am trying to configure 802.1x on my wireless router (877) but no luck. Here is a part of my config. Radius is on Small Business Server 2008
  aaa new-model
  aaa group server radius rad_eap
  server 172.16.1.x auth-port 1812 acct-port 1813
  aaa group server radius rad_acct
  server 172.16.1.x auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization ipmobile default group rad_pmip
  aaa accounting network acct_methods start-stop group rad_acct
  dot11 ssid xxxx
     vlan x
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa'
     mbssid guest-mode
  radius-server host 172.16.1.x auth-port 1812 acct-port 1813 key xxxx
  With this config above I go to my laptop and try to connect like to a normal wiif, I can see username/pass box. I type and it fails. But at least the router tries to go to Radius (I can see a lot of debug messages). On Radius it fails with 'IAS INVALID AUTH'. probably because the card is not set up with 802.1x
  When I remove the line 'authentication key-management wpa' I am able to configure my wirless card with 802.1x but when I try to connect, my router does not contact with Radius at all (I know it as I turned on debug for radius and dot1x)

  Hi,
  Here is the configuration example link which gived step by step procedure to complete the task.. please follow the same and let me know if this helps!!
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080608364.shtml
  Please dont forget to rate the usefull posts!!
  Regards
  Surendra