ACS with Dynamic VLAN: which protocol to use?

Hello,
Which protocol do I need to use for providing dynamic VLAN to my desktop machines?
In ACS 4.0, if I use the local database of ACS, then users successfully get the dynamic VLAN, and as soon as I use the AD database while integrating it with ACS, the authentication fails!
Please help.

Hi,
Thanks for the reply. I am using EAP-MD5.
However, the problem is that if I am using the ACS Solution Engine local database, users are getting the dynamic VLAN after authentication.
But when I use AD as the user database, the authentication fails. An even stranger thing is that if I use the AD database to log in to any Cisco router, then the authentication works fine.
I have also been struggling with TAC since last week in two different cases! However, they are unable to help! I found TAC has limited resources for ACS.
So please suggest what to do, as on the Cisco site I found lots of stuff for wireless but I have only desktops (no wireless).
So will the URL mentioned below be of any help?
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
Thanks in advance
Vijay

Similar Messages

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone could post the pros and cons of using RADIUS/ACS/802.1X for dynamic VLAN assignments.
    Other technology sets that can be used for dynamic VLAN assignment, EXCEPT the deprecated/obsolete VMPS.
    Thanks in advance.

    Hi Guys,
    Hmmm, well, if you're just looking for MAC-based authentication, the good news is that it is very easy. Just create your RADIUS server (ACS, FreeRADIUS, Steel-Belted Radius, etc.). Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
    So for Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address. I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
    Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
    FreeRADIUS is a bit harder to configure in the specifics, and I am just now testing a FreeRADIUS server, so I do not know the process for machine authentication.
    If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.

  • Dynamic VLAN on Access Point using RADIUS

    Hi.
    I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC).
    I was wondering: is it possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS policy and RADIUS return attributes?
    I have configured the attributes on RADIUS as per the documentation:
    * IETF 64 (Tunnel Type)—Set this to VLAN.
    * IETF 65 (Tunnel Medium Type)—Set this to 802.
    * IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
    The returned VLAN ID exists on the access point, and direct connection to the SSID without the return value works okay.
    Each time I connect, the VLAN just defaults to the native VLAN for the SSID.
    I think it may be impossible without WLC!
    HELP!!

    From what I found when using MBSSID it appears you cannot use dynamic VLANs.
    However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
    Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
    However, I have a specific wireless device which cannot use dot1x/EAP, and therefore I need a second broadcast SSID to use for this, which then causes the dynamic VLAN setup not to work.

  • 802.1x authentication with dynamic VLAN assignment by a RADIUS server

    Hi
    At school I want to start using 802.1x authentication with dynamic VLAN assignment by a Windows Server 2012 R2 RADIUS server.
    When a student logs in, I want the client to be placed in the "Students" VLAN; when an administrative employee logs in, I want it to be placed in the "Administrative" VLAN; and when the client is unknown, I want to place it in the "Guest" VLAN.
    I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
    What does work:
    - If the client is permitted, the switch changes to the "authorized" state (before anyone logs on to the domain with that client).
    - When a user logs on who is part of the administrative employees, the switch changes to "authorized", and when a student logs on, it changes to "unauthorized".
    So far so good.
    But what doesn't work:
    - It does not put the administrative employee in the VLAN "Administrative"; it just enables the port on the switch but leaves it in the default VLAN 1.
    - I cannot find the Guest VLAN.
    Any help would be appreciated.

    Hi Wouter,
    Can you see the VLAN attribute in the RADIUS accept message in the packet capture? Also please ensure you have the latest firmware and boot code:
    http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
    I would recommend that you open a ticket with the Small Business team so they can go through the packet capture and configuration steps with you:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Aleksandra 
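
Added example, not part of the original thread: a Python check for the question raised in the reply above, whether the Access-Accept in a capture carries the three attributes quoted on this page (IETF 64, 65 and 81). The function names and sample packets are constructed for illustration; the values 13 (VLAN) and 6 (802) and the optional tag byte are taken from RFC 2868 and RFC 3580, and the response authenticator is not verified.

```python
import struct

# Attribute numbers named in the threads on this page (IETF 64, 65, 81).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6      # enumerated values for "VLAN" and "802" (RFC 3580)
ACCESS_ACCEPT = 2

def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20                      # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def check_vlan_attributes(packet: bytes):
    """Return (vlan, problems); problems is empty when all three attributes fit."""
    code, attrs = parse_radius(packet)
    found = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")   # skip 1-byte tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:                              # optional tag byte
                value = value[1:]
            found[atype] = value.decode("utf-8", "replace")
    problems = []
    if code != ACCESS_ACCEPT:
        problems.append("packet is not an Access-Accept")
    if found.get(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type (64) is missing or not VLAN")
    if found.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append("Tunnel-Medium-Type (65) is missing or not 802")
    if not found.get(TUNNEL_PRIVATE_GROUP_ID):
        problems.append("Tunnel-Private-Group-ID (81) is missing")
    return found.get(TUNNEL_PRIVATE_GROUP_ID), problems

# Constructed sample packets (zeroed authenticator, not taken from a capture).
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_packet(code: int, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

WITH_VLAN = build_packet(ACCESS_ACCEPT, [attr(64, b"\x00\x00\x00\x0d"),
                                         attr(65, b"\x00\x00\x00\x06"),
                                         attr(81, b"Administrative")])
WITHOUT_VLAN = build_packet(ACCESS_ACCEPT, [attr(6, b"\x00\x00\x00\x02")])  # Service-Type only

if __name__ == "__main__":
    for name, pkt in (("with VLAN", WITH_VLAN), ("without VLAN", WITHOUT_VLAN)):
        print(name, check_vlan_attributes(pkt))
```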

  • Have family plan with 250 data which I almost use each month.  Going on vacation and will be on the road for two weeks.  Should I up my data for a month then change back.  Is it worth it or should I just run over and pay the extra 15 per gig?

    have family plan with 250 data which I almost use each month.  Going on vacation and will be on the road for two weeks.  Should I up my data for a month then change back.  Is it worth it or should I just run over and pay the extra 15 per gig?

    Hello mlazaretti. Vacation time is awesome. (Especially a road trip!) Since you will be going out for two weeks, you never know if having extra data may come in handy. I highly recommend switching to the next tier up so this way you have more data. This way it is only $10.00 more versus $15.00, and you don't have to worry about overages. Then change back at the start of the next billing cycle.
    If you need help making this change let us know! Have a safe trip!
    NicandroN_VZW
    Follow us on twitter @VZWSupport

  • ACS + VMWare thin clients with dynamic vlans

    Good afternoon,
    I need to deploy a solution with thin clients and dynamic VLANs (802.1x). All switches are Catalyst 3560 and superior.
    Can I do this using only the ACS? Will it work?
    Thank you

    Hi,
    Dynamic VLAN assignment can be configured on the ACS.
    Please see the configuration example at the link below. This configuration example is for WLC, but the ACS configuration is the same.
    http://tinyurl.com/2oxg32
    If you have any doubts, do not hesitate to contact me.

  • Hello to tuti, what must I do to import into FCE mov video converter registered with Nikon D3100, which should I use? thanks from italy monza rudy

    Hello , what must I do to import into FCE the mov video converter registered with Nikon D3100,
    the timeline of the rendering is orange (fce)
    which should I use?
    thanks from italy monza rudy

    rodolfofromconcorezzo wrote:
    Hello , what must I do to import into FCE the mov video converter registered with Nikon D3100,
    the timeline of the rendering is orange (fce)
    which should I use?
    thanks from italy monza rudy
    I do not understand the part regarding importing the Registered Video Converter!!
    Can you explain this in more detail please???
    Al

  • Create Portal Page Design with Dynamic content in Moss2007(without using Visual Studio)

    Hi All,
    I am facing an issue while designing a page in MOSS 2007. I can't use custom code as the client doesn't want it to be used.
    The page has dynamic content coming from SharePoint lists and a picture library. I tried using SharePoint ListView after adding zones as per my page design, but was unsuccessful because I am unable to change its design and CSS styles in its XSLT view.
    Please help me to find an alternative so that I can easily style my page with the dynamic content. Is there any way using Content Editor web parts? Can we get list data in Content Editor HTML, as this can be easily styled? I googled and tried it by using JavaScript and jQuery, but again was unsuccessful.
    Please help me with some solution.
    Thanks..!!

    I recommend you repost this in the WebLogic Portal forum.
    WebLogic Portal

  • Which protocol to use when using Airport Express as a travel router?

    I plan to use my new Airport Express mainly as a travel router. When I create a network, should I configure it to use PPPoE or DHCP? Basically, when I get to hotel I'm going to hook it up to the modem...so whichever protocol hotels use is what I want to configure it for. When I configure it on my home network, where I have SBC, I have to use PPPoE; DHCP won't work. But I think hotels have DHCP servers...anyone? thanks!

    PPPoE is a protocol that allows you to log into ADSL service, most hotels have DHCP servers that will assign you an IP address, so you would select DHCP.
    Happy Traveling!

  • Issue with dynamic table which has RichCommandLink and RichSparkChart

    I’m running into an issue when I create a dynamic table with columns of type RichCommandLink and RichSparkChart.
    If my table has both of these types of columns, then the RichCommandLink column behaves like a NOP, meaning clicking on it does not cause the link to take effect and does not navigate to the designated page.
    If I remove the RichSparkChart column, then the RichCommandLink column behaves properly.
    Is there something I’m supposed to be aware of when creating these types of columns? Is there a known problem with RichSparkChart column, like some exception thrown which halts proper rendering of the rest of the columns?
    Thanks,
    Ania.

    Turned out that the problem was with ids which I was dynamically assigning. There was an overlap meaning two columns/elements got the same id. Not the manifestation or behavior I would expect as a result, but once I fixed that, having these two columns side by side works well.

  • ACS and dynamic VLAN assignment problem

    Hi all,
    I'm unable to dynamically pass the RADIUS attribute for the assigned VLAN to 802.1x clients.
    I'm sure that everything is well configured, but the only way to do it is by configuring these attributes directly on user or group properties.
    When I try to pass these attributes by application of a Shared RAC (ACS 4.2) or NAP (ACS 5.0), the only message that I can find on the switch, where the VLAN has to be configured, is:
    dot1x-ev:Received VLAN is No Vlan
    dot1x-ev:Received VLAN Id -1
    The user is still authenticated successfully (and all the profiles correctly assigned) but remains in the VLAN statically configured on the interface.
    The logic is working, but transmission does not.
    Is this a bug?

    Test the authentication again. If it still fails, set the logging to full on the ACS server using:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#setting_acs
    Also check if you are running another RADIUS product on the same server as the ACS services and the same decryption was being used. Reset the shared key on the switch and RADIUS server.

  • WIth multiple subscriptions which does Skype use f...

    I have 3 subscriptions - unlimited world, UK 60 minutes, and Thailand 60 minutes. Skype seems to have started to use unlimited World first, even when I am phoning UK or Thailand, which means that sometimes if I want to call other countries in the world subscription I have no spare minutes left. It would make more sense if Skype used the UK subscription when I am calling the UK and the Thailand subscription when I am calling Thailand - but this isn't what is happening. Any advice please? Thanks.

    I am about to relocate and will be calling both landlines and mobiles in Australia, so this issue also seems to affect me.
    I want to buy the "unlimited landlines Australia" or "Unlimited World" subscriptions, plus the 400 minutes "mobiles & landlines Australia" subscription so I hope that in the year since your enquiry, Skype got smarter.

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi,
    We have 10 2960 switches configured with 802.1x authentication against ACS server 4.2.
    We have 2 VLANs configured on the switches, for administrators and end users. The end user VLAN ID is 10 and the administrator VLAN ID is 100.
    We need to apply the following scenario: if the end user PC that is connected to VLAN 10 has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
    Is the above scenario doable using dot1x with the ACS server?
    Waiting for your replies.
    Mohamed

    Hi,
    I have the following scenario:
    2 buildings with multiple floors.
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop to any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group?
    Please refer to the attached diagram.

    Hi,
    Check out the link below for your requirement for dynamic VLAN assignment using ACS:
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to help!!
    Ganesh.H
    Remember to rate the helpful post

  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario:
    2 buildings with multiple floors.
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop to any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram.

    Hi,
    Check out the link below for your requirement for dynamic VLAN assignment using ACS:
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to help!!
    Ganesh.H
    Remember to rate the helpful post

  • 802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

    Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic VLAN assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only the SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support dynamic VLAN assignment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce support for EAP-TLS/EAP-TTLS but no dynamic VLAN assignment. Thank you for any help.

    SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.
