Dot1x - WLC - ACS - Windows profiling

Hello,
Does anyone have any experience with the following setup:
We want users to authenticate thru Dot1x with their Windows credentials.  The RADIUS server for dot1x will be ACS that uses Windows DC for authentication.  Then we would like for the ACS to grab a role based on DC OU, group, etc and send that back to the WLC for profiling?
Sounds crazy I know but I think it can be done with an ISE server but we don't want to buy that if we don't have to. Can this be possible with just ACS?
Thanks!

OK, we can do something with that, easily enough.
On your ACS you need to build a group for IT; in its AAA attributes you want to return 64/65/81 VLAN/802/<VLAN ID>.
Rinse and repeat for the other groups.
On the WLC, you need to create the VLAN interfaces, and set the WLAN to have AAA override enabled.
Now when a user gets authenticated, the ACS will pass back the attributes to assign the user to the appropriate VLAN.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#Rserver1
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered
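
An added example, not part of the post above or of Cisco's configuration guide: a checker that parses the attribute list of an Access-Accept and confirms it carries the complete 64/65/81 triplet with the VLAN expected for the user's group. The numeric values 13 (VLAN) and 6 (IEEE 802) come from RFC 2868 / RFC 3580; the function names, the group-to-VLAN policy and the sample VLAN IDs are constructed for illustration, and the group ID is assumed to be a numeric VLAN ID.

```python
import struct

# Attribute numbers from the post; values per RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes as they sit in an Access-Accept."""
    out = b""
    for attr, value in ((TUNNEL_TYPE, TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)):
        # type, length=6, tag byte, 24-bit value
        out += struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    if tag:  # the tag byte is optional on the string attribute
        group = bytes([tag]) + group
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group

def parse_attrs(blob):
    """Walk the type/length/value list; return {attribute: [value bytes]}."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length on attribute {attr}")
        attrs.setdefault(attr, []).append(blob[i + 2:i + length])
        i += length
    return attrs

def assigned_vlan(blob):
    """VLAN ID if the full 64/65/81 triplet is present and valid, else None."""
    attrs = parse_attrs(blob)
    def tagged_int(attr):
        vals = attrs.get(attr, [])
        ok = len(vals) == 1 and len(vals[0]) == 4
        return int.from_bytes(vals[0][1:], "big") if ok else None
    kind, medium = tagged_int(TUNNEL_TYPE), tagged_int(TUNNEL_MEDIUM_TYPE)
    groups = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [])
    if (kind, medium) != (TYPE_VLAN, MEDIUM_IEEE_802):
        return None
    if len(groups) != 1 or not groups[0]:
        return None
    raw = groups[0][1:] if groups[0][0] <= 0x1F else groups[0]  # drop optional tag
    if not raw.isdigit():
        return None
    return int(raw) if 1 <= int(raw) <= 4094 else None

# Constructed group-to-VLAN policy; the names and IDs are placeholders.
POLICY = {"IT": 10, "Staff": 20}

def accept_matches_policy(group, blob, policy=POLICY):
    """True only when the accept assigns exactly the VLAN expected for group."""
    return group in policy and assigned_vlan(blob) == policy[group]
```

Feeding it the attribute bytes of an Access-Accept captured from a test login for each group shows whether a group's profile is missing one of the three attributes or returns another group's VLAN.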

Similar Messages

  • PEAP- WLC- ACS- Windows AD

    We are trying to get wireless working using Active Directory. It works using the CiscoSecure local DB for users but it won't when it's pointed to AD. We have the AD set up to the best of our knowledge but still get an "Internal Error" in the ACS logs. Any ideas? Thx,

    Most likely a permission issue. Make sure that the account running ACS or the remote agent has special privileges on the domain, like act as a part of operating system and logon as server/batch.
    Regards,
    ~JG

  • Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

    I ran into a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:
    1. Background:
    We have two WLANs: staff and student. Both of them will use PEAP-MSCHAPv2; ACSE will be the RADIUS server, and it will use Windows AD's user database. In AD, they create two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.
    2. Problem:
    If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database. Since student1 is a valid user account in AD, it will pass authentication and then join the staff WLAN. How can we prevent this from happening?
    3. Potential solution and its limitation:
    1) Use group mapping in ACSE (Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. The student group will definitely exceed 500 users, so how do we solve it?
    2) Use methods like “Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS”: configure DNIS with the SSID name in the NAR of ACSE. But since DNIS/NAR is only configurable in ACSE, I don't know if AD supports it or not. Are there any options in AD like DNIS/NAR in ACSE?
    Thanks for any suggestions!

    I think the documentation for ACS states:
    ACS can only support group mapping for users who belong to 500 or fewer Windows groups
    I read that as: if a user belongs to >500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.

  • Firefox closes abruptly as soon as I try to load any web page on a limited user windows profile, but works fine on my admin profile.

    I just upgraded to FF 5.0, and now I cannot use it on my kids' windows profile (closes, not crashes on loading any page), or my wife's profile (won't open at all). On my profile (an admin profile on this computer) it works just fine.
    OS: Windows 7 Ultimate 64 bit

    I have had a similar problem with my system. I just recently (within a week of this post) built a brand new desktop. I installed Windows 7 64-bit Home and had a clean install, no problems. Using IE downloaded an anti-virus program, and then, because it was the latest version, downloaded and installed Firefox 4.0. As I began to search the internet for other programs to install after about maybe 10-15 minutes my computer crashes. Blank screen (yet monitor was still receiving a signal from computer) and completely frozen (couldn't even change the caps and num lock on keyboard). I thought I perhaps forgot to reboot after an update so I did a manual reboot and it started up fine.
    Whenever I got on the internet (still using Firefox) it would crash after anywhere between 5-15 minutes. Since I've had good experience with FF in the past I thought it must be either the drivers or a hardware problem. So in-between crashes I updated all the drivers. Still had the same problem. Took the computer to a friend who knows more about computers than I do, made sure all the drivers were updated, same problem. We thought that it might be a hardware problem (bad video card, chipset, overheating issues, etc.), but after my friend played around with my computer for a day he found that when he didn't start FF at all it worked fine, even after watching a movie, or going through a playlist on YouTube.
    At the time of this posting I'm going to try to uninstall FF 4.0 and download and install FF 3.6.16 which is currently on my laptop and works like a dream. Hopefully that will do the trick, because I love using FF and would hate to have to switch to another browser. Hopefully Mozilla will work out the kinks with FF 4 so I can continue to use it.
    I apologize for the lengthy post. Any feedback would be appreciated, but is not necessary. I will try and post back after I try FF 3.16.6.

  • How to use the same Windows-Profile for over 700 Users?

    Dear admins,
    I'd like to use one (1!) shared Windows profile to serve over 700 user accounts in our school. But there is a little complication in the WGM.
    I just tried to check all users and entered the path of the shared profile right in the Windows tab.
    For example \\Server\Profiles\oneforallprofile
    Unfortunately the WGM puts the user's short name behind this path.
    For example: \\Server\Profiles\oneforallprofile\mistersmith
    or \\Server\Profiles\oneforallprofile\sallymiller and so on.
    By changing this preference one by one it works, but of course I need a solution to do that for all users.
    Does anyone know how to set one Profile for all students?
    Thanks for your help!
    Rolf
    XServe G5   Mac OS X (10.4.5)   Educational System Administrator

    Hello Prasad,
    Most likely the user km_admin still has system principal roles assigned, even though you removed the Super Admin role, you should check that this user doesn't have any other admin roles, otherwise it will be considered a System Principal user and will therefore still have access to all content. For more information see http://help.sap.com/saphelp_nw70/helpdata/en/19/56f28fbd4e11d5993b00508b6b8b11/frameset.htm
    Try creating a new user with just read access to the content and you should see that it will not be able to make any changes etc.
    Regards,
    Lorcan.

  • Adobe folders/files on users' windows profile

    Since the upgrade to Adobe Reader 9, we've noticed that users' Windows profile sizes have significantly increased. And we are consistently having to monitor our server (Windows 2003) for disk space issues. Normally, a user's profile size is about 8MB when running Adobe Reader 8.
    Now, this folder C:\Documents and Settings\USERNAME\Local Settings\Application Data\Adobe is using 217MB for each user.
    Any ideas as to how/what/why this happen?
    Please advise.

    Hi Maria,
    Please seek help from the Backup forum, where experts will respond to your query soon,
    or else wait until one of our moderators moves this post to the respective forum.
    Thank you for understanding.
    Regards, Ravikumar P

  • ITunes in Multiple Windows Profiles using same library files.

    I am running Windows Vista Ultimate with iTunes 7.1.1.5.
    I have two windows users created on the machine and I have my iTunes library files installed to c:\iTunes both user accounts see the music just fine. The issue that I am having is when I attempt to purchase music from the iTunes store. iTunes in each windows profile will purchase music and download it, add it to the purchased playlist. The issue is that the other windows profile cannot see this purchased music. I have verified that the downloaded music was in the c:\itunes folder, but each windows profile seems to have a different purchased playlist.
    Is there some secret to having two windows profiles on the same computer use the same iTunes library?
    Thanks
    ~Shane
      Other OS  

    Anything downloaded for the library of one profile must be added to the other profile by hand. iTunes does not support doing this automatically, no folder watching feature like other clients have.
    iTunes library files are the itunes.itl and itunes.xml file within the iTunes folder for each user.
    A good reason for this is podcast subscriptions. Each user can be subscribed to the same podcast. Downloads will be duplicated but this allows one user to delete episode without affecting the other user.

  • Can I have multiple libraries under different Windows profiles/logins?

    My brother and I currently share the same Windows Vista computer. In a few months we'll separate as he moves on to an iMac, but for now if he wanted to setup under his own Windows profile/login another iTunes library can he? One obviously where he'd login under his own Apple Id and containing his own iTunes music library including only his purchases from the iTunes Store. Can this be done and done easily?

    Yes of course. If your HD has space, make a complete copy of the entire library under his new login. Then, you can each delete stuff you don't want. From that point on, you can manage your own libraries independently.
    When the time comes, he can copy "his" library to his new computer.

  • Folder Redirection policy is not applied to a user, when the server target is changed, but works after resetting the windows profile.

    The Folder Redirection policy is not applied to a user when the server target is changed.
    After the server target is changed via Group Policy, when the user logs in (roaming profile) for the first time, the new server target has not been applied; instead it's pointing to the old folder redirection path.
    But if we reset the Windows profile (roaming), the new folder redirection works. Can you please specify a solution so that the new folder redirection works when the user logs in for the first time, so it reduces the time spent on resetting users' profiles?
    It seems that we need to delete the old folder redirection path from the user profile (roaming user profile) via Group Policy or a similar solution.
    Many Thanks

    >   But when the specific users login they all get the same error, it
    Is the old server removed from the domain? Seems so - or some other
    authentication related issue, hard to tell from here...
    > seems that the roaming user profiles still keeps the old server details,
    Yes - if you change redirection targets, FR moves content from old to
    new, and only if this ends successfully, it will update the redirection
    target.
    Make the old redirection target accessible to the user and you'll be fine.
    Martin
    Care to read a
    GOOD book about GPOs for once?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Outlook prompts creds after migration, unless new windows profile created

    HI!
    Outlook keeps prompting credentials after migration for some users. When we create new windows profile for this user, all going well. Autodiscover in browser also keeps prompting for password.
    I checked credential manager (there are no passwords stored), also tried new outlook profile (no help).
    Any ideas?

    2010 SP2 migrated to 2010 SP3. We already tried changing authentications. The problem occurs for random users (not all users). Auth settings on autodiscover virtual directory: Anonymous, Windows, Basic. Auth on exchange (get-autodiscovervirtualdirectory):
    Basic, NTLM, WindowsINtegrated.
    Also I did not mention earlier - the problem is obviously with autodiscover. I can't get autodiscover.xml using a browser (keeps prompting for credentials). From another Windows profile on the same computer with the same mailbox all going well. So I don't understand
    where should I look to.

  • About a month ago I recreated my windows profile, since then getting any apple software to work has been impossible.

    About a month ago I recreated my windows profile, since then getting any apple software to work has been impossible. Is there a cleaner for this stuff?

    Yes, it makes this noise, but only on startup.  It is normal to hear this noise during startup.  My mac is an early 2011 model.

  • Database from ACS windows 3.0 to appliance 3.3.2.2

    I have ACS 3.0 for windows and bought 2 ACS appliances to replace the windows ACS. Is it possible to load ACS windows 3.0 config to ACS appliance 3.3.2.2

    Yes. Backup the ACS 3.0 configuration, copy the file to an FTP server then restore it on the appliance.
    If the restore fails you may need to upgrade to ACS 3.3 then backup and restore.

  • New Windows profile broke Palm Desktop & Lifedrive Mgr.

    I use my Windows PC at work as my primary PC for synchronizing my Lifedrive.  Recently my windows profile got corrupted somehow, so the IT support guy at work had to create a new Windows profile for me and to try and copy over as much data as he could from my old profile files.  Many of my applications now treat me as a first-time user, so I have to reestablish preferences, etc., but the Palm Desktop (PD) and Lifedrive Manager (LM) won't work at all.
    When I first tried to launch the PD, it prompted me to select a user, but the pick-list was empty.  The same was true if I tried to select a profile.  I tried creating a new profile and a new user in that profile (using a different username than I had previously), but when I went on to try and start the PD, I got an error box with the message: "Error: Invalid configuration.  Terminating the Palm Desktop."
    Similarly, when I connected my LD by USB and launched the LM application, it told me "Failed to start PalmOneRemoteLibrary initialization" and exited.
    I suppose I could just re-install both applications, but I'm worried that I might blow away my old files under "Program Files\Palm\."  
    Any suggestions?
    thanks, Bruce
    Post relates to: LifeDrive

    You are probably going to have to uninstall and reinstall everything on the new profile, to preserve your data just copy your user folder which is located in the palm folder onto your desktop.
    After you uninstall everything and reinstall, launch palm desktop and create the exact same username, after that copy the folder from your desktop back into your Palm folder and all of your data should come back.
    Post relates to: Centro (Sprint)

  • Windows Profile size and AIR?

    Hello,
    I have been trying to install TweetDeck and it uses Adobe AIR, when I do though my Windows Profile size becomes too big and I get an error.  We currently limit our user profile sizes.
    Is there a way I can change where files from AIR are stored so that they are not stored in the profile area, and just to the C:\ instead?
    Using Windows XP.
    thanks.

    This sounds like an option that TweetDeck could implement on their side.  I haven't tried this myself, but here's a Windows tweak for changing the location of appdata via the registry.
    Change the default location of the "Application Data" folder
    Hope this helps,
    Chris

  • New WIndows Profile, no iTunes playlists or ratings!

    Howdy,
    I just created a new windows profile for myself and basically copied over all of the contents of my old profile. Now when I go into iTunes, my ratings are gone and my playlists. Also I'm worried that plugging in my iPod will lose the songs on my ipod (all selected from playlists). How do I get it back?
    Thanks!
    David Lozzi
      Windows XP Pro  

    yeah, i moved my my documents to the new profile... This XML doc is stored in my docs\my music\itunes right? or is there another. If this is the case, looks like i'm out of luck.... BOOOOOO APPLE I've got 1759 songs with about 80% of them rated not anymore...
