Dynamic VLAN Assignment on 2950 with ACS 4.2

Hello to everyone
We have a problem with a Cisco 2950G 48 EI and ACS (version 4.2) providing dynamic VLAN assignment based on groups.
On the ACS we configured the following attributes for the specific group:
64 = VLAN
65 = 802
81 = VLAN Name
We tried both the VLAN name and the VLAN ID for attribute 81, but we get the same results.
In detail, we need the machine to be placed in VLAN ID 6, named vlan_sio, so we inserted these values in the attribute field.
Beforehand we configured the switch to talk to the ACS:
aaa new-model
aaa group server radius Switch
 server 172.16.0.93 auth-port 1812 acct-port 1813
dot1x system-auth-control
radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
radius-server retransmit 3
Then we configured the ports for dot1x:
switchport mode access
dot1x port-control auto
dot1x guest-vlan 7
spanning-tree portfast
The users are correctly authenticated, but the ports always stay in their default VLAN.
We tried to debug with the debug dot1x events command and we get the following:
Feb 16 12:00:04.017:         Attribute 64 6 0100000D
Feb 16 12:00:04.017:         Attribute 65 6 01000006
Feb 16 12:00:04.017:         Attribute 81 4 01360806
Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
Feb 16 12:00:04.041: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
Feb 16 12:00:04.049: dot1x-ev:dot1x_port_authorized: Added 0006.1bdb.6a09 to HA table on vlan 1
Does anyone know what we could have missed?
Thanks

solved
It was just missing the command
aaa authorization network default group XXXX
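The three "Attribute 64/65/81" lines in the debug output above are the IETF tunnel attributes from RFC 2868 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) printed in hex. Decoding them shows that the ACS did send tag 1, Tunnel-Type VLAN (13), Tunnel-Medium-Type 802 (6) and a group ID of "6", so the Access-Accept was correct and the switch was simply not applying it, which is consistent with the missing aaa authorization network command. The Python below is an added example, not code from the original post or from Cisco. It encodes and decodes these three attributes and re-reads a constructed copy of the debug lines. It assumes the debug line layout "Attribute <type> <length including the 2-byte header> <first 4 value bytes as hex>", which is an inference from the post's output (attribute 81 is reported with length 4 yet four hex bytes are printed); all function names are its own.

```python
import re

# RFC 2868 tunnel attributes used for 802.1X dynamic VLAN assignment (IETF 64/65/81)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value for IEEE 802

# Assumed layout of a Catalyst "debug dot1x events" attribute line (inferred from the post):
#   Attribute <type> <total length incl. 2-byte header> <first 4 value bytes as hex>
ATTR_LINE = re.compile(r"Attribute\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)")


def encode_tunnel_attrs(vlan, tag=1):
    """Build the three tagged attributes an Access-Accept carries for `vlan`
    (an int VLAN ID or a str VLAN name). Returns raw RADIUS attribute bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0x00..0x1F")

    def tagged_int(attr, value):
        # type(1) length(1) tag(1) value(3)
        return bytes([attr, 6, tag]) + value.to_bytes(3, "big")

    group = str(vlan).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group)


def decode_attrs(raw):
    """Walk a RADIUS attribute blob and return {type: (tag, value)} for the
    three tunnel attributes; any other attribute is skipped."""
    out = {}
    i = 0
    while i + 2 <= len(raw):
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute at offset %d" % i)
        value = raw[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            out[atype] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 s3.6: a leading byte of 0x00..0x1F is a tag, otherwise it is text
            if value[0] <= 0x1F:
                out[atype] = (value[0], value[1:].decode("ascii", "replace"))
            else:
                out[atype] = (0, value.decode("ascii", "replace"))
        i += alen
    return out


def attrs_from_debug(lines):
    """Rebuild the attribute blob from debug lines, trimming the printed hex window to
    the real value length so the bytes of the following attribute (as in
    'Attribute 81 4 01360806') are not mistaken for part of the group string."""
    blob = b""
    for line in lines:
        m = ATTR_LINE.search(line)
        if not m:
            continue
        atype, alen, hexval = int(m.group(1)), int(m.group(2)), m.group(3)
        if alen < 2:
            raise ValueError("attribute length below header size: %s" % line)
        value = bytes.fromhex(hexval)[: alen - 2]
        blob += bytes([atype, alen]) + value
    return decode_attrs(blob)


def vlan_assignment(attrs):
    """Return the VLAN (ID or name, as a str) only when all three attributes are present,
    say Tunnel-Type=VLAN and Tunnel-Medium-Type=802, and carry a consistent tag;
    otherwise None (the switch would have nothing valid to apply)."""
    try:
        tag_t, ttype = attrs[TUNNEL_TYPE]
        tag_m, medium = attrs[TUNNEL_MEDIUM_TYPE]
        tag_g, group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    except KeyError:
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        return None
    # RFC 2868: tag 0x00 means "unused"; any non-zero tags present must agree
    if len({t for t in (tag_t, tag_m, tag_g) if t}) > 1:
        return None
    return group


# Constructed sample modelled on the debug output in the post above
SAMPLE_DEBUG = [
    "Feb 16 12:00:04.017:         Attribute 64 6 0100000D",
    "Feb 16 12:00:04.017:         Attribute 65 6 01000006",
    "Feb 16 12:00:04.017:         Attribute 81 4 01360806",
]

if __name__ == "__main__":
    print(vlan_assignment(attrs_from_debug(SAMPLE_DEBUG)))        # 6
    print(encode_tunnel_attrs("vlan_sio").hex())                  # what an ACS group set to a VLAN name would send
```

Running it on the sample lines yields "6", so a "Received VLAN Id -1" after such a dump points at the switch's AAA configuration rather than at the attribute values; the same decoder applied to an Access-Accept carrying a VLAN name returns the name, which the switch must then be able to map to an existing VLAN.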

Similar Messages

  • Dynamic VLAN-Assignment from RADIUS with Aironet 1242AG doesn't work properly

    Hello All,
    our setup is to assign VLANs dynamically from RADIUS (freeradius) to clients connected to the 1242 access points with one SSID. We have firmware
    12.4(10b)JA/JDA on the Aironet 1242.
    The clients should be connected to one of three VLANs: one for staff, one for students and one for guests. I use the web interface of
    the 1242, because I'm not very familiar with the IOS CLI.
    After assigning the first VLAN to the SSID -> click Accept, assigning the second VLAN to the SSID (overwriting the previous one) -> click Accept,
    assigning the third VLAN to the SSID (overwriting again) -> click Accept, the assignment of VLANs works really fine
    (the only thing I change on the page is the VLAN; the SSID is set to mandatory WPAv2).
    BUT...
    when the 1242 is rebooted (due to a building power-off or similar) it doesn't work anymore. Clients end up in an endless authentication loop.
    After doing the procedure from above again, assigning all VLANs sequentially once, it works fine again! Till the next reboot...
    All VLANs have the same encryption, cipher, TKIP+AES CCM. On the Cisco site I found a command, which I also tried with no success:
    'aaa authorization network default group radius'.
    I also tried to save the working config and load it into the 1242 again; this also did not work.
    It seems that I'm doing something wrong, but what?
    Thanks for some help,
    Frank

    All you really need to do is make sure the subinterfaces/vlans are created for each VLAN you need, then have radius push down IETF attributes 64, 65, and 81.

  • 802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

    Hello, my team is looking for switches supporting 802.1x authentication with either the EAP-TTLS or EAP-TLS protocol, with dynamic VLAN assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only the SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support dynamic VLAN assignment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that claim to support EAP-TLS/EAP-TTLS but no dynamic VLAN assignment. Thank you for any help.

    SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.

  • Is dynamic VLAN assignment supported with web-authentication?

    The 7.6.130.0 WLC configuration guides says this:
    "Dynamic VLAN assignment is not supported for web authentication from a controller with Access Control Server (ACS)"
    How should we interpret this, exactly? Does this mean that dynamic VLAN assignment is supported with web authentication from a controller if some other RADIUS server is used (Eg: FreeRadius, ISE)?

    It is not supported with any kind of radius server. The radius attributes ACS uses for pushing those settings (64,65,81) are the same for every other radius implementation. Pushing a QoS profile does work.

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • ACS with Dynamic VLAN which protocol to use ??

    Hello,
    Which Protocol do I need to use, for providing dynamic VLAN to my desktop machines?
    In ACS 4.0, if I use the local database of ACS then users successfully get the dynamic VLAN, but as soon as I use the AD database after integrating it with ACS, the authentication fails!!
    Please help.

    Hi,
    Thanks for the reply. I am using EAP-MD5.
    However, the problem is that if I am using the ACS Solution Engine local database, users are getting the dynamic VLAN after authentication.
    But when I use AD as the user database, the authentication fails. The strange thing is that if I use the AD database to log in to any Cisco router then the authentication works fine.
    I have also been struggling with TAC since last week in two different cases! However, they are unable to help! I found TAC has limited resources for ACS.
    So please suggest what to do, as on the Cisco site I found lots of stuff for wireless but I have only desktops (no wireless).
    So will the URL mentioned below be of any help?
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
    Thanks in advance
    Vijay

  • ACS + VMWare thin clients with dynamic vlans

    Good afternoon,
    I need to deploy a solution with thin clients and dynamic VLANs (802.1x). All switches are Catalyst 3560 and above.
    Can I do this using only the ACS? Will it work?
    Thank you

    Hi,
    Dynamic VLAN assignment can be configured on the ACS.
    Please see the configuration example at the link below; this configuration example is for a WLC but the ACS configuration is the same.
    http://tinyurl.com/2oxg32
    If you have any doubts do not hesitate to contact me

  • Dynamic VLAN assignments with ACS

    Hello all.
    I am trying to do dynamic vlan assignments with dot1x auth.  I am using ACS5.3 and Cisco 3560.
    I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
    aaa group server radius nac_servers
     server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
    aaa authentication dot1x default group nac_servers
    aaa authorization network default group nac_servers
    interface FastEthernet0/2
     switchport mode access
     switchport voice vlan 364
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event no-response action authorize vlan 303
     authentication host-mode multi-domain
     authentication port-control auto
     mls qos trust cos
     auto qos voip trust
     dot1x pae authenticator
    When the user connects I get the following via debug:
    Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
    Any idea what config I'm missing?
    Thanks
    Paul

    Hello.
    Here is what's left in the log.
    Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.253: EAPOL pak dump rx
    Apr 30 15:19:36.253: EAPOL Version: 0x1  type: 0x0  length: 0x007B
    Apr 30 15:19:36.253: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
    Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.007b
    Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.278: EAPOL pak dump rx
    Apr 30 15:19:36.278: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Apr 30 15:19:36.278: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.002b
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.294: EAPOL pak dump rx
    Apr 30 15:19:36.294: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Apr 30 15:19:36.294: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.002b
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
    Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
    Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Hope that helps

  • Cat 3750 with Voice VLAN and Dynamic VLANs

    Morning,
    Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
    Is a RADIUS server able to provide values to change the native vlan?
    Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
    Thanks,

    Voice VLANs don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access VLAN, so on a 2950 or above the only config you need is:
    interface FastEthernet0/1
    switchport
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 100
    This is effectively the same as:
    interface FastEthernet0/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,100
    The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
    With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
    QoS is not detailed anywhere here and that obviously plays an important role with voice.
    In your scenario I am not sure ACS can do what you describe as this will require 802.1x supplicants on the client PC's (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non 802.1x capable devices). This seems to me more of a VMPS application.
    Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
    HTH
    Andy

  • WLC- dynamic Vlan assignment with Radius

    Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
    I created one testing SSID and two VLANs on the WLC. On ACS I use the IETF attributes (064, 065, 081) for my account and I am changing the VLAN ID (081) during testing.
    It works with LEAP, but when I use PEAP-GTC (which we use commonly in our company) the IP address is not assigned properly (the IP which was assigned before remains).
    Could you please help me?

    There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone could post the pros and cons of using RADIUS/ACS/802.1X for dynamic VLAN assignments.
    Other technology sets that can be used for dynamic VLAN assignment, EXCEPT the deprecated/obsolete VMPS.
    Thanks in advance.

    Hi Guys,
        Hmmm, well if you're just looking for MAC-based authentication, the good news is that it is very easy. Just create your RADIUS server: ACS, FreeRadius, Steel-Belted Radius etc. Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
       So for Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
       Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
        FreeRadius is a bit harder to configure for the specifics, and I am just now testing a FreeRadius server, so I do not know the process for machine authentication.
        If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.

  • 802.1x dynamic VLAN assignment with Radius NPS Server

    I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
    I have followed this documentation,
    http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
    that basically says to use these Radius attributes,
    Tunnel-Medium-Type : 802
    Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
    Tunnel-Type  : VLAN
    There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
    and I have also tried that,
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
    My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
    Anybody know how to get dynamic VLAN assignment working with NPS?
    NPS on Win 2012 R2
    Domain controller separate Win 2012 R2 server
    Cisco 3550 switch

    Hi All, can anyone guide me on how to
    configure 802.1x with ACS 5.0? It's a totally new look and I'm not able to
    find a document related to 802.1x. Thanks
    Hi,
    Check out the below link on how to configure 802.1x and ACS administration hope to help !!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    We have 10 2960 switches configured with 802.1x authentication against an ACS server 4.2.
    We have 2 VLANs configured on the switches, for administrators and end users. The end user VLAN ID is 10 and the administrator VLAN ID is 100.
    We need to apply the following scenario: if the end user PC (connected to VLAN 10) has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
    Is the above scenario doable using dot1x with the ACS server?
    Awaiting your replies
    Mohamed

    Hi,
    I have the following scenario:
    2 buildings with multiple floors.
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user is connecting his laptop to any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group?
    Please refer to the attached diagram.
    Hi,
    Check out the below link for your requirement for dynamic VLAN assignment using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario:
    2 buildings with multiple floors.
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user is connecting his laptop to any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram.


  • Dynamic VLAN with LEAP

    Hi experts.
    I have this network:
    - 01 AP 1231
    - ACS v4.0
    I am trying to configure dynamic VLAN with LEAP.
    The SSID is WLAN, mapped to VLAN 1.
    Without attributes 64, 65, 81, I connect to this WLAN OK and users are always connected to VLAN 1.
    When I use attributes 64, 65, 81 with
    attribute 64 = VLAN, attribute 65 = 802,
    user test1 has attribute 81 = 1,
    user test2 has attribute 81 = 2,
    test1 connects to the WLAN successfully (mapped to VLAN 1) but test2 can't authenticate successfully with the ACS server.
    I tried to follow this link (but without a Wireless LAN Controller):
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Help me, plz
    Thanks
    Tran Chung

    Any body help me, plz.
    I need complete this situation soon.
    Thanks
