Dynamic VLAN assignments with ACS

Hello all.
I am trying to do dynamic vlan assignments with dot1x auth.  I am using ACS5.3 and Cisco 3560.
I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
aaa group server radius nac_servers
 server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
aaa authentication dot1x default group nac_servers
aaa authorization network default group nac_servers
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 364
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event no-response action authorize vlan 303
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
When the user connects I get the following via debug:
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
Any idea what config I'm missing?
Thanks
Paul

Hello.
Here is what's left in the log.
Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.253: EAPOL pak dump rx
Apr 30 15:19:36.253: EAPOL Version: 0x1  type: 0x0  length: 0x007B
Apr 30 15:19:36.253: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0100.007b
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.278: EAPOL pak dump rx
Apr 30 15:19:36.278: EAPOL Version: 0x1  type: 0x0  length: 0x002B
Apr 30 15:19:36.278: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.294: EAPOL pak dump rx
Apr 30 15:19:36.294: EAPOL Version: 0x1  type: 0x0  length: 0x002B
Apr 30 15:19:36.294: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                    pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
Hope that helps

Similar Messages

  • FlexConnect, EAP-TLS and dynamic VLAN assignments

    I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
    I have some questions:
    - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
    - I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone used WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
    - I read some documents saying L3 roaming is where the associated WLC has changed. However, if a user moves to a different subnet but is still associated to the same WLC, would this be considered L3 roaming too?
    Can someone assist to clear my confusion here? Any reference URL for layer 2 and layer 3 roaming details is appreciated. Thanks

    I'll give this a shot:)
    For radius vlan attributes, both ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
    The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
    64 (Tunnel-Type) should be set to VLAN (Integer = 13)
    65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
    81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
    You can find this by searching on Google.... A lot of examples out there
    v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
    Layer 3 roaming is what's going to happen if the APs are in local mode. This means that the client will keep their IP address no matter what AP they are connected to and/or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't lose wireless connection.
    FlexConnect you can do that. The APs are trunked and need to have the vlans. So what you're trying to do will be disruptive to clients. When they roam to another floor AP that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
    Hope this helps.
    Sent from Cisco Technical Support iPhone App

  • WLC- dynamic Vlan assignment with Radius

    Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
    I created one testing SSID and two Vlans on WLC. On ACS I use IETF attributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
    It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
    Could you please help me?

    There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    we have 10 switches 2960 configured with 802.1x authentication against ACS server 4.2.
    we have 2 vlans configured on the switches for administrator and endusers. the end user vlan id is 10 and the administrator vlan id is 100.
    we need to apply the following scenario, if the enduser PC - that is connected to vlan 10 - has an issue and the administrator will login to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator vlan ( 100 ) .
    is the above scenario doable using dot1x with the ACS server?
    waiting your replies
    Mohamed

    Hi,
    I have the following scenario
    2 buildings with multiple floors
    Each floor should be in different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user is connecting his laptop to any floor, he should be made part of that respective vlan. It is not required to have the same IP range to be allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that, the ACS will allocate dynamic VLAN for every 802.1x authentication based on the Network Device Group.
    Please refer the attached diagram
    Hi,
    Check out the below link for your requirement for dynamic vlan assignment using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario
    2 buildings with multiple floors
    Each floor should be in different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user is connecting his laptop to any floor, he should be made part of that respective vlan. It is not required to have the same IP range to be allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that, the ACS will allocate dynamic VLAN for every 802.1x authentication based on the Network Device Group. Please refer the attached diagram

    Hi,
    Check out the below link for your requirement for dynamic vlan assignment using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credential -> RADIUS authentication -> assign him to a specific vlan based on his groupship.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to configure the AP's port, radio port, vlan and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • 802.1x dynamic VLAN assignment with Radius NPS Server

    I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
    I have followed this documentation,
    http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
    that basically says to use these Radius attributes,
    Tunnel-Medium-Type : 802
    Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
    Tunnel-Type  : VLAN
    There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
    and I have also tried that,
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
    My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
    Anybody know how to get dynamic VLAN assignment working with NPS?
    NPS on Win 2012 R2
    Domain controller separate Win 2012 R2 server
    Cisco 3550 switch

    Hi All, Can any one guide me to configure 802.1x with acs 5.0. It's totally new look and I'm not able to find document related to 802.1x. Thanks
    Hi,
    Check out the below link on how to configure 802.1x and ACS administration hope to help !!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • Dynamic vlan assignment with 1242AG and IAS not working

    I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine.  I've tried everything I can think of.  Any suggestions?
    IAS and AD is running on Windows Server 2003
    Everything works fine except the vlan assignment.  Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
    PEAP is the authentication method, using MS-CHAP v2.  Naturally I have the attributes in the policy set appropriately, ie:
    Tunnel-Medium-Type > 802
    Tunnel-Pvt-Group-ID > vlanid
    Tunnel-Type > VLAN
    On the AP:
    Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
    I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

    Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
    I did view the debug from an AP which showed the Tunnel attributes being received from the radius server (I'll have to wait until Monday to get a copy though).
    I see I don't have that line "aaa authorization network default group rad_eap",
    So I'll have to give it a try, (maybe I can remote in so I don't have to wait until Monday).
    Thanks,
    Jason

  • Dynamic vlan assignment with single SSID

    Hi All,
    I have 300 APs deployed  and  concurrent client associations that number 3000+ daily
    at the moment I have a single subnet for all users, there is no authentication just a click through
    page with email entry to gain access.
    The APs are assigned to groups based upon the building zone they are in, is it possible to
    assign a vlan based upon the AP the user is associated to but still only broadcast a single SSID.
    TIA

    You can assign dynamic vlan for 802.1X authentication using aaa override from RADIUS server.
    In your case, since it is webconsent ssid you can use AP groups to put clients on different vlans per the AP group
    Sent from Cisco Technical Support iPhone App

  • Dynamic vlan assignment with openldap

    Hi,
    I have a scenario where my customer has an ACS 5.2 and a couple of WLCs. The customer also has an openldap database and needs to do dynamic vlan assignment for his wireless users against this database. I know that for Active directory it works, please advise if it does as well for openldap and how?
    Regards,

    No, it doesn't work if you are using mschap v2. Here is a grid of the supported eap based protocols and the directory services:
    You can find this information here:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1045863
    Hope this helps.

  • 802.1x dynamic vlan assignment with acs5.0

    Hi All, Can any one guide me to configure 802.1x with acs 5.0. It's totally new look and I'm not able to find document related to 802.1x.
    Thanks

    Hi,
    Check out the below link on how to configure 802.1x and ACS administration hope to help !!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • ACS- Dynamic VLANS for different ACS groups with AD

    Hi all,
    How do I tie diff Active Directory domain groups to diff ACS defined groups? Each domain group will be tied to an ACS defined group with a diff vlan. I read about the option in help but don't see the option to actually do it.
    using ACS 3.3.
    JT

    You could refer to the document 'User Group Mapping and Specification' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/qg.htm#.

  • VLAN Membership with ACS

    I just want to implement 802.1x authentication, to dynamically assign into different vlans, can you help me how it should be done? What is the best method? I see the PEAP is much more complex. Initially I'm thinking about Mac-Address based, so that I create all mac-address's in ACS Server that we have, and the VLAN is assigned from there.

    Excerpt from Cisco doc:-
    7 Appendix C: Procedure to Configure RADIUS-Based User Access Control on Cisco Secure Access Control Server Software
    The procedure to configure RADIUS-based user access control on Cisco Secure ACS Version 2.6 or later is provided below. This procedure provides configuration information for Internet Engineering Task Force (IETF), Cisco IOS Software and Cisco PIX Firewall options that enable RADIUS-based user access control (using VLAN-ID and/or SSID-list).
    1. Select Interface Configuration > Advanced Options; Enable "Per-user TACACS+/RADIUS Attributes" > Click on "Submit."
    2. Select Interface Configuration > RADIUS (IETF).
       a. Enable IETF attributes 64, 65, and 81. Enable these options at both User and Group levels.
       b. Click on "Submit."
    3. Select Network Configuration:
       a. Confirm that the following option is available on the Cisco Secure ACS: Configuration > RADIUS (Cisco IOS/PIX). If this option is not available, add a device with network access server-type RADIUS (Cisco IOS/PIX). This device is needed to enable Cisco IOS/PIX attributes.
       b. After adding a Cisco IOS Software or Cisco PIX Firewall device, select Interface Configuration > RADIUS (Cisco IOS/PIX):
          i. Enable the "[026/009/001] cisco-av-pair" option. Enable this option at both User and Group levels.
          ii. Click on "Submit."
    "You want option B here"
    4. Add a User (User Setup > Add/Edit).
       a. To restrict user by VLAN-ID:
          - Enable and set IETF 64 (Tunnel Type) to "VLAN."
          - Enable and set IETF 65 (Tunnel Medium Type) to "802."
          - Enable and set IETF 81 (Tunnel Private Group ID) to VLAN-ID.
          Note: Use the same Tag numbers (example: Tag 1) for all the above parameters.
       b. To restrict user by SSID (note: SSID is case-sensitive):
          - Enable and configure Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair
          - Example: ssid=LEAP_WEP

  • ACS vlan assignments fail

    I currently have a WLC 5508 and ACS 5.1, previously the only access policy was default network access with authorization profile permit access.
    My users and machines successfully authenticate against radius via AD.
    I want to consolidate some SSID’s and use dynamic vlan assignments via radius.  I created new vlan, ssid, a service, service selection rule, and authorization profile end station filters, etc, all this works if the authorization profile is set to permit. When I add the profile with the vlan it begins failing. I have used just the vlan profile and the vlan profile and the default permit profile together in both orders.
    If I do not enable radius override on the WLC I get message saying radius overrides globally disabled.
    Once I turn on overrides and use the authorization profile with the vlan I get web auth failed, radius server disabled.
    The radius server log shows could not find network resource or AAA client while accessing NAS by ip during authentication.
    What am I missing?
    Thanks,

    OK while taking screen shots and revving logs to send this morning I discovered the nas ip in the failure log.
    On a successful login of my current operations the nas ip is the management ip of the wlc x.x.16.254
    On the failed logins with the vlan assignment the nas is the ip of the interface assigned to the wlan. In this case x.x.3.5
    Once I added 3.5 as an AAA client and the shared key I can successfully authenticate with my test auth profile with vlan assignment. 
    However I stay in the vlan of the wlan interface, I do not get moved to a new vlan as I should. 
    I have attached the screen shots.  Let me know if there is more info you need. 
    Thanks,
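
Several of the threads above name IETF attributes 64, 65 and 81 and the rule that all three carry the same tag. As an added example (not code from any of the posts or from Cisco), this Python code decodes those attributes from a raw Access-Accept using the RFC 2868 layout and reports which tag groups yield a usable VLAN. The sample packets, helper names and the zeroed authenticator are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
WANTED = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6}  # 13 = VLAN, 6 = IEEE 802
NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type"}


def iter_attributes(packet):
    """Yield (type, value) for each attribute of a RADIUS packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has a bad length" % atype)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def vlan_assignments(packet):
    """Return ({tag: vlan}, problems) for the tunnel attributes of an Access-Accept."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        raise ValueError("not an Access-Accept")
    groups = {}
    for atype, value in iter_attributes(packet):
        if atype in WANTED:
            if len(value) != 4:
                raise ValueError("%s must be tag + 3-byte value" % NAMES[atype])
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag.
            # Treating 0x00 as "untagged" here is a choice made for this example.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            groups.setdefault(tag, {})[atype] = text.decode("ascii", "replace")
    vlans, problems = {}, []
    for tag, attrs in sorted(groups.items()):
        issues = []
        for atype, want in WANTED.items():
            if atype not in attrs:
                issues.append("%s missing" % NAMES[atype])
            elif attrs[atype] != want:
                issues.append("%s is %d, expected %d" % (NAMES[atype], attrs[atype], want))
        if not attrs.get(TUNNEL_PRIVATE_GROUP_ID):
            issues.append("Tunnel-Private-Group-ID missing or empty")
        if issues:
            problems.append("tag %d: %s" % (tag, "; ".join(issues)))
        else:
            vlans[tag] = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if not groups:
        problems.append("no tunnel attributes present")
    return vlans, problems


# --- constructed sample packets (not captured traffic) ---
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def tagged_int(atype, tag, number):
    return attr(atype, bytes([tag]) + number.to_bytes(3, "big"))


def build_accept(attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# All three attributes share tag 1: VLAN 300 is usable.
GOOD = build_accept([tagged_int(64, 1, 13), tagged_int(65, 1, 6),
                     attr(81, b"\x01" + b"300")])
# Untagged form: tag 0 on 64/65 and a bare string in 81.
UNTAGGED = build_accept([tagged_int(64, 0, 13), tagged_int(65, 0, 6),
                         attr(81, b"300")])
# Tag mismatch: 81 carries tag 2 while 64/65 carry tag 1, so no group is complete.
MIXED = build_accept([tagged_int(64, 1, 13), tagged_int(65, 1, 6),
                      attr(81, b"\x02" + b"300")])

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("UNTAGGED", UNTAGGED), ("MIXED", MIXED)):
        print(name, vlan_assignments(pkt))
```

Run against a decoded Access-Accept from a packet capture, the problems list shows whether the server sent a complete, consistently tagged set before the switch or controller is blamed.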
