Dynamic VLAN using ACS
Does anyone have experience deploying dynamic VLANs using ACS 4.1?
What must I configure, step by step, in ACS, and how does it work when the Certificate Authority is a Microsoft CA?
Please check these links,
http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
Let me know if you are looking for anything specific.
Regards,
~JG
Do rate helpful posts
Similar Messages
-
Configure the dynamic vlan using packet tracer
How can i configure the dynamic vlan using packet tracer?
Posted by WebUser Amienudin Alam Syah Husein from Cisco Support Community App
I guess this forum platform has been misconfigured; questions coming from the mysterious Web User on various R&S topics keep ending up here.
Let's flood their forum with some tricky CC related questions, in return!
Sent from Cisco Technical Support iPad App -
802.1x dynamic vlan assignment using ACS 4.2
Hi
We have 10 2960 switches configured with 802.1x authentication against an ACS 4.2 server.
We have 2 VLANs configured on the switches, for administrators and end users. The end user VLAN ID is 10 and the administrator VLAN ID is 100.
We need to apply the following scenario: if the end-user PC (connected to VLAN 10) has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
Is the above scenario doable using dot1x with the ACS server?
Waiting for your replies
Mohamed
Hi,
I have the following scenario
2 buildings with multiple floors
Each floor should be in a different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
Each user should be able to connect and roam around between any building. Whenever a user connects his laptop on any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group?
Please refer to the attached diagram
Hi,
Check out the link below for your requirement for dynamic VLAN assignment using ACS
http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post -
802.1x Dynamic Vlan assignment using ACS
Hi,
I have the following scenario
2 buildings with multiple floors
Each floor should be in a different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
Each user should be able to connect and roam around between any building. Whenever a user connects his laptop on any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram
Hi,
Check out the link below for your requirement for dynamic VLAN assignment using ACS
http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post -
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
If possible show:
1. ACS/Radius Configurations.
2. End User Switch Configurations
Variables:
Switch A
MAC Address aaaa.bbbb.cccc Vlan 10
bbbb.cccc.dddd Vlan 20
Also, it would help if someone could post the pros and cons of using RADIUS/ACS/802.1X for dynamic VLAN assignments.
Other technologies that can be used for dynamic VLAN assignment, EXCEPT the deprecated/obsolete VMPS.
Thanks in advance.
Hi Guys,
Hmmm, well if you're just looking for MAC-based authentication, the good news is that it is very easy. Just create your RADIUS server (ACS, FreeRADIUS, Steel-Belted Radius, etc.). Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel attributes, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802, and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
So for Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
FreeRADIUS is a bit harder to configure for the specifics, and I am just now testing a FreeRADIUS server, so I do not know the process for machine authentication.
If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward. -
ACS with Dynamic VLAN which protocol to use ??
Hello,
Which Protocol do I need to use, for providing dynamic VLAN to my desktop machines?
In ACS 4.0, if I use the local ACS database then users successfully get the dynamic VLAN, but as soon as I use the AD database by integrating it with ACS, the authentication fails!!
Please help.
Hi,
Thanks for the reply. I am using EAP-MD5.
However, the problem is that if I use the ACS Solution Engine local database, users get the dynamic VLAN after authentication.
But when I use AD as the user database, the authentication fails. Even stranger, if I use the AD database to log in to any Cisco router, the authentication works fine.
I have also been struggling with TAC since last week in two different cases! However, they are unable to help; I found TAC has limited resources for ACS.
So please suggest what to do, as on the Cisco site I found lots of material for wireless but I have only desktops (no wireless).
So will the URL mentioned below be of any help?
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
Thanks in advance
Vijay -
Dynamic VLAN/SSID assignment using 4402/MS IAS
Greetings,
In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
Any input/information would be greatly appreciated.
Joe
Shaun,
My LAG - etherchannel interface
interface Port-channel8
description WLC-portchannel
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
end
My 2 WLC Fiber ports:
Current configuration : 382 bytes
interface GigabitEthernet7/47
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
2200-3A#sh run int g7/48
Building configuration...
Current configuration : 382 bytes
interface GigabitEthernet7/48
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of VLANs, and then I manage the VLANs assigned to clients with IAS and the WLC.
interface FastEthernet4/48
description AP-PoE
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-1004
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
end
Jim -
Dynamic VLAN assignment with WLC and ACS for
Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
dot11 vlan-name STUDENT vlan 2903
dot11 vlan-name FACSTAF vlan 2905
As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?
We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this? -
Dynamic Vlan Assignment on 2950 with acs 4.2
Hello to everyone
We have a problem with Cisco 2950G 48 EI and ACS (version 4.2) providing dynamic Vlan assignment based on groups
On the ACS we configured the following attributes for the specific group
64 = VLAN
65 = 802
81 = VLAN Name
We tried for the 81 attribute both Vlan name and Vlan ID but we get the same results
In detail, we need the machine to be placed on VLAN ID 6 named vlan_sio, so we inserted these values in the attribute field
Before we configured the switch to speak with ACS:
aaa new-model
aaa group server radius Switch
server 172.16.0.93 auth-port 1812 acct-port 1813
dot1x system-auth-control
radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
radius-server retransmit 3
We configured the ports for the use of dot1x:
switchport mode access
dot1x port-control auto
dot1x guest-vlan 7
spanning-tree portfast
The users are correctly authenticated but the ports always stay in their default VLAN
We tried to debug with the debug dot1x events command and we get the following errors:
Feb 16 12:00:04.017: Attribute 64 6 0100000D
Feb 16 12:00:04.017: Attribute 65 6 01000006
Feb 16 12:00:04.017: Attribute 81 4 01360806
Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
Feb 16 12:00:04.041: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
Feb 16 12:00:04.049: dot1x-ev:dot1x_port_authorized: Added 0006.1bdb.6a09 to HA table on vlan 1
Does anyone know what we could have missed?
Thanks
Solved
It was just missing the command
aaa authorization network default group XXXX -
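The three "Attribute 64/65/81" debug lines in that thread are the IETF tunnel attributes the ACS group was configured with, printed as raw bytes. As an added example that is not code from the thread: a Python decoder for those RFC 2868 tagged attributes, fed with the hex the 2950 printed. It shows that the Access-Accept already carried Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (802) and group ID "6", i.e. the switch received a usable assignment and the fault was that it was not authorized to apply it, which is what the missing aaa authorization network line explains. The DEBUG_ATTRS sample and the tag-consistency rule are the example's own; that the switch prints a fixed number of bytes past the attribute's real length (attribute 81 shows length 4 but eight hex digits) is an assumption drawn from those three lines.

```python
# Added example (not code from the thread): decode the IETF tunnel attributes that
# carry a dynamic VLAN assignment, using the values printed by "debug dot1x events"
# on the 2950 above as the sample input.
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

TUNNEL_TYPE = 64              # IETF 64, Tunnel-Type; 13 means VLAN
TUNNEL_MEDIUM_TYPE = 65       # IETF 65, Tunnel-Medium-Type; 6 means IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # IETF 81, Tunnel-Private-Group-ID; VLAN ID or name

# (attribute number, on-wire length including the 2-byte header, value bytes as
# printed). Copied from the debug output in the 2950 thread; the switch is assumed
# to print a fixed number of bytes, so attribute 81 shows two bytes past its length.
DEBUG_ATTRS = [
    (64, 6, "0100000D"),
    (65, 6, "01000006"),
    (81, 4, "01360806"),
]


@dataclass
class TaggedAttr:
    number: int
    tag: Optional[int]      # RFC 2868 tag byte; None for an untagged group ID
    value: Union[int, str]


def decode_tunnel_attr(number: int, length: int, hexvalue: str) -> TaggedAttr:
    """Decode one RFC 2868 tunnel attribute from a debug line."""
    value = bytes.fromhex(hexvalue)[: length - 2]   # keep only the real value bytes
    if number in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError(f"attribute {number}: expected 4 value bytes, got {len(value)}")
        # one tag byte followed by a 3-byte big-endian integer
        return TaggedAttr(number, value[0], int.from_bytes(value[1:], "big"))
    if number == TUNNEL_PRIVATE_GROUP_ID:
        # A leading byte in 0x01..0x1F is a tag; any other first byte belongs to the string.
        if value and 0x01 <= value[0] <= 0x1F:
            return TaggedAttr(number, value[0], value[1:].decode("ascii"))
        return TaggedAttr(number, None, value.decode("ascii"))
    raise ValueError(f"attribute {number} is not a tunnel attribute")


def classify_group_id(group_id: str) -> Tuple[str, Union[int, str]]:
    """A purely numeric group ID is taken as a VLAN ID, anything else as a VLAN name."""
    return ("id", int(group_id)) if group_id.isdigit() else ("name", group_id)


def vlan_from_attrs(attrs: List[Tuple[int, int, str]]) -> Tuple[Optional[str], str]:
    """Return (group_id, 'ok') when the three attributes describe one VLAN,
    otherwise (None, reason)."""
    decoded = {a.number: a for a in (decode_tunnel_attr(*raw) for raw in attrs)}
    for needed in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if needed not in decoded:
            return None, f"missing attribute {needed}"
    tt = decoded[TUNNEL_TYPE]
    tm = decoded[TUNNEL_MEDIUM_TYPE]
    pg = decoded[TUNNEL_PRIVATE_GROUP_ID]
    if tt.value != 13:
        return None, f"Tunnel-Type is {tt.value}, expected 13 (VLAN)"
    if tm.value != 6:
        return None, f"Tunnel-Medium-Type is {tm.value}, expected 6 (IEEE-802)"
    # When the group ID carries a tag, all three attributes must share it so the
    # switch treats them as one tunnel group.
    if pg.tag is not None and len({tt.tag, tm.tag, pg.tag}) != 1:
        return None, "tunnel tags differ across the three attributes"
    return pg.value, "ok"


if __name__ == "__main__":
    group_id, status = vlan_from_attrs(DEBUG_ATTRS)
    print(status, classify_group_id(group_id) if group_id else None)
```

The same decoder accepts the untagged, name-valued form of attribute 81 that the Steel-Belted/ACS post earlier on the page describes (a string such as vlan_sio with no leading tag byte), which is why the first-byte range check matters: a VLAN name beginning with a printable character is never mistaken for a tag.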
ACS + VMWare thin clients with dynamic vlans
Good afternoon,
I need to deploy a solution with thin clients and dynamic VLANs (802.1x). All switches are Catalyst 3560 and higher.
Can I do this using only the ACS? Will it work?
Thank you
Hi,
Dynamic VLAN assignment can be configured on the ACS.
Please see the configuration example on the link below, this configuration example is for WLC but the ACS configuration is the same.
http://tinyurl.com/2oxg32
If you have any doubts do not hesitate to contact me -
Dynamic Mapping to ACS groups using OU instead of NT group
Is there a way to use the Microsoft AD OU groups instead of the old NT groups to dynamically map users to the ACS groups? We are using ACS server version 3.2 as well as some test servers on 3.3.
Cisco Secure ACS for Windows Servers 3.2 only supports two versions of the Windows 2000 operating system
1)Windows 2000 Server, with Service Pack 3 or Service Pack 4 installed
2)Windows 2000 Advanced Server, with the following conditions:
with Service Pack 3 or Service Pack 4 installed
without Microsoft clustering service installed
without other features specific to Windows 2000 Advanced Server enabled -
Dynamic VLAN assignments with ACS
Hello all.
I am trying to do dynamic VLAN assignments with dot1x auth. I am using ACS 5.3 and a Cisco 3560.
I have configured them correctly to the best of my knowledge, but it doesn't seem to be working correctly.
aaa group server radius nac_servers
 server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
aaa authentication dot1x default group nac_servers
aaa authorization network default group nac_servers
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 364
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event no-response action authorize vlan 303
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
When the user connects I get the following via debug:
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
Any idea what config I'm missing?
Thanks
Paul
Hello.
Here is what's left in the log.
Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.253: EAPOL pak dump rx
Apr 30 15:19:36.253: EAPOL Version: 0x1 type: 0x0 length: 0x007B
Apr 30 15:19:36.253: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.007b
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.278: EAPOL pak dump rx
Apr 30 15:19:36.278: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.278: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.294: EAPOL pak dump rx
Apr 30 15:19:36.294: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.294: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
Hope that helps -
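As an added example that is not code from either thread: a Python checker that reads an IOS running-config excerpt and lists which of the baseline commands for RADIUS VLAN assignment are absent, globally and per port. The requirement list is the one visible in these two threads (aaa new-model, dot1x system-auth-control, aaa authentication dot1x, aaa authorization network, a RADIUS server definition, switchport mode access and port-control auto); it is a review baseline, not an exhaustive list. The interface name FastEthernet0/1 for the 2950 port is assumed, because that post omits the interface line. Both embedded configs are copied from the posts as excerpts, so the checker flags what was not pasted as well as what was missing: on the 2950 it reports the aaa authorization network line that turned out to be the fix, and on this 3560 excerpt only the two global lines the poster did not include.

```python
# Added example (not code from either thread): check an IOS running-config for the
# global and per-port commands a Catalyst switch needs before it applies a
# RADIUS-assigned VLAN. The requirement list is a baseline drawn from the commands
# visible in the two threads, not an exhaustive one.
import re
from typing import Dict, List

# Global commands expected at column 0 (or, for the RADIUS server, indented under
# "aaa group server radius").
GLOBAL_REQUIREMENTS = {
    "aaa new-model": r"^aaa new-model$",
    "dot1x system-auth-control": r"^dot1x system-auth-control$",
    "aaa authentication dot1x": r"^aaa authentication dot1x default group \S+",
    "aaa authorization network": r"^aaa authorization network default group \S+",
    "radius server defined": r"^(radius-server host \S+|\s+server(-private)? \S+)",
}

# Per-interface commands; either the legacy dot1x form or the newer authentication form.
PORT_REQUIREMENTS = {
    "switchport mode access": r"^switchport mode access$",
    "port-control auto": r"^(dot1x|authentication) port-control auto$",
}

# The 2950 snippet from the earlier thread. Its port commands were posted without
# an interface line, so the name FastEthernet0/1 here is assumed.
CONFIG_2950 = """\
aaa new-model
aaa group server radius Switch
 server 172.16.0.93 auth-port 1812 acct-port 1813
dot1x system-auth-control
radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
radius-server retransmit 3
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 7
 spanning-tree portfast
"""

# The 3560 snippet from this thread, as posted (the global dot1x lines were not pasted).
CONFIG_3560 = """\
aaa group server radius nac_servers
 server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
aaa authentication dot1x default group nac_servers
aaa authorization network default group nac_servers
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 364
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event no-response action authorize vlan 303
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # any other column-0 line ends the interface block
    return interfaces


def check_dynamic_vlan_prereqs(config: str) -> Dict[str, object]:
    """Report which baseline commands are absent, globally and per interface."""
    lines = [l for l in config.splitlines() if l.strip() and not l.startswith("!")]
    global_missing = [name for name, pat in GLOBAL_REQUIREMENTS.items()
                      if not any(re.match(pat, l) for l in lines)]
    port_missing = {
        name: [req for req, pat in PORT_REQUIREMENTS.items()
               if not any(re.match(pat, cmd) for cmd in cmds)]
        for name, cmds in parse_interfaces(config).items()
    }
    return {"global_missing": global_missing, "port_missing": port_missing}


if __name__ == "__main__":
    for label, cfg in (("2950", CONFIG_2950), ("3560", CONFIG_3560)):
        print(label, check_dynamic_vlan_prereqs(cfg))
```

Feed it the full show running-config output rather than a pasted excerpt. A clean result only means the baseline commands are present; it says nothing about whether ACS actually returned the tunnel attributes, so pair it with the %AUTHMGR-5-VLANASSIGN message above (or debug radius) when a port still lands in its default VLAN, as in this thread.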
Dynamic VLAN on Access Point using RADIUS
Hi.
I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC)
I was wondering is it possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS Policy and RADIUS Return attributes?
I have configured the attributes on radius as per documentation;
* IETF 64 (Tunnel Type)—Set this to VLAN.
* IETF 65 (Tunnel Medium Type)—Set this to 802.
* IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
The returned VLAN ID exists on the Access Point and direct connection to the SSID without the return value works okay.
Each time I connect the VLAN just defaults to the native VLAN for the SSID
I think it may be impossible without WLC!
HELP!!
From what I found, when using MBSSID it appears you cannot use dynamic VLANs.
However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
However, I have a specific wireless device which cannot use dot1x/EAP and therefore I need a second broadcast SSID for it, which then causes the dynamic VLAN setup not to work. -
ACS- Dynamic VLANS for different ACS groups with AD
Hi all,
How do I tie different Active Directory domain groups to different ACS-defined groups? Each domain group will be tied to an ACS-defined group with a different VLAN. I read about the option in the help but don't see the option to actually do it.
Using ACS 3.3.
JT
You could refer to the document 'User Group Mapping and Specification' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/qg.htm#.
-
Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c
I met a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:
1. Background:
We have two WLAN: staff and student, both of them will use PEAP-MSCHAPv2, ACSE will be the Radius server, it will use Windows AD's user database. In AD, they create two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.
2. Problem:
If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database; since student1 is a valid user account in AD, it will pass authentication and join the staff WLAN. How do we prevent this from happening?
3. Potential solution and its limitation:
1) Use group mapping in ACSE(Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. But the student group will definitely exceed 500 users, how to solve it?
2) Use methods like "Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS": configure DNIS with the SSID name in a NAR on the ACSE. But since DNIS/NAR is only configurable in the ACSE, I don't know whether AD supports it or not; is there any option in AD like DNIS/NAR in the ACSE?
Thanks for any suggestions!
I think the documentation for ACS states:
ACS can only support group mapping for users who belong to 500 or fewer Windows groups
I read that as: if a user belongs to more than 500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.