Using ACS for VLAN assignment

Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and not found what I am looking for specifically, so here it goes.
1) When the RADIUS attributes have been configured in ACS (64, 65 and 81), and in my case I have them in the group configuration: for the VLANs to be assigned to the various users at their ports, will every VLAN name in the RADIUS settings have to be in the switches which are used for access?
2) Is there a limit to the number of VLANs that can be assigned by the RADIUS (IETF) portion of ACS, or would it be better to use RADIUS (IOS/PIX)? I am thinking of about 15 VLANs.
I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
Thanks for any help...
Kelvin
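The question above turns on what attributes 64, 65 and 81 actually carry and what the access switch does with them. As an added example that is not part of the original thread, the Python below builds the three RFC 2868 tunnel attributes the way they appear in an Access-Accept, parses them back, and then resolves the Tunnel-Private-Group-ID against a constructed per-switch VLAN table the way a closet switch would. It builds only the attribute list, not the surrounding RADIUS packet and authenticator; the VLAN table and the tag value 1 are assumptions.

```python
"""Build and parse the three RFC 2868 tunnel attributes that carry a
VLAN assignment in a RADIUS Access-Accept, then resolve the returned
group ID against a switch's local VLAN table.  Added example; the VLAN
table and the tag value are constructed, not taken from the thread."""

# RFC 2868 attribute numbers and the values used for VLAN assignment.
TUNNEL_TYPE = 64                # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65         # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81    # string: VLAN name or VLAN number
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def _tagged_int(attr_type, tag, value):
    # Type, Length, Tag, 3-octet value (RFC 2868 sections 3.1 and 3.2).
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def _tagged_string(attr_type, tag, value):
    # Type, Length, Tag, String (RFC 2868 section 3.6).  The tag must be
    # 0x00..0x1F so a receiver can tell it apart from the first string byte.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + value.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_attributes(vlan, tag=1):
    """Attributes 64/65/81 as they would appear in the Access-Accept."""
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))


def parse_attributes(data):
    """Walk the attribute TLVs and return {type: (tag, value)}.
    A first byte above 0x1F is not a tag but part of the value (RFC 2868)."""
    out = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 3 or i + alen > len(data):
            raise ValueError("malformed attribute")
        body = data[i + 2:i + alen]
        if body[0] <= 0x1F:
            tag, payload = body[0], body[1:]
        else:
            tag, payload = 0, body
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[atype] = (tag, int.from_bytes(payload, "big"))
        else:
            out[atype] = (tag, payload.decode("ascii"))
        i += alen
    return out


def resolve_vlan(attrs, local_vlans):
    """Mimic the access switch: honour the assignment only when 64/65 say
    VLAN over 802 and the group ID names (or numbers) a VLAN configured on
    this switch.  Returns the VLAN ID, or None when nothing can be applied."""
    if attrs.get(TUNNEL_TYPE, (0, None))[1] != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE, (0, None))[1] != TUNNEL_MEDIUM_802:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, (0, None))[1]
    if group is None:
        return None
    if group.isdigit():                     # numeric form: match the ID
        vid = int(group)
        return vid if vid in local_vlans.values() else None
    return local_vlans.get(group)           # name form: must exist locally


# Constructed VLAN table for one closet switch (name -> ID).
CLOSET_2950 = {"STAFF": 10, "GUEST": 12}
```

resolve_vlan returning None is the case the first question is about: the switch can only map a name in attribute 81 to a VLAN it already has (from VTP or local configuration), so a name that is missing on a closet switch cannot be applied there; a numeric group ID is matched against the VLAN IDs instead.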

Access Control Lists. I am thinking it is better to apply the ACLs at the closet (access) switches, where I can specify the servers that should be reached by the hosts in my test VLAN and deny those which they should not.
I used a named extended ACL for my tests; however, it did not go well. With the ACL below applied I cannot reach anything, including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway; however, with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507; the 2 VLANs I am working with are trunked to the 2950 and DHCP is running. I have IP routing enabled on the 4507 and it is the server for the VTP domain.
ip access-list extended guest
permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
deny ip any any
Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?
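One reason an IOS extended ACL written as above matches nothing is that IOS reads the mask after a source or destination network as a wildcard mask, where a 1 bit means "don't care": 255.255.255.0 therefore compares only the last octet, so only addresses whose last octet is 0 match 172.16.12.0 and every real host falls through to the deny. The Python below is an added example, not from the original post: it implements that wildcard comparison for a small subset of extended-ACL syntax and evaluates the posted entries next to a version with 0.0.0.255 masks. The DHCP entry (the client's DISCOVER goes from 0.0.0.0 port 68 to 255.255.255.255 port 67) and the sample packets are constructed additions, included because an ACL applied inbound where that broadcast arrives must also let the lease exchange through.

```python
"""Evaluate IOS extended-ACL entries against sample packets using the
wildcard-mask semantics IOS applies.  Added example; the sample packets
and the DHCP entry are constructed.  Only a subset of ACL syntax is
handled: permit|deny <proto> <src> [eq port] <dst> [eq port]."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 1 bit in the mask means 'don't care'.  Note that
    255.255.255.0 therefore compares ONLY the last octet, which is the
    opposite of what a subnet mask of the same value would mean."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line):
    """Parse one access-control entry into a dict."""
    tok = line.split()
    pos = 2

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[pos] == "host":
            pos += 2
            return (tok[pos - 1], "0.0.0.0")
        pos += 2
        return (tok[pos - 2], tok[pos - 1])

    def take_port():
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    ace = {"action": tok[0], "proto": tok[1]}
    ace["src"] = take_addr()
    ace["sport"] = take_port()
    ace["dst"] = take_addr()
    ace["dport"] = take_port()
    return ace


def evaluate(acl_lines, pkt):
    """First matching entry wins; no match means the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"


# The entries as posted: 255.255.255.0 is read as a wildcard mask.
GUEST_AS_POSTED = [
    "permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1",
    "permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254",
    "permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53",
    "deny ip any any",
]

# Same intent with proper wildcard masks, plus a constructed entry for the
# DHCP lease exchange (client 0.0.0.0 port 68 -> broadcast port 67).
DHCP_ACE = "permit udp any eq 68 any eq 67"
GUEST_FIXED = [
    "permit ip 172.16.12.0 0.0.0.255 host 172.16.12.1",
    "permit ip 172.16.12.0 0.0.0.255 host 172.16.2.254",
    "permit udp 172.16.12.0 0.0.0.255 host 172.16.2.245 eq 53",
    DHCP_ACE,
    "deny ip any any",
]
```

The posted mask also has a second, quieter effect: because only the last octet is compared, an unrelated address ending in .0 would satisfy the permit entries, so a "looks too tight" ACL can at the same time be looser than intended.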

Similar Messages

  • Using ACS for command authorization

    I've setup my ASA for this and it works as it should, the restricted user can only run the commands I put into the command set in ACS.
    However this is fine on telnet/SSH but when using ASDM the restricted account has level 15 access and is able to change things.
    Can you use ACS to give a view only account on an ASA when using ASDM?

    Thanks for the reply. I actually resolved it by watching the logs and seeing what ASDM needed; in the end I had to add permit to the session command and also permit write net.
    this worked and gives the restricted user view only access to the config etc and also view only in ASDM.

  • "Always use pressure for size" - assign keyboard shortcut?

    Is there a way to assign a keyboard shortcut to the "always use pressure for size" toggle on/off button that sits in the brush toolbar? 
    It would speed up masking with a Wacom quite a bit where you want to use shift-clicking to draw straight lines between points (where you really need the pen pressure controlling brush size turned off) and then go back to masking around detail areas where you need the pressure turned back on. I seem to recall Julieanne Kost saying this was possible at some point back when CS5 was launched, but I've never found it and can't find it in CS6 either.

    Hi Brett, thanks for the reply.
    Yeah, that would be amazing if it could be added to the big list you guys must have for JDI requests... I'll add it to the feedback.photoshop.com feature requests list as well.
    Cheers!

  • Using ACS for change control

    I'd like to set up an ACS server (integrated with Windows Active Directory) for routers and switches so that all network administrators can use their Active Directory account to access network devices, and all activities will be logged on the ACS server. Currently we are sharing a local administrative account (on the routers and switches) and I don't have visibility of who is doing what. The idea is to have tighter change control.
    I'd like to have a security group set up in Active Directory with all the network admins in it, and have them use their network account to log into routers and switches. Is this possible?

    Thank you, in that case I have some more questions(if you don't mind) to ask about your instruction.
    1. I only have RADIUS server(ACS 3.3). Do I need to purchase additional TACACS+ to accomplish this? or you just want me to add additional TACACS+/RADIUS attributes enabled per user?
    2. Is it possible to map 'Security Group' object instead of individual user?
    3. Please send me a sample CLI configuration for router(or switch).
    Thank you very much for your help.

  • Using ACS for Cisco Prime authentication

    I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
    Any pointers?

    The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
    Administration > AAA > TACACS+ Servers > add tacacs server.
    Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
    The bulk of the configuration is on the authentication server side, particularly in defining groups, services and authorization tasks. This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
    "Configuring ACS 4.x"
    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
    https://supportforums.cisco.com/docs/DOC-17909
    In case it doesn't work, please get the logs from the ACS Reports and Monitoring for TACACS authentication and the error message while accessing Cisco Prime.
    Jatin Katyal
    - Do rate helpful posts -

  • Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

    I met a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:
    1. Background:
    We have two WLANs: staff and student. Both of them will use PEAP-MSCHAPv2; ACSE will be the RADIUS server and it will use Windows AD's user database. In AD, they created two groups: staff and student. The testing account for staff is staff1; the testing account for student is student1.
    2. Problem:
    If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database. Since student1 is a valid user account in AD, it will pass authentication and join the staff WLAN. How do I prevent this from happening?
    3. Potential solutions and their limitations:
    1) Use group mapping in ACSE (Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. The student group will definitely exceed 500 users; how do I solve that?
    2) Use methods like "Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS": configure DNIS with the SSID name in a NAR in ACSE. But since DNIS/NAR is only configurable in ACSE, I don't know whether AD supports it or not. Is there any option in AD like DNIS/NAR in ACSE?
    Thanks for any suggestions!

    I think the documentation for ACS states:
    ACS can only support group mapping for users who belong to 500 or fewer Windows groups
    I read that as: if a user belongs to more than 500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.

  • Tandberg MXP 6000 Portable and VLAN assignment

    Hello,
    We have a couple of Tandberg MXP 6000 portable VC units that we'd like to be a bit more "portable".  At present any time someone wants to move the unit to a new location we have to configure a switch port as an access port for our voice/video vlan, obviously because these VC devices do not support CDP for vlan assignment.  I can see no way in the settings to tell the unit which vlan to use.
    Ideally I'd like the users to be able to plug these into any wall jack and have the unit assigned the correct vlan, for QoS purposes.  We've tried having the unit move around with its own 8-port switch but anywhere these get plugged in, spanning tree blocks the port because portfast is enabled on the majority of our generic data jacks.
    Is LLDP a possibility here?  If so how would I go about configuring this?
    Does anyone have any other solutions?

    You can download it from either of the two locations:
    Cisco website
    TANDBERG FTP
    Also, if you're upgrading from F8 or below, you can contact TAC and point them to this security advisory, with it, you can get the MXP F9.3.1 software for free without the need of a service contract.
    You will need a release key if you're going from one major version to another, ex: F8 or below to F9.  Minor versions don't require a release key, ex: F9.1 to F9.3.1.
    Instructions on how to upgrade an MXP codec can be found in the Admin Guide, on pg 141.

  • ACS for Windows vs ACS Appliance?

    First, the only thing I saw on the Appliance was that it was a 'hardened OS'. So I'm assuming like many of their other appliances that this is Windows 2003 locked down? Regardless if it is or not, are there any issues with the appliance being in a mixed environment with ACS for Windows and replication between the two?
    Thanks,
    Raun

    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawo.html
    When you use ACS for Windows, you install it on a member server, which can "relay" the auth requests to the domain controllers.
    ACS SE's are not a member in the domain, therefore you need to install the remote agent on a member/DC, so that it would act as a "relay agent" for the auth requests.
    You'll also need to manually create a workstation account in AD to allow auth requests from the ACS SE's.
    The default name used is "CISCO", but it can be defined differently.
    For this part, see
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp311476

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
    Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
    Thanks in advance.

    Hi Guys,
    Hmmm, well if you're just looking for MAC-based authentication the good news is that it is very easy. Just create your RADIUS server: ACS, FreeRADIUS, Steel-Belted RADIUS, etc. Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
    So for Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
    Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
    FreeRADIUS is a bit harder to configure the specifics of, and I am just now testing a FreeRADIUS server, so I do not know the process for machine authentication.
        If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    We have 10 2960 switches configured with 802.1x authentication against an ACS 4.2 server.
    We have 2 VLANs configured on the switches, for administrators and end users; the end user VLAN ID is 10 and the administrator VLAN ID is 100.
    We need to apply the following scenario: if the end-user PC that is connected to VLAN 10 has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
    Is the above scenario doable using dot1x with the ACS server?
    Waiting for your replies.
    Mohamed


  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario:
    2 buildings with multiple floors.
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop to any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram.

    Hi,
    Check out the link below for your requirement for dynamic VLAN assignment using ACS:
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • VLAN assignment from ACS not applied

    WLC 4402 5.2.157.0
    ACS Express 5.0.0.18
    We have an issue where the VLAN assigned on the ACS isn't applied on the 4402 WLC.
    We have 'Allow AAA Override' checked on the WLAN, the QoS is overridden to bronze properly, but the VLAN stays at 0 and the interface at management. The VLAN interface is configured on the WLC.
    On the ACS the following are configured for the RADIUS response:
    Radius-IETF Tunnel-Medium-Type 802
    Radius-IETF Tunnel-Type VLAN
    Radius-IETF Tunnel-Private-Group-ID 44
    Cisco Airespace Airespace-QoS-Level Bronze
    The accounting log shows:
    Wed, 04 Feb 2009 09:50:02
    User-Name = guest
    NAS-IP-Address = 10.30.1.2
    NAS-Port = 1
    Framed-IP-Address = 10.30.1.12
    Called-Station-Id = 10.30.1.2
    Calling-Station-Id = 10.30.1.12
    NAS-Identifier = Cisco4402WLC
    Acct-Status-Type = Start
    Acct-Session-Id = 4989b927/00:1a:73:ed:bf:ca/2
    Acct-Authentic = RADIUS
    Airespace-WLAN-Id = 2
    Thanks for any help or advice you can provide to troubleshoot this issue.
    -Brian

    From the Clients -> Details screen on the WLC...
    CLIENT PROPERTIES
    MAC Address 00:1a:73:ed:bf:ca
    IP Address 10.30.1.12
    Client Type Regular
    User Name guest
    Port Number 1
    Interface management
    VLAN ID 0
    CCX Version CCXv4
    E2E Version Not Supported
    Mobility Role Local
    Mobility Peer IP Address N/A
    Policy Manager State RUN
    Mirror Mode Disable
    Management Frame Protection No
    SECURITY INFORMATION
    Security Policy Completed Yes
    Policy Type N/A
    Encryption Cipher None
    EAP Type N/A
    NAC State Access
    QUALITY OF SERVICE PROPERTIES
    WMM State Enabled
    U-APSD Support Disabled
    QoS Level Bronze
    Diff Serv Code Point (DSCP) disabled
    802.1p Tag disabled
    Average Data Rate disabled
    Average Real-Time Rate disabled
    Burst Data Rate disabled
    Burst Real-Time Rate disabled

  • Using Active Directory and ACS for Concentrator 3000 VPN

    Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
    Below is my understanding; I appreciate any help to piece some or all of the below together.
    (1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
    (2) AD stores a central user database for user authentication. Each user may belong to one or more groups in the AD; ACS is responsible for network access control for the specific groups and enforces these controls on the users via the concentrators.
    (3) Concentrator is the NAS, and ACS is the RADIUS server
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
    (4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
    (5) A single "Tunnel Group" is created on the concentrator
    (6) Multiple groups, per corporate infosec policies, are created in the AD
    (7) Multiple groups, per corporate infosec policies, are also created in ACS; they need to match what is in the AD
    TIA.

    In order to restrict access for a specific AD group to specific SSID this is what you need to perform.
    When the WLC sends an authentication request to the ACS, it will include the SSID that the user is connecting to in the attribute Calling-Station-Id(31). We can use this information to create multiple rules in ACS 5.x in order to take actions based on the information contained in the attribute.
    Under Users and Identity Stores > click on Directory Groups > select > check the group name you want to add and hit OK. Save the changes.
    We just need to create a DNIS rule that includes the name of the SSID and use it as a condition in any rule that we create for authentication. The * is required because the attribute not only contains the SSID but also a MAC address, so the * is used as a regular expression.
    Now go to Access Policies > Default Network Access > identity should be AD1.
    Go to Authorization > click on Customize > move the AD1:ExternalGroups and End-Station Filter attributes to the right side and hit OK.
    After that select the appropriate AD group for teachers and the end-station filter.
    Save changes.
    Jatin Katyal
    - Do rate helpful posts -

  • Dynamic VLAN using ACS

    Does anyone have experience deploying dynamic VLANs using ACS 4.1?
    What steps must I configure in ACS, and how do I do it when the Certificate Authority is a Microsoft CA?

    Please check these links,
    http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
    http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    Let me know if you are looking for anything specific.
    Regards,
    ~JG
    Do rate helpful posts
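Both the NAR/DNIS approach raised in the staff/student WLAN thread above and the ACS 5.x end-station filter steps in the reply under the VPN 3000 thread come down to one match: the station-id attribute carries the client MAC followed by the SSID, so a rule has to wildcard the MAC portion to select on the SSID. The Python below is an added example, not from the original threads or from ACS itself; the station-id layout "aa-bb-cc-dd-ee-ff:SSID", the AD group names and the rule table are assumptions. It evaluates first-match rules with glob patterns, refuses an authenticated account that matches no rule, and shows why a pattern without the leading wildcard never matches and why "*staff" is looser than "*:staff".

```python
"""Rule evaluation for SSID-based WLAN access, matching the station-id
attribute (client MAC followed by the SSID) against glob patterns.
Added example with constructed rules; the station-id format
'aa-bb-cc-dd-ee-ff:SSID' and the group names are assumptions."""
import fnmatch

# Constructed rule table, evaluated first match wins:
# (station-id pattern, AD group the user must be in, result).
RULES = [
    ("*:staff", "staff", "permit"),      # staff SSID: staff only
    ("*:student", "student", "permit"),  # student SSID: students ...
    ("*:student", "staff", "permit"),    # ... and staff
]


def pattern_matches(station_id, pattern):
    """Case-sensitive glob match, the way a DNIS/end-station filter with
    '*' is used: '*' swallows the MAC portion so the SSID is compared."""
    return fnmatch.fnmatchcase(station_id, pattern)


def split_station_id(station_id):
    """Return (mac, ssid); the SSID is everything after the last ':'."""
    mac, sep, ssid = station_id.rpartition(":")
    if not sep or not mac or not ssid:
        raise ValueError("station-id lacks MAC:SSID layout: %r" % station_id)
    return mac.lower(), ssid


def decide(station_id, user_groups):
    """'permit' if a rule matches the SSID and one of the user's groups,
    otherwise 'deny': there is no implicit permit, so an AD account that
    authenticates fine but matches no rule is still refused."""
    split_station_id(station_id)  # reject malformed input up front
    for pattern, group, result in RULES:
        if pattern_matches(station_id, pattern) and group in user_groups:
            return result
    return "deny"
```

The point of the default deny is the student1 case from the thread: a valid AD password gets the user past authentication, and only the SSID/group rule stops the wrong WLAN.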
