VLAN to ACS mapping

I would like to know if it is possible to do the following:
Let users in VLAN A authenticate to ACS A and users in VLAN B authenticate to ACS B.
Any comments welcome.
Regards
Dean

You may find the answer at this link: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns75/c685/ccmigration_09186a0080259047.pdf
rate this post if it helps
regards
Devang

Similar Messages

  • ACS Mapping Group @ Trust-Tree (Domain Trust)

    Dears,
    Can ACS map groups across an AD domain trust?
    I installed abc.com / qqq.com and they trust each other!
    My ACS is installed in the abc.com domain, but I cannot get qqq.com user information.
    ^ ^
    Message edited by: mr.marslin

    The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a CiscoSecure ACS group for assigning authorization profiles. For external user databases from which CiscoSecure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific CiscoSecure ACS groups
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4f.html#wp712817

  • Dynamic VLAN using ACS

    Does anyone have experience deploying dynamic VLANs using ACS 4.1?
    What steps must I configure in ACS, and how when the Certificate Authority is a Microsoft CA?

    Please check these links,
    http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
    http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    Let me know if you are looking for anything specific.
    Regards,
    ~JG
    Do rate helpful posts

  • ACS mapping "Command Sets" to groups

    Hi
    I created "Shell Command Authorization Sets" under ACS 4.1.
    I use RADIUS (IETF). How do I map the "Shell Command Authorization Sets" to user groups?
    Thanks for the help
    bb

    Shell command authorization / command authorization is a feature of TACACS+, not RADIUS.
    It won't work with RADIUS. It only works with TACACS+.
    Please see one config example attached.
    Regards,
    Prem
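    The exchange behind Prem's point, as an added example that is not part of the thread or of any Cisco code: a switch doing command authorization sends a TACACS+ authorization REQUEST carrying service=shell, cmd and cmd-arg arguments, which has no RADIUS equivalent. The code below builds such a packet per RFC 8907, applies the MD5-based body obfuscation, and decodes it on the server side with length and version checks. The shared key, session ID, user, port and command are assumptions. Note that the obfuscation is XOR masking keyed on the shared secret; it gives no integrity protection, which is why TACACS+ should run over a trusted management network or IPsec.

```python
import hashlib
import struct

# Protocol constants from RFC 8907 (TACACS+).
TAC_PLUS_VERSION = 0xC0                  # major 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02                   # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# Assumed values for the demo (not from the thread).
SHARED_KEY = b"demo-tacacs-key"
SESSION_ID = 0x1A2B3C4D


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 body obfuscation: chained MD5 over session id, key, version
    and sequence number. This is XOR masking keyed on the shared secret,
    not authenticated encryption; it provides no integrity protection."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def mask_body(body, session_id, key, version, seq_no):
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))   # XOR: same call unmasks


def shell_command_args(command_line):
    """Arguments a Cisco NAS sends for command authorization: the service,
    the first word as cmd, each further word as cmd-arg, then <cr>."""
    words = command_line.split()
    return (["service=shell", "cmd=" + words[0]]
            + ["cmd-arg=" + w for w in words[1:]] + ["cmd-arg=<cr>"])


def build_author_request(user, port, rem_addr, args, priv_lvl=15):
    """Authorization REQUEST body (RFC 8907 section 6.1)."""
    enc_args = [a.encode() for a in args]
    fields = [user.encode(), port.encode(), rem_addr.encode()]
    if any(len(x) > 255 for x in enc_args + fields) or len(args) > 255:
        raise ValueError("field too long for a one-octet length")
    body = struct.pack(">8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(fields[0]), len(fields[1]), len(fields[2]), len(enc_args))
    body += bytes(len(a) for a in enc_args)
    return body + b"".join(fields) + b"".join(enc_args)


def build_packet(body, session_id, key, seq_no=1):
    """12-byte header followed by the masked body."""
    header = struct.pack(">BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR,
                         seq_no, 0, session_id, len(body))
    return header + mask_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_author_request(packet, key):
    """Server side: validate header, unmask and decode the body."""
    if len(packet) < 12:
        raise ValueError("short header")
    ver, ptype, seq, flags, sid, length = struct.unpack(">BBBBII", packet[:12])
    if ver >> 4 != 0xC or ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not a TACACS+ authorization packet")
    if len(packet) != 12 + length:
        raise ValueError("length field does not match packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = mask_body(body, sid, key, ver, seq)
    meth, priv, atype, svc, ulen, plen, rlen, argc = struct.unpack(">8B", body[:8])
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    user = body[off:off + ulen]
    port = body[off + ulen:off + ulen + plen]
    rem = body[off + ulen + plen:off + ulen + plen + rlen]
    off += ulen + plen + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("trailing bytes in body (wrong key or corrupt packet)")
    return {"user": user.decode(), "port": port.decode(), "rem_addr": rem.decode(),
            "priv_lvl": priv, "args": args}
```

    The server matches the decoded args against its command sets and answers with an authorization REPLY; the cmd-arg=<cr> terminator is what lets a server distinguish "show run" from a longer command that merely begins with it.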

  • VLANs per ACS server

    Hi,
    I would like to know if the following scenario is possible:
    Let users in VLAN A authenticate to ACS A and users in VLAN B authenticate to ACS B.
    Any comments welcome.
    Regards
    Dean

    Alternatively, why not have one AAA server and make that assign the VLAN based on some criteria? If a user is already on the network (in a VLAN), isn't it a bit late to authenticate?
    ACS v4.0 would allow you to select RADIUS profiles based on user group membership AND (for example) the device or any other attribute in the access request.
    Darran

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    We have 10 2960 switches configured with 802.1x authentication against an ACS 4.2 server.
    We have 2 VLANs configured on the switches, for administrators and end users. The end-user VLAN ID is 10 and the administrator VLAN ID is 100.
    We need to apply the following scenario: if an end-user PC connected to VLAN 10 has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
    is the above scenario doable using dot1x with the ACS server?
    waiting your replies
    Mohamed

    Hi,
    I have the following scenario:
    2 buildings with multiple floors.
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop on any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group?
    Please refer to the attached diagram.
    Hi,
    Check out the below link for your requirement for dynamic VLAN assignment using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post
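    The mechanism both the per-building WLC question above and the per-Network-Device-Group question here rely on is the same: the AAA server returns the three IETF tunnel attributes in the Access-Accept, and the NAS only honours Tunnel-Private-Group-ID (81) when Tunnel-Type (64) is VLAN and Tunnel-Medium-Type (65) is IEEE-802. As an added example that is not part of either thread or of ACS itself, the code below picks a VLAN from the requesting NAS's subnet (standing in for an ACS Network Device Group) plus the user group, encodes the attributes with their RFC 2868 tag byte, and decodes them the way a switch or WLC would, including the tag-versus-data ambiguity of attribute 81. The NAS subnets, group names and VLAN values are assumptions.

```python
import ipaddress
import struct

# IETF RADIUS attribute numbers and values (RFC 2868 / RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6

# Assumed policy table (not from the thread): the NAS subnet stands in for the
# ACS Network Device Group (one per building); the group is the AD/ACS group.
BUILDING_VLANS = {
    ("10.1.0.0/24", "students"): "2903",
    ("10.1.0.0/24", "staff"):    "2905",
    ("10.2.0.0/24", "students"): "2913",
    ("10.2.0.0/24", "staff"):    "2915",
}


def choose_vlan(nas_ip, group):
    """Pick the VLAN for a user group from the NAS that sent the request."""
    nas = ipaddress.ip_address(nas_ip)
    for (net, grp), vlan in BUILDING_VLANS.items():
        if grp == group and nas in ipaddress.ip_network(net):
            return vlan
    return None


def _tagged_int(attr, value, tag):
    """RFC 2868 tagged integer: type, length=6, tag, 3-byte value."""
    if not 0 <= tag <= 0x1F or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 0..31, value must fit in 24 bits")
    return struct.pack(">BBB", attr, 6, tag) + value.to_bytes(3, "big")


def _tagged_str(attr, text, tag):
    """RFC 2868 tagged string: type, length, tag, ASCII data."""
    data = text.encode("ascii")
    if not 0 <= tag <= 0x1F or len(data) + 3 > 255:
        raise ValueError("tag must be 0..31, string too long")
    return struct.pack(">BBB", attr, 3 + len(data), tag) + data


def vlan_avps(vlan, tag=0):
    """The three attributes a switch/WLC needs: 64=VLAN, 65=802, 81=group id."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802, tag)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))


def parse_avps(blob):
    """Walk type/length/value attributes, rejecting malformed lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[i + 2:i + length]
        i += length


def vlan_from_accept(blob):
    """What a NAS does with an Access-Accept: honour attribute 81 only when
    64 says VLAN and 65 says IEEE-802; otherwise no dynamic VLAN."""
    tunnel_type = medium = group_id = None
    for atype, body in parse_avps(blob):
        if atype == TUNNEL_TYPE and len(body) == 4:
            tunnel_type = int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_MEDIUM_TYPE and len(body) == 4:
            medium = int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and body:
            # RFC 2868: a leading octet of 0x00..0x1F is a tag; anything larger
            # is the first byte of the VLAN name/number itself.
            text = body[1:] if body[0] <= 0x1F else body
            group_id = text.decode("ascii", errors="replace")
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE802:
        return group_id
    return None


def access_accept_attrs(nas_ip, group):
    """NAS address + group -> attribute bytes, or None when no VLAN applies."""
    vlan = choose_vlan(nas_ip, group)
    return None if vlan is None else vlan_avps(vlan)
```

    Attribute 81 may carry either a VLAN number or a VLAN name (the autonomous-AP `dot11 vlan-name` mapping in the WLC thread depends on the name form), so the decoder returns it as a string and leaves the name-to-ID resolution to the NAS.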

  • Map 300 different VLANs to a SSID?

    Hi Everyone,
    I've just come across a situation where the customer requires their 300 different VLANs (they have 300 stores across AU) to be mapped to the same SSID. I know this is doable by creating an interface group on the WLC that contains all 300 VLAN interfaces, then mapping the interface group to the SSID. However, is there a better way to do it? I mean I don't think creating 300 interfaces on the WLC is a good idea from a management point of view.
    Thank you in advance for your time and for sharing your wisdom.
    Regards,
    Nhan.

    Hi Nhan,
    This post is in the Small Business Forum; you need to address this in the Enterprise-level forum.
    Thank you.

  • Machine MAC authentication by ACS

    Hi,
    I have 1 AP 1240 & ACS 4.1 Solution Engine.
    I want to authenticate internal users by their MAC addresses (which are created in the ACS database) after selecting the appropriate SSID from the AP.
    Let me give you an idea of the setup & config:
    I have a DHCP server in the network from which users will get IP addresses.
    I have created 2 VLANs in the switch & made the port connected to the AP a "Trunk". VLAN 1 is the native VLAN (the AP & ACS are assigned IP addresses from the native VLAN range) & VLAN 2 is for internal users.
    Radio interfaces are mapped to the VLAN ID & the SSID is mapped to the VLAN as well in the AP.
    MAC addresses are configured in ACS (without any spaces, commas or special characters; the MAC addresses are entered manually in ACS to avoid the generation of any phantom characters).
    The problem is "users are not getting IP addresses from the DHCP pool created in the switch" after selecting the SSID.
    Please try to help me out with this...

    You can try disabling Aironet extensions & enabling the SSID as a guest-mode SSID. Also, try changing the data rates to enable. Otherwise, configure MAC authentication and disable the SSID as a guest-mode SSID.

  • 802.1x - ACS authentication issue.....

    I will attempt to explain the history of our wireless controller configurations as best I can.  We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance.  All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together.  The ACS is set up to map to AD for specific groups.
      In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to.  Three different interfaces have been defined, a general one for most users and two others( lets call them INT1 and INT2) that place users on separate ip networks.  The reason for this is those ip networks can reach certain services that are not allowed for general users.  ACS maps those users upon authentication to the Vlans associated with those separate ip networks.
    Problem 1.  When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate first and therefore execute the login script.
    Problem 2.  Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the vlans associated with their AD group mapping are not.  Upon further investigation it was discovered that the reason they are not is that the authentication is not correct.  When the computer first authenticates before the user logs on its shows in ACS as host/xxxxx.yyyy.org where the user authentication shows as xxxxx/username .  So some of the computers never change from authenticating as a host to a user and the ip address ends up in the wrong vlan.
    Please help.  I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.

    Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
      The topology that I know of is this.  Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPPs.  In the past ONLY user authentication was being used, which presented problems with Group Policies and login scripts executing.  Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?).  Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects.  Although now we are seeing users end up in the wrong VLANs, and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication), which drops them into the default VLAN instead of the VLAN which they should be in based upon AD group membership from ACS.
      I am very familiar with other wireless products and controllers such as Aruba.  In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication.  In the Aruba we used the windows supplicant.  I'd like to do the same with Cisco. 
      As far as I can tell, there is only a server side (ACS) certificate from Thwate that is used to authenticate.

  • 802.1x Machine and User Auth Vlan assignments

    I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
    Here is how it's working now:
    1. Machine authenticates to ACS and assigned to a Vlan
    2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
    So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
    So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

    By default users and computers belong to different global groups, "Domain Users" vs. "Domain Computers" for example.
    As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
    Note: A good way to troubleshoot this is to notice it in action via show command:
    Here's an example of what you should see on a switch port.
    AuthSM State = State of the 802.1X Authenticator PAE state machine
    VALUES:
    AUTHENTICATED -- Auth Succeeded
    AUTHENTICATING -- Auth is attempting
    CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
    HELD -- Auth probably failed.
    BendSM State = State of the 802.1X back-end authentication state machine
    VALUES:
    IDLE -- Nothing is happening.
    REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
    RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
    NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so in the middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
    Hope this helps,
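    The state-machine reading above lends itself to a small check run over two successive captures of the port status. As an added example that is not part of the reply or of any Cisco tool, the code below parses constructed output in the shape of the older IOS `show dot1x interface` display (the AuthSM State / BendSM State fields the reply names), maps each port to the meaning given above, and reports only the ports that sit in RESPONSE across both snapshots, which is the "more than a second" condition the reply calls the smoking gun. The sample output, interface names and snapshot timing are constructed for the demo.

```python
import re

# Constructed sample (not real switch output) in the shape of the older IOS
# "show dot1x interface" display: two snapshots about a second apart, so a
# port that sits in RESPONSE can be told from one that merely passed through.
SNAPSHOT_T0 = """\
Dot1x Info for interface FastEthernet0/1
AuthSM State      = AUTHENTICATED
BendSM State      = IDLE

Dot1x Info for interface FastEthernet0/2
AuthSM State      = AUTHENTICATING
BendSM State      = RESPONSE

Dot1x Info for interface FastEthernet0/3
AuthSM State      = AUTHENTICATING
BendSM State      = RESPONSE

Dot1x Info for interface FastEthernet0/4
AuthSM State      = HELD
BendSM State      = IDLE

Dot1x Info for interface FastEthernet0/5
AuthSM State      = CONNECTING
BendSM State      = IDLE
"""

SNAPSHOT_T1 = """\
Dot1x Info for interface FastEthernet0/1
AuthSM State      = AUTHENTICATED
BendSM State      = IDLE

Dot1x Info for interface FastEthernet0/2
AuthSM State      = AUTHENTICATED
BendSM State      = IDLE

Dot1x Info for interface FastEthernet0/3
AuthSM State      = AUTHENTICATING
BendSM State      = RESPONSE

Dot1x Info for interface FastEthernet0/4
AuthSM State      = HELD
BendSM State      = IDLE

Dot1x Info for interface FastEthernet0/5
AuthSM State      = CONNECTING
BendSM State      = IDLE
"""

HEADER = re.compile(r"^Dot1x Info for interface (\S+)")
FIELD = re.compile(r"^(.+?)\s*=\s*(\S+)")


def parse_dot1x(text):
    """Return {interface: {field name: value}} for one snapshot."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        m = FIELD.match(line)
        if m and current is not None:
            ports[current][m.group(1)] = m.group(2)
    return ports


def classify(fields):
    """Map the two state machines to the meanings the reply gives them."""
    auth = fields.get("AuthSM State")
    bend = fields.get("BendSM State")
    if auth == "AUTHENTICATED":
        return "ok"
    if auth == "HELD":
        return "auth-failed"
    if auth == "CONNECTING":
        return "no-supplicant-seen"
    if auth == "AUTHENTICATING" and bend == "RESPONSE":
        return "waiting-on-supplicant"
    if auth == "AUTHENTICATING" and bend == "REQUEST":
        return "waiting-on-aaa"
    return "unknown"


def summarize(text):
    """{interface: classification} for one snapshot."""
    return {port: classify(f) for port, f in parse_dot1x(text).items()}


def stuck_supplicants(text_t0, text_t1):
    """Ports in RESPONSE in both snapshots: the supplicant is not answering,
    as opposed to a port that was only passing through RESPONSE at t0."""
    a, b = summarize(text_t0), summarize(text_t1)
    return sorted(p for p in a
                  if a[p] == "waiting-on-supplicant"
                  and b.get(p) == "waiting-on-supplicant")
```

    A port that flips from waiting-on-supplicant to ok between the two captures (FastEthernet0/2 here) is healthy; one that stays there (FastEthernet0/3) is the candidate for the supplicant-side investigation the reply recommends, and a HELD port is a genuine authentication failure to look up in the ACS failed-attempts log instead.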

  • Puzzling SSID/VLAN behavior

    AP: 1131 12.3(7)JA3
    Four VLANS, three mapped to SSIDs all on B/G radio only, A radio shutdown.
    170 native, no SSID
    110 guest internet only SSID w/DHCP from BBSM. Open Auth
    180 secure intranet SSID w/DHCP. WPA2
    810 another secure separate intranet SSID, no DHCP. Client IPs managed manually. WPA2
    This is the first time I've tried setting up an SSID to a VLAN with no DHCP.
    When users connect to the 810 SSID, "show dot11 assoc all" shows them connected to vlan 180, not 810.
    This happens both when they use static IP assignments and DHCP.
    When I remove vlan/SSID 180 from the B/G radio and move it to the A radio, 810 users show up on vlan 810 as they should.
    FWIW, VLAN 810 gets mapped to bridge group 255, unlike all the other SSIDs which get mapped to bridge groups of the same number, e.g. vlan 180 - bridge-group 180.
    Anybody seen this or have any idea why this happens?
    Thanks,
    Mark

    >When you see clients associated to the 180 SSID even though they connect to 810, do they actually go in VLAN 180 or VLAN 810 (based on their IP address)? Are they able to communicate on through this connection?
    The clients are configured to go onto the vlan 810 SSID. In "show dot11 assoc all" they show up on vlan 180. When the client is configured for DHCP it gets a vlan 180 IP.
    When the IP is configured manually it has a vlan 810 IP but still shows up as associated to vlan 180. They are able to communicate somewhat with either IP.
    >How similar are your security settings on the two SSIDs, 180 and 810?
    Identical. Authentication is handled by ACS which queries AD. There may be a vlan setting in the ACS group mapping influencing this too. I need to dig into that further too.
    >which is the BSSID?
    BSSID is probably 180, as that's our standard internal SSID and I configured it first.
    >Are you using MBSSID?
    I have not configured MBSSID and have been wondering if I need to. I don't know enough about how it works yet. I don't want either of these SSIDs broadcast.
    Good questions.
    Thanks,
    Mark

  • Scale 802.1X ACS in High Security Mode: any ideas?

    Scenario
    Platform ACS V 5.1.0.44
    Switch 4510R with 8 48 port modules (384 ports)
    802.1x authentication of the ports in High Security Mode (VLAN assignments required)
    Authentication Method Cert based eap-tls to machine
    we currently have 4 Data Vlans that users and assets drop into on this switch
    How do I scale this, as I can't differentiate the cert to distribute the users across the 4 VLANs in ACS?
    I think I can use unique identity groups for the MAB of assets, but the users have me really scratching my head.

    Looks like a switching group has been looking at this as a possible answer for the stack switches, but I can't configure VLAN groups on 4510s
    and there's no config guide on how to apply it in ACS 5.1 (use attribute 81 like we do for VLAN assignment?)
    12.2(52)SE
    IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, assigned by RADIUS server.
    12.2(52)SE
    3750-E, 3560-E
    But then you get bit with even using VLAN assignments on large stacks
    •When IEEE 802.1x authentication with VLAN assignment is enabled, a CPUHOG message might appear if the switch is authenticating supplicants in a switch stack.
    The workaround is not use the VLAN assignment option. (CSCse22791)

  • ACE: 4710 Policy-Map NAT

    Greets. I have a scenario where the rservers are located on two different VLAN's in One Arm Mode.
    My question is, am I able to assign two different NAT commands in my policy map (as written below)? Will the NAT command only kick off for the selected rservers vlan?
    policy-map multi-match PM_Loadbalance
      class VIP_Farm
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 7 vlan 7
        nat dynamic 741 vlan 741
    Thanks,
    -b

    Hello Brian-
    You can apply 2 different NAT statements, yes.
    The way it works:
    1.)  A client sends a SYN into a vlan where the vip is applied as a service-policy input.
    2.) The ACE matches the SYN to the class in question, the loadbalance policy is checked, and eventually a server in the associated serverfarm is chosen.
    3.) ACE prepares to forward the SYN out of the appropriate VLAN based on the route table.
    4.) Before the packet leaves, if the packet will egress either vlan 7 or 741, the packet would be source NATted by the group number mentioned in the statement.  This occurs because the "vlan 7" and "vlan 741" in the NAT statements under the class are filters. If the destination matches either vlan, then the nat group for that statement is used.
    i.e.
    rserver host server_1
      ip address 10.0.0.10
      inservice
    rserver host server_2
      ip address 172.16.35.60
      inservice
    serverfarm host SF_1
      rserver server_1
        inservice
      rserver server_2
        inservice
    class-map match-any VIP_80
      2 match virtual-address 172.16.35.80 tcp eq 80
    policy-map type loadbalance first-match LB
      class class-default
        serverfarm SF_1
    policy-map multi-match X
      class VIP_80
        loadbalance policy LB
        loadbalance vip inservice
        nat dynamic 5 vlan 7
        nat dynamic 7 vlan 741
    interface vlan 7
      ip address 172.16.35.2 255.255.255.0
      nat-pool 5 172.16.35.100 172.16.35.100 netmask 255.255.255.0 pat
      service-policy input X
    interface vlan 741
      ip address 10.0.0.2 255.255.255.0
      nat-pool 7 10.0.0.100 10.0.0.100 netmask 255.255.255.0 pat
      service-policy input X
    If a packet comes into either vlan destined to 172.16.35.80 on port 80, it will be balanced to either 10.0.0.10 or 172.16.35.60.  If 10.0.0.10 was chosen, then natpool 7 under vlan 741 would be used because 10.0.0.10 is layer 2 adjacent to vlan 741.  If 172.16.35.60 was chosen, then natpool 5 would be chosen because that server is layer 2 adjacent to vlan 7.
    Regards,
    Chris Higgins
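    The four steps in the reply can be traced mechanically. As an added example that is not part of the reply or of ACE itself, the code below models the quoted configuration (the two interface VLANs with their subnets and NAT pools, the serverfarm, and the `nat dynamic <group> vlan <id>` filters under the class), resolves each rserver to its egress VLAN by a connected-route lookup, applies the matching NAT group, and audits the farm for members that would leave the ACE un-NATted. The subnets, pool addresses and rserver IPs are those quoted in the reply; the round-robin predictor and the client address are assumptions.

```python
import ipaddress

# Model of the configuration quoted in the reply (subnets, pool addresses and
# rserver IPs are from the post); the round-robin predictor is an assumption.
INTERFACES = {
    7:   {"subnet": "172.16.35.0/24", "nat_pools": {5: "172.16.35.100"}},
    741: {"subnet": "10.0.0.0/24",    "nat_pools": {7: "10.0.0.100"}},
}
# "nat dynamic 5 vlan 7" / "nat dynamic 7 vlan 741" under class VIP_80:
# egress VLAN -> NAT group. The vlan keyword is a filter, not a destination.
NAT_FILTERS = {7: 5, 741: 7}
SERVERFARM_SF_1 = ["10.0.0.10", "172.16.35.60"]


def egress_vlan(ip, interfaces=INTERFACES):
    """Connected-route lookup: the interface whose subnet contains ip
    (longest prefix wins); None if the server is not layer-2 adjacent."""
    addr = ipaddress.ip_address(ip)
    best = None
    for vlan, cfg in interfaces.items():
        net = ipaddress.ip_network(cfg["subnet"])
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (vlan, net.prefixlen)
    return None if best is None else best[0]


def select_nat(rserver_ip, filters=NAT_FILTERS, interfaces=INTERFACES):
    """Step 4 of the reply: (egress vlan, nat group, pool ip).
    nat group None means the class has no filter for that VLAN, so the
    client source address is left untouched."""
    vlan = egress_vlan(rserver_ip, interfaces)
    if vlan is None:
        raise ValueError("no connected route to " + rserver_ip)
    group = filters.get(vlan)
    if group is None:
        return vlan, None, None
    pool = interfaces[vlan]["nat_pools"].get(group)
    if pool is None:
        raise ValueError("nat dynamic %d vlan %d has no nat-pool %d"
                         % (group, vlan, group))
    return vlan, group, pool


def trace_connection(client_ip, conn_no, farm=SERVERFARM_SF_1,
                     filters=NAT_FILTERS):
    """Steps 1-4 for one SYN; conn_no drives the assumed round-robin choice."""
    rserver = farm[conn_no % len(farm)]
    vlan, group, pool = select_nat(rserver, filters)
    return {"rserver": rserver, "egress_vlan": vlan, "nat_group": group,
            "source": pool if pool is not None else client_ip}


def unnatted_rservers(farm=SERVERFARM_SF_1, filters=NAT_FILTERS):
    """Audit: farm members whose egress VLAN has no nat filter. In one-arm
    mode their replies go straight back to the client, bypassing the ACE."""
    return [ip for ip in farm if select_nat(ip, filters)[1] is None]
```

    The audit is the part worth keeping: in one-arm mode every rserver VLAN needs a `nat dynamic` line under the class, and a server added to a third VLAN later would silently break the return path rather than fail loudly.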
