https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681808#M232550 <HTML><HEAD></HEAD><BODY><P>Looks like we need some clarity from the scenario, based on the&nbsp; command which is now considered as the "guest vlan" authentication event no response authorize vlan xxx, the acs (assuming a true guest vlan scenario and that mab is disabled) is no longer in the picture and&nbsp; the port authorizes the client based on this command.</P><P></P><P>I agree Nicolas we need to see exactly the issue is,&nbsp; but I am sure we can both agree that there will be some additonal access&nbsp; policies to configure since there are different guest vlans based on&nbsp; which switches the clients are coming in from.</P><P></P><P>thanks,</P></BODY></HTML> Mon, 18 Jul 2011 08:20:51 GMT Tarik Admani 2011-07-18T08:20:51Z https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681805#M232547 <P>Hi,</P><P></P><P>is it possible to set the dot1x guest-vlan on a Catalyst Switch via ACS 5.2 dynamicly.</P><P></P><P>I want to make MAB with known Devices (FAT-Clients, Notebooks,&nbsp; Desktops, Printers) and unknown Devices.</P><P>I will set the VLAN dynamicly with dot1x per ACS. For known FAT-Clients, Notebooks etc. it's running well.</P><P></P><P>But for Printers it's more difficult because I have about 500 Printers in several IP-Segments on several Switches</P><P>and I will not make to much Rules in ACS for Grouping, Mapping and Authority-Rules.</P><P></P><P>My Idea is to set the Guest-VLAN on every Switch, read them with ACS and use this for my Printers.</P><P></P><P>The Problem is that Guest-VLAN is set on more than 100 Switch and this guest-vlan is different on any Switch.</P><P></P><P>Can I read the Geust-VLAN Value so that I can set this via ACS ?</P><P></P><P>Thanks for Answers.</P> Mon, 11 Mar 2019 01:13:23 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681805#M232547 biss-team 2019-03-11T01:13:23Z https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681806#M232548 <HTML><HEAD></HEAD><BODY><P>There is no way to dynamically assign a guest vlan from the ACS server, what version of ios do most of your switches run?</P></BODY></HTML> Sat, 16 Jul 2011 23:46:06 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681806#M232548 Tarik Admani 2011-07-16T23:46:06Z https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681807#M232549 <HTML><HEAD></HEAD><BODY><P>Going a bit against Tarik here but I'm not sure to understand you fully.</P><P>If you have known devices, i.e. their mac addresses are in ACS, this is not guest vlan. This is MAB with dynamic vlan assignment. This is an easy task to do on ACS.</P><P></P><P>If your point is that when ACS doesn't know a device it returns a specific vlan depending on given conditions. It can be possible if you are creative.</P><P>You can set your identity store options to still an "accept" even if the user was not found. From there you can assign a vlan dynamically. But it's technically not a guest vlan. You just grant access to MAB to unknown devices and give them a vlan.</P></BODY></HTML> Sun, 17 Jul 2011 08:17:53 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681807#M232549 Nicolas Darchis 2011-07-17T08:17:53Z https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681808#M232550 <HTML><HEAD></HEAD><BODY><P>Looks like we need some clarity from the scenario, based on the&nbsp; command which is now considered as the "guest vlan" authentication event no response authorize vlan xxx, the acs (assuming a true guest vlan scenario and that mab is disabled) is no longer in the picture and&nbsp; the port authorizes the client based on this command.</P><P></P><P>I agree Nicolas we need to see exactly the issue is,&nbsp; but I am sure we can both agree that there will be some additonal access&nbsp; policies to configure since there are different guest vlans based on&nbsp; which switches the clients are coming in from.</P><P></P><P>thanks,</P></BODY></HTML> Mon, 18 Jul 2011 08:20:51 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681808#M232550 Tarik Admani 2011-07-18T08:20:51Z https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681809#M232551 <HTML><HEAD></HEAD><BODY><P>Thanks for Answers.</P><P>My only Solution is to configure any Switch in his own NDG. Than I can set a VLAN per NDG and my Problem is solved.</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 25 Jul 2011 09:20:51 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-authentication-mab-and-set-the-guest-vlan/m-p/1681809#M232551 biss-team 2011-07-25T09:20:51Z