topic Cisco ACS 5.3 Newbie in Network Access Control

Cisco ACS 5.3 Newbie

cisco-cit — Mon, 11 Mar 2019 02:03:17 GMT

Hi Guys,

I am looking at setting up a Cisco ACS 5.3 for MAC address based VLANs on a 2960 switch.

as anyone done this before? Basiacally what I want is

1. Have a list of devices specified in the ACS with their MAC address

2. Connect the swicth to the ACS

3. When a device is plugged in, the swicth should check with the ACS onto whcih VLAN the host should be on,

Thanks.

Cisco ACS 5.3 Newbie

Eduardo Aliaga — Sun, 13 May 2012 03:19:08 GMT

I guess that step 2 should say "connect the host to the switch".

Please could you be more specific on what you're trying to achieve ?

Cisco ACS 5.3 Newbie

cisco-cit — Sun, 13 May 2012 23:30:54 GMT

Hi,

Effectively what I want is to have a list of known device(laptops/desktops) mac addresses stored on the ACS.

When a device is connected to a switch it should talk to the ACS and check if the mac address is known. The ACS should also tell the switch which VLAN to put it into.

Does this make sense?

I am not sure how to make the switch talk to ACS when a device is plugged into a port.

Re: Cisco ACS 5.3 Newbie

Eduardo Aliaga — Tue, 15 May 2012 02:08:39 GMT

In ACS you should configure to authenticate using "Internal Hosts" (which is the mac address database) and to authorize by using "authentication profiles" (this is where you configure what VLAN to use)

If you are starting I will recommend you to test only authentication. Then if everything is all right you can add the authorization.

ON the switch side you will need to configure something like this


aaa new-model radius-server host x.x.x.x key PASSWORD radius-server vsa send authentication aaa group server radius ACS server x.x.x.x ! ! aaa authentication dot1x default group ACS aaa authorization network default group ACS aaa accounting dot1x default start-stop group ACS interface GigabitEthernetX/X mab authentication order mab authentication port-control auto dot1x pae authenticator

aaa new-model

radius-server host x.x.x.x key PASSWORD
radius-server vsa send authentication

aaa group server radius ACS
server x.x.x.x
!
!
aaa authentication dot1x default group ACS
aaa authorization network default group ACS
aaa accounting dot1x default start-stop group ACS

interface GigabitEthernetX/X
mab
authentication order mab
authentication port-control auto
dot1x pae authenticator

Please rate if it helps

Cisco ACS 5.3 Newbie

cisco-cit — Tue, 15 May 2012 02:12:57 GMT

Thanks,

I cant see what youhave posted about the switch though.

Re: Cisco ACS 5.3 Newbie

cisco-cit — Fri, 25 May 2012 05:02:36 GMT

Thanks Mate,

Looking at the switch I dont apper to have the mab command in interfaces..

It comes up on some other switches though.

I have also not been able to see where to link " authentication profiles" to "hosts"

Re: Cisco ACS 5.3 Newbie

cisco-cit — Fri, 01 Jun 2012 00:54:01 GMT

Ok got it working to a certain extent.

I have internal hosts and I have managed to get them to get network access with an Authorization Profile which gives them access and puts them in a VLAN

Next question is how can I get different host groups to use different Authorization profiles?

Re: Cisco ACS 5.3 Newbie

cisco-cit — Fri, 01 Jun 2012 00:54:25 GMT

Ok got it working to a certain extent.

I have internal hosts and I have managed to get them to get network access with an Authorization Profile which gives them access and puts them in a VLAN

Next question is how can I get different host groups to use different Authorization profiles?