topic Re: Dynamic VLAN assignment for wired and wireless connections in Network Access Control

Dynamic VLAN assignment for wired and wireless connections

etamminga — Sun, 10 Mar 2019 21:10:04 GMT

Hi,

I've setup our Cisco ACS 3.3 appliance to authenticate users connecting via wireless and wired connections (802.1x). I've succesfully managed the above but now would like to assign authenticated users to a specific VLAN.

Can I setup ACS to assign different VLAN-ids based on the AAA-client used?

We've got roaming users connecting to the network at multiple locations.

On location A I would like wired users to be assigned to VLAN 100 and wireless users to VLAN 101.

On location B I would like wired users to be assigned VLAN 50 and 51 for wired and wireless connections.

Is the above possible? So far I've only been able to specify one VLAN per user / group.

Re: Dynamic VLAN assignment for wired and wireless connections

ecarrasquillo — Tue, 06 Sep 2005 14:23:08 GMT

Are you using radius as the authentication, if you are, you can setup the attributes under the user to specify the VLAN you want them to be assigned to.

Re: Dynamic VLAN assignment for wired and wireless connections

etamminga — Tue, 06 Sep 2005 15:01:41 GMT

Yes we're useing Radius authentication. I know I can assign the user a VLAN. But what I actually want is to assign the user different VLAN-ids based on the location they're requesting access from.

So wireless users get vlan 101 (for example) and wired users get vlan 102.

Erik

Re: Dynamic VLAN assignment for wired and wireless connections

alessandro.dona — Thu, 07 Jan 2010 16:49:03 GMT

Hi Erik,

did you solved your problems?

I have the same issue aand i would like to know if it is possible or not assign VLAN-ID based on AAA client type.

Regards,

Alessandro.

Re: Dynamic VLAN assignment for wired and wireless connections

etamminga — Fri, 08 Jan 2010 08:20:29 GMT

Hi Alessandro,

We gave up on this with ACS 3.3.

The newer ACSes have more options with policies but I finally reverted to using IAS/NPS on which this is a simple task.

Regards,

Erik

Re: Dynamic VLAN assignment for wired and wireless connections

alessandro.dona — Fri, 08 Jan 2010 08:39:52 GMT

thx

Re: Dynamic VLAN assignment for wired and wireless connections

Kent Heide — Fri, 08 Jan 2010 22:39:58 GMT

It's easy. Under group settings the last three attributes (given you have enabled them globally) are;

Tunnel-Type (Should be set to VLAN)

Tunnel-Medium-Type (Should be set to 802)

Tunnel-Private-Group-ID (Your vlan id you wish to assign)

Keep in mind you need to enable these settings first under Interface Configuration so they will show up under group settings.

After you set up the local groups and map them to wlans. You can via External Databases -> Database Group Mappings map the local groups to Active Directory groups.

Voila.. dynamic vlan assigment.

Re: Dynamic VLAN assignment for wired and wireless connections

etamminga — Mon, 11 Jan 2010 09:51:58 GMT

Hi Kent,

You are correct when only one vlan-id has to be defined per user in the entire enterprise.

My question started with asking for multiple vlan-id's, assigned based on access-device (switch/ap/vpn/...). Your solution is not a solution for such an environment. A user can only be a member of one group, and there is no relation between access-devices and users in 3.3.

Regards,

Erik

Re: Dynamic VLAN assignment for wired and wireless connections

leonardo.fell — Thu, 26 May 2011 21:08:40 GMT

Alessandro and Erik,

I'm into the same situation.

Could you guys explain me exactly what you have done to solve this problem?

Best regards!

Leonardo

Re: Dynamic VLAN assignment for wired and wireless connections

leonardofell — Thu, 26 May 2011 21:17:07 GMT

test

Re: Dynamic VLAN assignment for wired and wireless connections

alessandro.dona — Fri, 27 May 2011 07:07:53 GMT

Hi leonard,

main step are for wireless are(using controller+radius):

1 Use 802.1x as auth method for you wlan

2 On controller select the option AAA Override (Advamced TAB under WLAN)

3 Configure your radius (and cliente) to pass to controller tunnel type you need

You have to do the most on your Radius but there are good docs about "how to implement" Dynamic vlam assignment using ACS or IAS

Regards

Re: Dynamic VLAN assignment for wired and wireless connections

leonardo.fell — Fri, 27 May 2011 17:07:04 GMT

Thanks foy your reply.

I already have a wired 802.1x implemented in my network using freeradius as RADIUS server.

I'd like to use a different vlan on the wireless 802.1x.

Example: A user has the "TunnelPrivateGroupe=2" atribute . It means he will join the vlan with ID 2 when authenticated. On the wired it works properly, but I dont want to open this vlan (2) on my wireless network. I'd like to use another vlan to this user.

Regards!!