topic ACS 4.2 MAC authentication and dynamic vlan assignment in Wireless

ACS 4.2 MAC authentication and dynamic vlan assignment

codflanglers — Mon, 05 Jul 2021 10:39:07 GMT

Is this possible to do with ACS 4.2? Is there a suitable document on this? There is no access to NAC.

yes it's very so much quite

ali aqrabawi — Tue, 28 Jul 2015 18:49:02 GMT

yes it's very so much quite possible ,

++see below Doc :

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/configuration/guide/acs42_config_guide/nac_conf.html

read "Configure Radius Authorization Components"

these are the three attributes need to be configured for vlan ID override :

•Tunnel-Type (attribute 64)—Specifies the type of tunnel that is set up for the user to connect. In the sample RACs, this value is set to type 10, VLAN, which indicates that the user is granted access to a VLAN that is configured on the switch.

•Tunnel-Medium-Type (attribute 65)—Indicates which protocol to use over the tunnel. In the sample RACs, this is set to type 6, which specifies an 802 protocol. In the NAC/NAP environment, this is the 802.1x protocol.

•Tunnel-Private-Group-ID (attribute 81)—Indicates the group ID for the VLAN tunnel. In the sample RAC, this is set to Quarantine, which denotes a quarantine VLAN to which devices are assigned. In actual practice, you should set this value to a value that is configured on the switch.

+++on the WLC enable MAC filtering and aaa override on the WLAN,

++add the MAC address on the radius server as username and password ,

Please refer to the below

sobhardw — Tue, 28 Jul 2015 22:08:12 GMT

Please refer to the below link :

http://www.cisco.com/c/en/us/support/security/secure-acs-4-2-windows/model.html#~tab-documents

Many hosts that ACS

mohanak — Tue, 04 Aug 2015 09:43:15 GMT

Many hosts that ACS authenticates run agent software that requests access to network resources and receives authorization from ACS. However, some hosts do not run agent software. For example:

•Many 802.1x port security deployments authenticate hosts that do not have appropriate security agent software, such as Cisco Trust Agent.

•When an agentless host is connected to a Layer 2 device and an Extensible Authentication Protocol over User Datagram Protocol timeout (EoU timeout) occurs, in-band posture validation cannot occur.

ACS solves this problem by using the MAC address of the host device to identify and authenticate the host. This technique is called MAC authentication bypass (MAB).

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/configuration/guide/acs42_config_guide/noagent.html#wp1010943

Configure ACS for Dynamic

Prakash Parvathala — Tue, 04 Aug 2015 13:29:23 GMT

Configure ACS for Dynamic VLAN Assignment

Dynamic VLAN assignment is one feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as Cisco Secure ACS. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

Please refer the below link for the complete configuration guide .

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99121-vlan-acs-ad-config.html