02-23-2010 11:56 AM - edited 03-10-2019 04:58 PM
Hello,
User1 logs on to the switch; he belongs to AD group Domain_user and gets mapped to ACS Group1, which sends the RADIUS attribute to change the VLAN. That part works great.
My problem is when the same user connects with his wifi card... he is still part of the Domain_user group and still gets mapped to Group1 on ACS, but now the RADIUS values are wrong for the wireless.
Wired production VLAN = 20
Wireless prod VLAN = 120
What I want to do is something like:
ADGroupX+Connect_type = ACS group1
ADGroupX+Connect_type2 = ACS group2
I tried using a connection profile, but the group mappings are not made at this level. The same goes for NAR: my user should be able to log on as a wired or wireless user and get the proper VLAN, not get restricted by the NAR.
One other avenue would be to set up a wireless user/password on the internal database and add it to the proper ACS group, but that involves password management, and not all 802 clients support password auth (without user intervention).
Any idea?
02-24-2010 03:02 AM
Hi.... this scenario is exactly what Network Access Profiles (NAP) are designed to address. Essentially, NAP allows you to create a complete configuration on a per-network service basis.
So, ACS by default is a single NAP system (well, I guess 2 if you include RADIUS and TACACS), where regardless of network service all RADIUS users would be assumed to be using a single device type. NAP allows you to configure, per service, the authentication protocol, group mappings and authorisations.
The first part of NAP requires you to differentiate the authentication requests for each network service. This could be as easy as using the AAA client IP address or NDG. If that's not possible, you can start looking at attributes in the RADIUS request to find attribute values that are unique to the WLAN or switch.
Assuming you've managed to do that, it's a matter of setting up the authentication and authorisation policies - but the key thing is that you'll be able to send totally different sets of RADIUS attributes back to the device for the same user.
The UI can take a bit of getting used to, so read the online docs and stick with it!
www.extraxi.com for all your ACS reporting needs
02-24-2010 10:19 AM
Thx for the quick reply.
That's what I was testing last night; in my mind I HAD to use domain groups...
What I did is (in case someone wants to know):
- Created 2 NDG (one for wired and one for wireless devices)
- Created 2 NAF (Network Access Filtering)
- Created 1 RAC (RADIUS Authorization Component)
- Created 2 NAP (Network Access Profiles)
- In the NAP definition I added the filter created before
- Inside the NAP, at the authorization rules level, I added the RAC created before
Works great.
Wired users are getting the VLAN through the RADIUS attributes and wireless users are getting the right VLAN config.
I added a guest VLAN on my 2940 and am also using the MAB feature.
Thx again
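The NAP mechanism described in the answer above, and the NDG / NAF / RAC / NAP steps listed in this reply, as an added Python example that is not from the thread and is not Cisco ACS code: it models profile selection by the AAA client's NDG and per-profile authorization that returns different dynamic-VLAN attributes for the same user and AD group. The NDG names, NAS address ranges, AD group name and RAC names are assumed values; the RADIUS attribute numbers and enumerations (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) are the RFC 2868 / RFC 3580 values switches and controllers expect for VLAN assignment.

```python
"""Added example: a small model of ACS-style Network Access Profile (NAP)
selection followed by per-profile RADIUS authorization.
Not Cisco ACS code; NDG names, NAS ranges, group and RAC names are constructed."""

from dataclasses import dataclass
import ipaddress

# RFC 2868 / RFC 3580 values used for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type (attribute 64) = VLAN
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type (attribute 65) = IEEE-802

# Network Device Groups: which AAA clients count as wired vs wireless.
# (constructed address ranges)
NDG_MEMBERS = {
    "wired-switches": [ipaddress.ip_network("10.0.1.0/24")],
    "wireless-wlcs": [ipaddress.ip_network("10.0.2.0/24")],
}


def vlan_rac(vlan_id):
    """A RAC: the bundle of RADIUS attributes returned on Access-Accept."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


# One RAC per production VLAN from the thread (wired 20, wireless 120).
RACS = {
    "RAC-wired-prod": vlan_rac(20),
    "RAC-wireless-prod": vlan_rac(120),
}


@dataclass
class NetworkAccessProfile:
    name: str
    naf_ndg: str        # the NAF here is simply "AAA client is in this NDG"
    authz_rules: dict   # AD group -> RAC name


# Profiles are evaluated in order; the first one whose filter matches wins.
NAPS = [
    NetworkAccessProfile("NAP-wired", "wired-switches",
                         {"Domain_user": "RAC-wired-prod"}),
    NetworkAccessProfile("NAP-wireless", "wireless-wlcs",
                         {"Domain_user": "RAC-wireless-prod"}),
]


def ndg_for_client(nas_ip):
    """Resolve the AAA client (NAS-IP-Address) to its NDG, or None."""
    addr = ipaddress.ip_address(nas_ip)
    for ndg, networks in NDG_MEMBERS.items():
        if any(addr in net for net in networks):
            return ndg
    return None


def authorize(nas_ip, username, ad_groups):
    """Return ("Access-Accept", attributes) or ("Access-Reject", reason).

    The same user with the same AD groups gets a different RAC depending
    only on which NDG the requesting device belongs to. Anything that does
    not match a profile or a rule is rejected rather than given a default."""
    ndg = ndg_for_client(nas_ip)
    if ndg is None:
        return "Access-Reject", f"NAS {nas_ip} is not in any NDG"
    nap = next((p for p in NAPS if p.naf_ndg == ndg), None)
    if nap is None:
        return "Access-Reject", f"no NAP matches NDG {ndg}"
    for group in ad_groups:
        rac_name = nap.authz_rules.get(group)
        if rac_name:
            return "Access-Accept", dict(RACS[rac_name])
    return "Access-Reject", f"{username}: no authorization rule in {nap.name}"


if __name__ == "__main__":
    # Same user, same AD group, two access methods (constructed requests).
    for nas in ("10.0.1.5", "10.0.2.5", "192.0.2.9"):
        print(nas, authorize(nas, "user1", ["Domain_user"]))
```

The wired request ends up with Tunnel-Private-Group-ID "20" and the wireless one with "120", which is exactly the "ADGroupX + connection type" split the question asks for; a request from a device outside both NDGs is rejected, which is the behaviour to keep so that an unmanaged NAS cannot obtain a production VLAN by default.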