ACS 5.1 Authentication, MAB and set the Guest-VLAN

biss-team
Level 1

Hi,

Is it possible to set the dot1x guest VLAN on a Catalyst switch via ACS 5.2 dynamically?

I want to do MAB with known devices (fat clients, notebooks, desktops, printers) and unknown devices.

I set the VLAN dynamically with dot1x via ACS. For known fat clients, notebooks etc. it's running well.

But for printers it's more difficult because I have about 500 printers in several IP segments on several switches

and I do not want to create too many rules in ACS for grouping, mapping and authorization rules.

My idea is to set the guest VLAN on every switch, read it with ACS and use this for my printers.

The problem is that the guest VLAN is set on more than 100 switches and this guest VLAN is different on every switch.

Can I read the guest VLAN value so that I can set this via ACS?

Thanks for Answers.

4 Replies

Tarik Admani
VIP Alumni

There is no way to dynamically assign a guest VLAN from the ACS server. What version of IOS do most of your switches run?

Nicolas Darchis
Cisco Employee

Going a bit against Tarik here, but I'm not sure I understand you fully.

If you have known devices, i.e. their MAC addresses are in ACS, this is not guest VLAN. This is MAB with dynamic VLAN assignment. This is an easy task to do on ACS.

If your point is that when ACS doesn't know a device it returns a specific VLAN depending on given conditions, it can be possible if you are creative.

You can set your identity store options to still return an "accept" even if the user was not found. From there you can assign a VLAN dynamically. But it's technically not a guest VLAN. You just grant MAB access to unknown devices and give them a VLAN.

Looks like we need some clarity on the scenario. Based on the command which is now considered as the "guest vlan", authentication event no response authorize vlan xxx, the ACS (assuming a true guest VLAN scenario and that MAB is disabled) is no longer in the picture and the port authorizes the client based on this command.

I agree Nicolas, we need to see exactly what the issue is, but I am sure we can both agree that there will be some additional access policies to configure since there are different guest VLANs based on which switches the clients are coming in from.

thanks,
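To make the distinction drawn in the replies concrete, here is an added example (not configuration posted by anyone in this thread) of a Catalyst access port running MAB with dynamic VLAN assignment from ACS, together with the locally configured no-response fallback that IOS calls the guest VLAN. The interface name, RADIUS server address, key and all VLAN numbers are placeholders; the RADIUS attribute names and numbers are the standard IETF ones a Cisco switch expects for VLAN assignment.

```cisco
! Added example: MAB + dynamic VLAN from ACS, with a local guest-VLAN fallback.
! 192.0.2.10, the key, Gi1/0/1 and VLANs 10/20/900 are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! Try MAB first (printers have no supplicant), then 802.1X
 authentication order mab dot1x
 authentication priority dot1x mab
 ! Local fallback: used only when no EAPOL response ever arrives and MAB did
 ! not authorize the port. ACS is not consulted for this decision.
 authentication event no-response action authorize vlan 900
 ! If ACS rejects the MAB request, fall through to the next method
 authentication event fail action next-method
 mab
 dot1x pae authenticator
!
! For ACS to place the endpoint in a VLAN (the path that can be keyed on
! conditions such as the switch's NDG), the Access-Accept must carry:
!   Tunnel-Type             (64) = VLAN (13)
!   Tunnel-Medium-Type      (65) = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = 20        (VLAN ID or VLAN name)
!
! Verification on the switch after a printer connects:
!   show authentication sessions interface GigabitEthernet1/0/1
!   (Method "mab", Status "Authz Success", Vlan Policy "20" means ACS chose
!    the VLAN; "Authz Success" with Vlan Policy "N/A" on VLAN 900 means the
!    local no-response fallback fired and ACS was not involved.)
```

The point this shows is the one made above: the value after "authorize vlan" lives on each switch and is never sent to ACS, so the server cannot read it. If the server is to decide the VLAN, that decision has to be expressed as attributes in the Access-Accept, which is why per-switch differences end up as authorization policy on the ACS side rather than in the switch's guest VLAN.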

Thanks for Answers.

My only solution is to configure every switch in its own NDG. Then I can set a VLAN per NDG and my problem is solved.

Thanks.