07-14-2011 05:59 AM - edited 03-10-2019 06:13 PM
Hi,
Is it possible to set the dot1x guest VLAN on a Catalyst switch via ACS 5.2 dynamically?
I want to do MAB with known devices (FAT clients, notebooks, desktops, printers) and unknown devices.
I will set the VLAN dynamically with dot1x per ACS. For known FAT clients, notebooks etc. it's running well.
But for printers it's more difficult because I have about 500 printers in several IP segments on several switches,
and I don't want to make too many rules in ACS for grouping, mapping and authorization rules.
My idea is to set the guest VLAN on every switch, read it with ACS and use this for my printers.
The problem is that the guest VLAN is set on more than 100 switches and this guest VLAN is different on every switch.
Can I read the guest VLAN value so that I can set this via ACS?
Thanks for answers.
07-16-2011 04:46 PM
There is no way to dynamically assign a guest VLAN from the ACS server. What version of IOS do most of your switches run?
07-17-2011 01:17 AM
Going a bit against Tarik here, but I'm not sure I understand you fully.
If you have known devices, i.e. their MAC addresses are in ACS, this is not a guest VLAN. This is MAB with dynamic VLAN assignment. This is an easy task to do on ACS.
If your point is that when ACS doesn't know a device it returns a specific VLAN depending on given conditions, it can be possible if you are creative.
You can set your identity store options to still send an "accept" even if the user was not found. From there you can assign a VLAN dynamically. But it's technically not a guest VLAN. You just grant MAB access to unknown devices and give them a VLAN.
07-18-2011 01:20 AM
Looks like we need some clarity on the scenario. Based on the command which is now considered as the "guest vlan", authentication event no-response action authorize vlan xxx, the ACS (assuming a true guest VLAN scenario and that MAB is disabled) is no longer in the picture and the port authorizes the client based on this command.
I agree Nicolas, we need to see exactly what the issue is, but I am sure we can both agree that there will be some additional access policies to configure since there are different guest VLANs based on which switches the clients are coming in from.
thanks,
07-25-2011 02:20 AM
Thanks for Answers.
My only solution is to configure each switch in its own NDG. Then I can set a VLAN per NDG and my problem is solved.
Thanks.
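As an added illustration (not from any post in this thread), the switch-side port configuration the replies describe, with the standard RADIUS attributes ACS has to return to assign a VLAN dynamically, and the per-NDG mapping the original poster settled on. Interface, VLAN ids and NDG names are constructed placeholders.

```cisco
! Added example, not from the thread. Interface, VLAN ids and NDG
! names below are constructed placeholders.
!
! --- Catalyst access port (IOS 12.2(50)SE or later "authentication" syntax) ---
interface GigabitEthernet1/0/10
 switchport mode access
 ! Try MAB first so printers without a supplicant are checked by ACS,
 ! then 802.1X for clients that do have one.
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Switch-local guest VLAN: the VLAN id lives in this command on the
 ! switch itself, so it cannot be delivered or changed by ACS.
 authentication event no-response action authorize vlan 900
!
! --- What ACS returns in the RADIUS Access-Accept for dynamic VLAN ---
! (IETF tunnel attributes, standard values)
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = 210        ! VLAN id, or the VLAN name
!
! --- Unknown-device handling as resolved in the thread ---
! Identity store option "if user not found" set to Continue, then one
! authorization rule per Network Device Group (NDG), each returning its
! own Tunnel-Private-Group-ID:
!   NDG "Site-A-Switches"  -> Tunnel-Private-Group-ID = 210
!   NDG "Site-B-Switches"  -> Tunnel-Private-Group-ID = 220
! Known devices keep their own MAB rules; only the fall-through rule
! per NDG changes, so the rule count grows with NDGs, not with switches.
```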