ACS 5.2 Assign VLAN based on AD group

messagevector
Level 1

I'm trying to configure ACS 5.2 to assign the VLAN to a user dynamically based on the AD group that the user belongs to. I've gone into:

Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab

and selected the group name from the AD. If I understand correctly, I should now see this group under:

Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name

However, it does not. Am I missing something?

Accepted Solution

Nicolas Darchis
Cisco Employee

No.

"VLAN id/name" is, as the name clearly states, a vlan id or name. Not a "group name".

You don't assign a group name as vlan.

The group name has to go in the "if" condition of your authorization profile. If "AD user group= x" then assign this vlan.

Then the vlan id/name is you typing manually what vlan relates to the AD user group.

If it creates too many rules because you have a lot of AD groups, what you can do is create an AD attribute in AD storing the vlan number or name and ACS will simply return that.

Nicolas


2 Replies

Thanks, that seemed to point me in the right direction. Basically, I selected Static and then put in the VLAN ID that I wanted to assign to the user (based on his/her group in AD). This works for me since I only have a handful of AD groups that need special VLAN assignment; all others get the "access" VLAN specified on the switchport. Your approach on getting the VLAN ID from AD makes sense also. Thanks.
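The two approaches from the accepted answer and the follow-up, modelled as an added example that is not from the thread or from Cisco: a first-match rule table keyed on AD group (with no VLAN attributes returned when nothing matches, so the switchport keeps its access VLAN), and the alternative of reading the VLAN from an AD attribute. Group names, VLAN numbers and the attribute name `vlanNumber` are constructed for illustration; the RADIUS attribute values are the standard ones a "VLAN ID/Name" authorization profile sends.

```python
# RFC 2868 / RFC 3580 attribute values carried in the Access-Accept
# when an authorization profile assigns a VLAN.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_8021 = 6     # Tunnel-Medium-Type (65) = IEEE-802


def vlan_attributes(vlan):
    """RADIUS attributes for a VLAN given by id or by name."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_8021,
            "Tunnel-Private-Group-ID": str(vlan)}


def valid_vlan(value):
    """Accept a VLAN id 1-4094 or a short VLAN name (RFC 3580 allows names)."""
    s = str(value).strip()
    if s.isdigit():
        return 1 <= int(s) <= 4094
    return 0 < len(s) <= 32 and s.replace("-", "").replace("_", "").isalnum()


# Approach 1 (accepted answer): one rule per AD group, evaluated top-down,
# first match wins, result is a static VLAN. Groups/VLANs are constructed.
STATIC_RULES = [
    ("CORP\\Finance", 110),
    ("CORP\\Engineering", 120),
]


def authorize_static(user_groups):
    """Return the VLAN attributes for the first matching group rule."""
    for group, vlan in STATIC_RULES:
        if group in user_groups:
            return vlan_attributes(vlan)
    return {}   # no VLAN attributes: the switchport's configured access VLAN applies


# Approach 2 (the alternative in the answer): the VLAN is stored in an AD
# attribute on the user, so a single rule covers every group. The attribute
# name "vlanNumber" is hypothetical; the value is validated before it is
# returned, since a typo in AD would otherwise be sent to the switch as-is.
def authorize_from_ad_attribute(user_attrs, attr="vlanNumber"):
    value = user_attrs.get(attr)
    if value is None or not valid_vlan(value):
        return {}
    return vlan_attributes(str(value).strip())
```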