Actually I have a lab with ACS 5.3 running with 802.1x, but when the user is successfully authenticated, it's assigned an IP address from the DHCP server. Is there a way to assign a static IP address depending on the login username?
Regards,
Juan Carlos Arias
Hello,
Would this be for External Database Users like AD or LDAP? Or would it be for ACS Internal Accounts?
Regards.
Hello Carlos,
Would be for AD.
Regards,
Juan Carlos Arias
Juan Carlos,
On ACS 5.x we can get the scenario working, but we need to define the Static IP Address users in the Internal ACS database as well. I have not managed to configure it in a different way.
I have handled one or two cases with this request and we always get it working as described in the attached document.
NOTE: The document refers to a RADIUS Identity Server (ACS 4.x). You can refer on your ACS to AD1 instead.
If this was helpful please rate.
Regards.
Hi Carlos,
I followed all the steps from your file, but the IP address I wish to be assigned (192.168.240.29) is not; it's getting an IP address from the DHCP pool (192.168.240.26).
Any idea where I can check this issue?
This is a log from Radius Authentication:
User-Name=MONARCH\juancarlos.arias |
I appreciate your time.
Regards,
Juan Carlos Arias
Juan Carlos,
I am assuming this is for 802.1x wired. In that case, is the switch configured with the "aaa authorization network" command?
Regards.
Hi Carlos, yes, that line is configured, this is my IOS device configuration:
aaa group server radius RADIUS-Auth
 server name RADIUS-8021x
!
aaa authentication enable default group RADIUS-Auth
aaa authentication dot1x default group RADIUS-Auth
aaa authorization config-commands
aaa authorization network default group RADIUS-Auth
aaa authorization auth-proxy default group RADIUS-Auth
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS-Auth
aaa accounting system default start-stop group RADIUS-Auth
!
radius server RADIUS-8021x
 address ipv4 192.168.240.174 auth-port 1645 acct-port 1646
 key 7 0822434008090004110A
!
Juan Carlos,
After doing some deeper research, I found the answer:
"The IEEE 802.1x standard does not provide a mechanism for IP address assignment. Therefore, configuration of the Framed-IP-Address and Framed-IP-Netmask attributes as Reply-Items in a user’s profile will have no effect. Either a DHCP server should be used, or the station should be configured with a static IP address."
The Framed-IP-Address attribute works for VPN Connections but not for 802.1x.
I hope this clarifies it.
Regards.
Bad news Carlos
Thanks for your complete explanation and your time.
One last question, I remember that I could do this with ACS v4.2, not sure but I don't want to waste time configuring a lab with this ACS version, is this true??
Regards,
Juan Carlos Arias
Hello Juan Carlos,
ACS 4.x had the option to configure a Static IP address under the User Setup:
However, I do not remember off the top of my head if ACS 4.x included that value under the Framed-IP-Address as well, which should not work on 802.1x either.
Please, mark the RFC response as correct if you feel it clarified your concern.
Regards.
Ok Carlos, thanks for your answers. I already voted at the beginning for your comments.
Regards,
Juan Carlos Arias
Hi,
How can I specify the subnet mask that I want to apply to the assigned IP address?
Because the ACS applies the default mask (the mask of the IP class; e.g., if we give a user 10.8.8.9 as the address, the ACS applies the mask 255.0.0.0 to it).
How can I specify that it should apply a /24 mask?
Juan Carlos,
You can find the same information in the RFC for 802.1x:
http://www.rfc-editor.org/rfc/rfc3580.txt
3.7. Framed-IP-Address, Framed-IP-Netmask

IEEE 802.1X does not provide a mechanism for IP address assignment. Therefore the Framed-IP-Address and Framed-IP-Netmask attributes can only be used by IEEE 802.1X Authenticators that support IP address assignment mechanisms. Typically this capability is supported by layer 3 devices.
If this was helpful please rate.
Regards.
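Added example (not from the thread, ACS, or Cisco documentation): a small decoder that walks the attributes of a RADIUS reply and flags Framed-IP-Address (type 8) and Framed-IP-Netmask (type 9) when they arrive in an Access-Accept that also carries an EAP-Message, i.e. an 802.1X session where RFC 3580 section 3.7 says they only take effect on an authenticator that supports IP assignment. The sample packet is constructed; the /24 netmask value and the zeroed authenticator field are assumptions for illustration.

```python
import ipaddress
import struct

# Attribute type codes from RFC 2865 / RFC 3579.
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, EAP_MESSAGE = 8, 9, 79
ACCESS_ACCEPT = 2
NAMES = {FRAMED_IP_ADDRESS: "Framed-IP-Address", FRAMED_IP_NETMASK: "Framed-IP-Netmask"}


def build_packet(code, identifier, attrs):
    """Encode a RADIUS packet; 16 zero bytes stand in for the authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_attrs(packet):
    """Return (code, [(type, value), ...]), rejecting truncated or malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def audit_reply(packet):
    """List Framed-IP-* reply items; flag True when sent in an EAP (802.1X) Access-Accept."""
    code, attrs = parse_attrs(packet)
    dot1x_accept = code == ACCESS_ACCEPT and any(t == EAP_MESSAGE for t, _ in attrs)
    return [(NAMES[t], str(ipaddress.IPv4Address(v)), dot1x_accept)
            for t, v in attrs if t in NAMES and len(v) == 4]


# Constructed sample: Access-Accept carrying EAP-Success plus the two reply items.
SAMPLE = build_packet(ACCESS_ACCEPT, 1, [
    (EAP_MESSAGE, bytes([3, 1, 0, 4])),  # EAP-Success
    (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.240.29").packed),
    (FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed),
])

if __name__ == "__main__":
    for name, value, flagged in audit_reply(SAMPLE):
        print(f"{name}={value} needs_ip_capable_authenticator={flagged}")
```

The netmask travels as its own attribute rather than as a prefix length on Framed-IP-Address, so a reply that carries only attribute 8 leaves the mask to the receiving device.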
Sorry, I selected the wrong option; I selected answer correct. Do I have to re-open?
Juan Carlos,
Do not worry. Refer to the answer above
Regards.