
ACS 5.3 Assign static IP address depending on authenticated user

Actually I have a lab with ACS 5.3 running with 802.1x, but when the user is successfully authenticated, it's assigned an IP address from the DHCP server. Is there a way to assign a static IP address depending on the login username?

Regards,

Juan Carlos Arias

camejia

Hello,

Would this be for External Database Users like AD or LDAP? Or would it be for ACS Internal Accounts?

Regards.

Hello Carlos,

Would be for AD.

Regards,

Juan Carlos Arias

Juan Carlos,

On ACS 5.x we can get the scenario working, but we need to define the Static IP Address users on the Internal ACS database as well. I have not managed to configure it in a different way.

I have handled one or two cases with this request and we always get it working as described in the attached document.

NOTE: The document refers to a RADIUS Identity Server (ACS 4.x). You can refer on your ACS to AD1 instead.

If this was helpful please rate.

Regards.

Hi Carlos,

I followed all the steps from your file, but the IP address I wish to be assigned (192.168.240.29) is not; it's getting an IP address from the DHCP pool (192.168.240.26).

Any idea where I can check this issue?

This is a log from Radius Authentication:

Authentication Result

User-Name=MONARCH\juancarlos.arias
Framed-IP-Address=192.168.240.29
Class=CACS:ACS-CONAPESCA/118540298/2
Tunnel-Type=(tag=1) VLAN
Tunnel-Medium-Type=(tag=1) 802
Tunnel-Private-Group-ID=(tag=1) 60

I appreciate your time.

Regards,

Juan Carlos Arias

Juan Carlos,

I am assuming this is for 802.1x wired. In that case, is the switch configured with the "aaa authorization network" command?

Regards.

Hi Carlos, yes, that line is configured, this is my IOS device configuration:

aaa group server radius RADIUS-Auth
 server name RADIUS-8021x
!
aaa authentication enable default group RADIUS-Auth
aaa authentication dot1x default group RADIUS-Auth
aaa authorization config-commands
aaa authorization network default group RADIUS-Auth
aaa authorization auth-proxy default group RADIUS-Auth
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS-Auth
aaa accounting system default start-stop group RADIUS-Auth
!
radius server RADIUS-8021x
 address ipv4 192.168.240.174 auth-port 1645 acct-port 1646
 key 7 0822434008090004110A
!

Juan Carlos,

After doing deeper research I found the answer:

"The IEEE 802.1x standard does not provide a mechanism for IP address assignment.  Therefore, configuration of the Framed-IP-Address and Framed-IP-Netmask attributes as Reply-Items in a user’s profile will have no effect. Either a DHCP server should be used, or the station should be configured with a static IP address."

The Framed-IP-Address attribute works for VPN Connections but not for 802.1x.

I hope this clarifies it.

Regards.

Bad news Carlos 

Thanks for your complete explanation and your time.

One last question, I remember that I could do this with ACS v4.2, not sure but I don't want to waste time configuring a lab with this ACS version, is this true??

Regards,

Juan Carlos Arias

Hello Juan Carlos,

ACS 4.x had the option to configure a Static IP address under the User Setup:

However, I do not remember off the top of my head if ACS 4.x included that value under the Framed-IP Address as well, which should not work on 802.1x either.

Please, mark the RFC response as correct if you feel it clarified your concern.

Regards.

Ok Carlos, thanks for your answers, I already voted at the beginning for your comments.

Regards,

Juan Carlos Arias

Hi,

How can I specify the subnet mask that I want to apply to the assigned IP address?

Because the ACS applies the default mask (the mask of the IP class, e.g. if we give a user 10.8.8.9 as address, the ACS applies the mask 255.0.0.0 to it).

How can I specify that it should apply a /24 mask?

Juan Carlos,

You can find the same information in the RFC for 802.1x:

http://www.rfc-editor.org/rfc/rfc3580.txt

3.7.  Framed-IP-Address, Framed-IP-Netmask

   IEEE 802.1X does not provide a mechanism for IP address assignment.
   Therefore the Framed-IP-Address and Framed-IP-Netmask attributes can
   only be used by IEEE 802.1X Authenticators that support IP address
   assignment mechanisms.  Typically this capability is supported by
   layer 3 devices.

If this was helpful please rate.

Regards.
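
Added example (not part of the original thread and not Cisco tooling): the Python below parses the attribute list from the authentication log quoted earlier in the thread and reports which reply attributes a layer 2 802.1X authenticator acts on, following RFC 3580 section 3.7. The function names and the `authenticator_assigns_ip` flag are assumptions made for this example.

```python
import re

# Constructed sample: the attribute list from the "Authentication Result" log in the thread.
SAMPLE_ACCEPT = """\
User-Name=MONARCH\\juancarlos.arias
Framed-IP-Address=192.168.240.29
Class=CACS:ACS-CONAPESCA/118540298/2
Tunnel-Type=(tag=1) VLAN
Tunnel-Medium-Type=(tag=1) 802
Tunnel-Private-Group-ID=(tag=1) 60
"""

IP_ASSIGNMENT_ATTRS = ("Framed-IP-Address", "Framed-IP-Netmask")  # RFC 3580 section 3.7
TAG = re.compile(r"^\(tag=\d+\)\s*")


def parse_attributes(text):
    """Parse 'Name=value' lines into a dict, dropping the '(tag=N)' prefix."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            attrs[name.strip()] = TAG.sub("", value.strip())
    return attrs


def vlan_assignment(attrs):
    """Return the VLAN ID if the RFC 3580 VLAN attribute triple is complete, else None."""
    if (attrs.get("Tunnel-Type") == "VLAN"
            and attrs.get("Tunnel-Medium-Type") == "802"
            and "Tunnel-Private-Group-ID" in attrs):
        return attrs["Tunnel-Private-Group-ID"]
    return None


def audit_accept(text, authenticator_assigns_ip=False):
    """Report the VLAN assignment and any IP attributes the authenticator cannot apply."""
    attrs = parse_attributes(text)
    findings = []
    vlan = vlan_assignment(attrs)
    if vlan is not None:
        findings.append(f"VLAN {vlan} assigned via Tunnel attributes")
    for name in IP_ASSIGNMENT_ATTRS:
        if name in attrs and not authenticator_assigns_ip:
            findings.append(f"{name}={attrs[name]} ignored: no IP assignment in 802.1X")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_accept(SAMPLE_ACCEPT)))
```

Run against the sample, it reports that VLAN 60 is applied while the Framed-IP-Address value is not, which matches the client still receiving its address from DHCP.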

Sorry, I selected the wrong option, I selected answer correct. Do I have to re-open?

Juan Carlos,

Do not worry. Refer to the answer above

Regards.