02-13-2012 11:02 AM - edited 03-10-2019 06:49 PM
Actually I have a lab with ACS 5.3 running with 802.1x, but when the user is successfully authenticated, it's assigned an IP address from the DHCP server. Is there a way to assign a static IP address depending on the login username?
Regards,
Juan Carlos Arias
02-13-2012 11:09 AM
Hello,
Would this be for External Database Users like AD or LDAP? Or would it be for ACS Internal Accounts?
Regards.
02-13-2012 11:11 AM
Hello Carlos,
Would be for AD.
Regards,
Juan Carlos Arias
02-13-2012 11:24 AM
Juan Carlos,
On ACS 5.x we can get the scenario working, but we need to define the static IP address users in the internal ACS database as well. I have not managed to configure it in a different way.
I have handled one or two cases with this request and we always got it working as described in the attached document.
NOTE: The document refers to a RADIUS Identity Server (ACS 4.x). You can refer on your ACS to AD1 instead.
If this was helpful please rate.
Regards.
02-13-2012 12:49 PM
Hi Carlos,
I followed all the steps from your file, but the IP address I wish to be assigned (192.168.240.29) is not; it's getting an IP address from the DHCP pool (192.168.240.26).
Any idea where I can check this issue?
This is a log from Radius Authentication:
User-Name=MONARCH\juancarlos.arias |
I appreciate your time.
Regards,
Juan Carlos Arias
02-13-2012 12:57 PM
Juan Carlos,
I am assuming this is for 802.1x wired. In that case, is the switch configured with the "aaa authorization network" command?
Regards.
02-13-2012 02:31 PM
Hi Carlos, yes, that line is configured, this is my IOS device configuration:
aaa group server radius RADIUS-Auth
 server name RADIUS-8021x
!
aaa authentication enable default group RADIUS-Auth
aaa authentication dot1x default group RADIUS-Auth
aaa authorization config-commands
aaa authorization network default group RADIUS-Auth
aaa authorization auth-proxy default group RADIUS-Auth
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS-Auth
aaa accounting system default start-stop group RADIUS-Auth
!
radius server RADIUS-8021x
 address ipv4 192.168.240.174 auth-port 1645 acct-port 1646
 key 7 0822434008090004110A
!
02-13-2012 02:39 PM
Juan Carlos,
After doing some deeper research I found the answer:
"The IEEE 802.1x standard does not provide a mechanism for IP address assignment. Therefore, configuration of the Framed-IP-Address and Framed-IP-Netmask attributes as Reply-Items in a user’s profile will have no effect. Either a DHCP server should be used, or the station should be configured with a static IP address."
The Framed-IP-Address attribute works for VPN Connections but not for 802.1x.
I hope this clarifies it.
Regards.
02-13-2012 02:51 PM
Bad news Carlos
Thanks for your complete explanation and your time.
One last question: I remember that I could do this with ACS v4.2. I'm not sure, but I don't want to waste time configuring a lab with this ACS version. Is this true?
Regards,
Juan Carlos Arias
02-13-2012 03:20 PM
Hello Juan Carlos,
ACS 4.x had the option to configure a Static IP address under the User Setup:
However, I do not remember off the top of my head if ACS 4.x included that value under the Framed-IP-Address as well, which should not work on 802.1x either.
Please, mark the RFC response as correct if you feel it clarified your concern.
Regards.
02-13-2012 03:40 PM
Ok Carlos, thanks for your answers, I already voted at the beginning for your comments.
Regards,
Juan Carlos Arias
06-27-2014 08:24 AM
Hi,
How can I specify the subnet mask that I want to apply to the assigned IP address?
Because the ACS applies the default mask (the mask of the IP class, e.g. if we give a user 10.8.8.9 as the address, the ACS applies the mask 255.0.0.0 to it).
How can I specify that it should apply a /24 mask?
02-13-2012 02:41 PM
Juan Carlos,
You can find the same information in the RFC for 802.1x:
http://www.rfc-editor.org/rfc/rfc3580.txt
3.7. Framed-IP-Address, Framed-IP-Netmask

IEEE 802.1X does not provide a mechanism for IP address assignment. Therefore the Framed-IP-Address and Framed-IP-Netmask attributes can only be used by IEEE 802.1X Authenticators that support IP address assignment mechanisms. Typically this capability is supported by layer 3 devices.
If this was helpful please rate.
Regards.
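Added example (not part of the original thread and not Cisco code): this Python code decodes a RADIUS reply and reports whether Framed-IP-Address (type 8) and Framed-IP-Netmask (type 9) are present, which separates "the server never sent the attribute" from "the 802.1X authenticator did not act on it", the case RFC 3580 section 3.7 describes. The sample packet is constructed; the 255.255.255.0 mask, the zeroed authenticator and the function names are assumptions.

```python
import ipaddress
import struct

ACCESS_ACCEPT = 2                       # RADIUS packet code (RFC 2865)
USER_NAME, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 1, 8, 9   # attribute types

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the packet")
    attrs, pos = [], 20                 # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:   # a_len counts type+length bytes too
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def framed_ip_reply(packet: bytes) -> dict:
    """Summarise the IP-assignment attributes the server put in its reply."""
    code, attrs = parse_attributes(packet)
    out = {"access_accept": code == ACCESS_ACCEPT,
           "user": None, "address": None, "netmask": None}
    for a_type, value in attrs:
        if a_type == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif a_type in (FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK) and len(value) == 4:
            key = "address" if a_type == FRAMED_IP_ADDRESS else "netmask"
            out[key] = str(ipaddress.IPv4Address(value))
    return out

def build_sample(with_framed: bool = True) -> bytes:
    """Constructed Access-Accept; zeroed authenticator, not a real capture."""
    def attr(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    body = attr(USER_NAME, b"MONARCH\\juancarlos.arias")
    if with_framed:
        body += attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.240.29").packed)
        body += attr(FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(framed_ip_reply(build_sample()))
```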
02-13-2012 11:18 AM
Sorry, I selected the wrong option, I selected "answer correct". Do I have to re-open?
02-13-2012 11:25 AM
Juan Carlos,
Do not worry. Refer to the answer above.
Regards.