ACS Vlan assignment with Windows AD Authentication

dprakken1 · ‎08-31-2006

Hola, I have a customer hosting multiple MS AD domains, each on a separate VLAN. They want to use ACS to authenticate inbound VPN clients into their respective domains (VLAN's), based on login credentials. Can this be done?

Thanks - Dave

darpotter · ‎09-01-2006

Yes this can be done... providing users are different groups.

You might have to create an AD group for VLAN then in ACS map the AD VLAN groups to ACS groups - each with appropriate RADIUS VLAN attributes.

The only issue then is that if you were already mapping AD groups (eg admin, employee, contractor) etc.. its "game over"

Darran

jasjsing · ‎09-04-2006

You need to map users of different Vlan w/ different groups in ACS bases on their domians. Each group in ACS should be configured for Dynamic ACls to be downloaded after authentication for that particular user. This way you can restrict the access of the user to his Vlan only .

Jasjeet

dprakken1 · ‎09-05-2006

Thanks for the help! I will try it out on-site next week. - Dave

dprakken1 · ‎09-15-2006

If each domain is on a different VLAN, does the ACS box need to be on a trunking port on the switch?

Dave