
Dynamic VLAN assignment based on different AD attributes

devyatkin
Level 1

Hi ALL,
We use dynamic VLAN assignment with 802.1x, ACS and AD. ACS assigns a VLAN to a user based on the User Group in AD.
Now we need to install a new site with 2000 users. However, most of those users belong to a single User Group in AD.
So in this environment we are unable to use the current logic because all users will have to be in a single VLAN.
Is there any way to allocate users to different VLANs and make the VLAN assignment based on other AD attributes, except User Group? Or make some kind of load balancing in ACS?
The ACS version we use is 4.2.

1 Reply

pablo1711
Level 1

Under ACS 5.1 this is almost certainly possible. Under 4.2... hmm, I don't think so.

However, as AD users can be members of multiple groups, is there any reason why your 2000 users on your new site can't have a number of AD security groups created, which you can then map against ACS groups to give you your configuration basis for VLAN overrides?

So assuming your new users are in one AD group called Users, there is no technical reason they could not also be part of a group called GroundFloorUsers, FirstFloorUsers and so on. Then you can map GroundFloorUsers to a new ACS group and input the VLAN override details.

You could have used LDAP as an authentication request as a second external database, which you can map against different ACS groups, but I am pretty sure this configuration doesn't support 802.1x (only PAP/ASCII type requests).

Paul