Dynamic VLAN assignment for wired and wireless connections

etamminga
Spotlight

Hi,

I've set up our Cisco ACS 3.3 appliance to authenticate users connecting via wireless and wired connections (802.1x). I've successfully managed the above but now would like to assign authenticated users to a specific VLAN.

Can I setup ACS to assign different VLAN-ids based on the AAA-client used?

We've got roaming users connecting to the network at multiple locations.

On location A I would like wired users to be assigned to VLAN 100 and wireless users to VLAN 101.

On location B I would like wired users to be assigned VLAN 50 and 51 for wired and wireless connections.

Is the above possible? So far I've only been able to specify one VLAN per user / group.

11 Replies

ecarrasquillo
Level 1

Are you using RADIUS for authentication? If you are, you can set up the attributes under the user to specify the VLAN you want them to be assigned to.

Yes, we're using RADIUS authentication. I know I can assign the user a VLAN. But what I actually want is to assign the user different VLAN-ids based on the location they're requesting access from.

So wireless users get vlan 101 (for example) and wired users get vlan 102.

Erik

Hi Erik,

Did you solve your problems?

I have the same issue and I would like to know whether it is possible to assign VLAN-ID based on AAA client type.

Regards,

Alessandro.

Hi Alessandro,

We gave up on this with ACS 3.3.

The newer ACSes have more options with policies but I finally reverted to using IAS/NPS on which this is a simple task.

Regards,

Erik

thx

It's easy. Under group settings the last three attributes (given you have enabled them globally) are:
</gre_replace>
<gr_replace lines="79" cat="clarify" orig="After you set up">
After you set up the local groups and map them to WLANs, you can map the local groups to Active Directory groups via External Databases -> Database Group Mappings.

Tunnel-Type   (Should be set to VLAN)

Tunnel-Medium-Type (Should be set to 802)

Tunnel-Private-Group-ID  (Your vlan id you wish to assign)

Keep in mind you need to enable these settings first under Interface Configuration so they will show up under group settings.

After you set up the local groups and map them to wlans. You can via External Databases -> Database Group Mappings map the local groups to Active Directory groups.

Voila... dynamic VLAN assignment.

Hi Kent,

You are correct when only one vlan-id has to be defined per user in the entire enterprise.

My question started with asking for multiple vlan-id's, assigned based on access-device (switch/ap/vpn/...). Your solution is not a solution for such an environment. A user can only be a member of one group, and there is no relation between access-devices and users in 3.3.

Regards,

Erik

Alessandro and Erik,

I'm into the same situation.

Could you guys explain to me exactly what you have done to solve this problem?

Best regards!

Leonardo

test

Hi Leonardo,

The main steps for wireless are (using controller + RADIUS):

1 Use 802.1x as auth method for your WLAN

2 On controller select the option AAA Override (Advanced tab under WLAN)

3 Configure your RADIUS (and client) to pass to the controller the tunnel type you need

You have to do most of it on your RADIUS, but there are good docs about "how to implement" dynamic VLAN assignment using ACS or IAS.

Regards

Thanks for your reply.

I already have wired 802.1x implemented in my network using FreeRADIUS as the RADIUS server.

I'd like to use a different vlan on the wireless 802.1x.

Example: A user has the "TunnelPrivateGroupe=2" attribute. It means he will join the VLAN with ID 2 when authenticated. On the wired network it works properly, but I don't want to open this VLAN (2) on my wireless network. I'd like to use another VLAN for this user.

Regards!!
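The three attributes Kent lists (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and the per-access-device selection that the original question and this last FreeRADIUS post are after, as an added example that is not from anyone in this thread: it picks the VLAN from the NAS-IP-Address of the AAA client that sent the request and encodes the RFC 2868 tagged attributes as a RADIUS server would place them in an Access-Accept. The NAS addresses and VLAN numbers are constructed sample values; an unknown NAS gets no VLAN attributes so the caller can reject or leave the port on its default VLAN.

```python
# Added example (not from the thread): choose the VLAN from the AAA client
# that sent the request and encode the RFC 2868 tunnel attributes that Kent
# lists, the way a RADIUS server would put them in an Access-Accept.
# NAS addresses and VLAN numbers below are constructed sample values.
import ipaddress

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "802" (RFC 2868)

# NAS-IP-Address -> (location, medium, VLAN): the per-access-device mapping
# the original question asks for (sample values).
NAS_VLAN_TABLE = {
    "192.0.2.1": ("A", "wired", 100),
    "192.0.2.2": ("A", "wireless", 101),
    "198.51.100.1": ("B", "wired", 50),
    "198.51.100.2": ("B", "wireless", 51),
}

def select_vlan(nas_ip: str):
    """VLAN for the requesting AAA client, or None if the NAS is unknown."""
    entry = NAS_VLAN_TABLE.get(str(ipaddress.ip_address(nas_ip)))
    return entry[2] if entry else None

def _tagged_int(attr: int, tag: int, value: int) -> bytes:
    # Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")

def _tagged_str(attr: int, tag: int, text: str) -> bytes:
    # Tagged string attribute: Type, Length=3+len(text), Tag, text
    data = text.encode("ascii")
    return bytes([attr, 3 + len(data), tag]) + data

def vlan_reply_attributes(vlan: int, tag: int = 1) -> bytes:
    """The three attributes a switch or controller needs to place the session
    in `vlan`; one shared tag (1..31) groups them into a single tunnel."""
    if not 1 <= vlan <= 4094 or not 1 <= tag <= 0x1F:
        raise ValueError("VLAN must be 1..4094 and tag 1..31")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))

def build_reply(nas_ip: str):
    """Attributes for an Access-Accept, or None so the caller can reject
    or fall back to the port's default VLAN for an unknown NAS."""
    vlan = select_vlan(nas_ip)
    return None if vlan is None else vlan_reply_attributes(vlan)
```

The same user therefore lands in VLAN 101 when coming through the location A wireless controller and in VLAN 100 through the location A switch, which is the per-AAA-client behaviour ACS 3.3 could not express per group.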