Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


group mapping for user contexts with AD

Is it possible to use an external database with a context to the username in order to assign a VLAN for dot1x authentication?

In other words the same username and password but a different VLAN assignment depinding on the context of the username.

For example we have Ray@con1 and Ray@con2 the same database is queried and only one user named ray exists. However if he logs in with @con1 he gets vlan 10 and if @con2 he gets vlan 20.

Idealy an active directory queery would be ideal but if this is only possible for LDAP then so be it.

A challenge but there must be some clever bod out there?

This is not a proxy acs question.

reload in 25 years
Frequent Contributor

802.1x was designed to authenticate hosts on a wired network instead of actual users. Attempting to authenticate users via 802.1x on a wired network may result in undesired behavior such as the dynamic VLAN assignment assigned to a user not being changed until the NIC card releases the port (computer is restarted or powercycled).

Not sure I agree with this.

802.1x has been authenticating "users" since the start. Wireless first with a slower uptake on wired (mainly because switch is an existing technology as opposed to wlan that was all new).

NAC is predicated upon 802.1x for user authentication, as is dynamic assignment of VLAN/ACL




ACS 4.0 would only take you part of the way. You can create a network access profile (NAP) based on any attribute of the inbound request. So you can authorise off something in the username.

What it wont do is strip off the username realm prior to authenticating..

Only solution i can see is proxy. This would strip off the realm and allow for different VLAN configs without the need to ACS v4.0. It would require several ACS servers though :(

Hi, Thanks for the replys.

Like I said this is not about proxy its about different contexts of the same user in the same database.

Funk radius is able to do this by making multiple queries into an LDAP database. However my client prefers Cisco ACS.

In the end we have created three users with the same name but with a pretend suffix of ",context" which is actualy part of the username. It just means mwe have to maintain 3 username/passwords.

On the subject of user V machine authentication. The commercialy available supplicants work equally well with wired or wireless. However there are issues with the native windows (zero wireless) supplicant when more than one VLAN is needed per machine, but this can be mittigated by writing a little VB script to initiate an authentication and dhcp renew.

reload in 25 years
Recognize Your Peers
Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel