Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
449
Views
0
Helpful
4
Replies

group mapping for user contexts with AD

rchester
Level 1
Level 1

‎02-20-2006 05:28 AM - edited ‎03-10-2019 02:28 PM

Is it possible to use an external database with a context to the username in order to assign a VLAN for dot1x authentication?

In other words the same username and password but a different VLAN assignment depinding on the context of the username.

For example we have Ray@con1 and Ray@con2 the same database is queried and only one user named ray exists. However if he logs in with @con1 he gets vlan 10 and if @con2 he gets vlan 20.

Idealy an active directory queery would be ideal but if this is only possible for LDAP then so be it.

A challenge but there must be some clever bod out there?

This is not a proxy acs question.

reload in 25 years
Labels:
0 Helpful
4 Replies 4

thomas.chen
Level 6
Level 6

‎02-24-2006 10:29 AM

802.1x was designed to authenticate hosts on a wired network instead of actual users. Attempting to authenticate users via 802.1x on a wired network may result in undesired behavior such as the dynamic VLAN assignment assigned to a user not being changed until the NIC card releases the port (computer is restarted or powercycled).

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#p22

0 Helpful

darpotter
Level 5
Level 5
In response to thomas.chen

‎02-24-2006 12:58 PM

Not sure I agree with this.

802.1x has been authenticating "users" since the start. Wireless first with a slower uptake on wired (mainly because switch is an existing technology as opposed to wlan that was all new).

NAC is predicated upon 802.1x for user authentication, as is dynamic assignment of VLAN/ACL

Darran.

0 Helpful

darpotter
Level 5
Level 5

‎02-24-2006 01:03 PM

Hi

ACS 4.0 would only take you part of the way. You can create a network access profile (NAP) based on any attribute of the inbound request. So you can authorise off something in the username.

What it wont do is strip off the username realm prior to authenticating..

Only solution i can see is proxy. This would strip off the realm and allow for different VLAN configs without the need to ACS v4.0. It would require several ACS servers though :(

0 Helpful

rchester
Level 1
Level 1
In response to darpotter

‎02-26-2006 10:23 AM

Hi, Thanks for the replys.

Like I said this is not about proxy its about different contexts of the same user in the same database.

Funk radius is able to do this by making multiple queries into an LDAP database. However my client prefers Cisco ACS.

In the end we have created three users with the same name but with a pretend suffix of ",context" which is actualy part of the username. It just means mwe have to maintain 3 username/passwords.

On the subject of user V machine authentication. The commercialy available supplicants work equally well with wired or wireless. However there are issues with the native windows (zero wireless) supplicant when more than one VLAN is needed per machine, but this can be mittigated by writing a little VB script to initiate an authentication and dhcp renew.

reload in 25 years
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents