Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
5
Helpful
5
Replies

IP address assisgnment w/ Secure ACS

georgeburtz
Level 1
Level 1

‎09-27-2006 04:50 AM - edited ‎03-10-2019 02:46 PM

I have been trying to set up a switch to do the following:

1) Use 802.1x port level authentication

2) Assign VLAN to the client based on username/group

3) Assign IP address to the client

I am using 3750 switches w/ IOS ver 12.2.25 and ACS server ver 3.3.

The port based auth and the vlan assignment works fine, but I cannot get the ip assignment to work. The result is the same if I use Microsoft IAS as the radius server instead of ACS. Is there anything else I should do to get this to work?

Thanks..

Labels:
0 Helpful
5 Replies 5

pbunet
Level 1
Level 1

‎09-28-2006 03:46 AM

Hi,

Please let me know what aaa commands are we using here.

The command required for authorization of 802.1x clients.

aaa authorization network default group radius

Regards,

Puneet

0 Helpful

georgeburtz
Level 1
Level 1
In response to pbunet

‎09-28-2006 04:08 AM

Here is the AAA section of the config

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login no_tacacs line

aaa authentication enable default group tacacs+ enable

aaa authentication ppp default local

aaa authentication dot1x default group radius

aaa authorization exec default group tacacs+ local

aaa authorization network default group radius

aaa authorization configuration default group radius

Thanks...

0 Helpful

pbunet
Level 1
Level 1
In response to georgeburtz

‎09-28-2006 05:07 AM

I did some research and found that ipaddress assignment is not supported by 802.1x .

IEEE 802.1X does not provide a mechanism for IP address assignment. Therefore the Framed-IP-Address and Framed-IP-Netmask attributes can only be used by IEEE 802.1X Authenticators that support IP address

assignment mechanisms. Typically this capability is supported by layer 3 devices.

More specially :"attributes can only be used by IEEE 802.1X Authenticators that

support IP address assignment mechanisms"

IMO, that means these "IP address assignment mechanisms" are *not* 802.1X but could for example be ppp, pptp, l2tp,...

georgeburtz
Level 1
Level 1
In response to pbunet

‎09-28-2006 06:02 AM

Thanks for the help. I'll look into those.

0 Helpful

tyagi.v
Level 1
Level 1

‎10-04-2006 11:53 PM

Hi,

How did you configure VLAN assignment to the client based on username/group??

Thanks

0 Helpful
Customers Also Viewed These Support Documents