2468 Views, 0 Helpful, 1 Replies

MAB and dynamic assignment of vlans

sidcracker
Level 1

Hello,

Basically what I want to achieve is that when users are connecting to the network via the switch, the switch passes the MAC address to the RADIUS server in ACS, which authenticates it in its database and allows the client to access the network based on the MAC address (MAC Authentication Bypass) and also provides the VLAN information based on the AD username.

Is it possible for the MAC details to be populated in the Active Directory database instead of the internal ACS database?

Is this something that can be done? I am quite familiar with integrating AD into ACS and device management. But not too sure about MAC authentication bypass?

Can someone explain how to do the VLAN assignment in ACS 5.1 or 5.2?

Any help will be appreciated.

Thanks

1 Reply

slawford
Cisco Employee

Hi,

As long as you configure the username and password in AD to be the MAC address, ACS will forward the auth request to AD and treat it like any other user. One thing to keep in mind here is that having the username and password as the same value may violate your AD security policy.

In regards to Dynamic VLAN assignment, all you need to do is configure ACS to return the VLAN ID/Name in the Access-Accept. This is configured under an Authorization profile. Detailed steps on how to configure this in ACS 5.x can be found on page 10 of the following guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/whitepaper_c27-574041.pdf

I look forward to hearing how you go.

Steve.
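
As an added example (not part of the original thread and not Cisco's code), the Python below builds and checks the three standard tunnel attributes from RFC 2868/RFC 3580 that carry a VLAN ID/Name in an Access-Accept, so a captured reply can be verified before troubleshooting the switch. Assumptions not stated in the thread: the authorization profile emits these standard attributes, and the switch sends the MAC as 12 lowercase hex digits for both username and password.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def mab_username(mac: str) -> str:
    """Normalise a MAC to 12 lowercase hex digits (assumed MAB username format)."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def encode_vlan_attrs(vlan: str, tag: int = 1) -> bytes:
    """Build the three tunnel attributes as they appear in an Access-Accept."""
    def tagged_int(attr: int, value: int) -> bytes:
        # type, length (always 6), tag octet, 24-bit value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = bytes([tag]) + vlan.encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, len(group) + 2) + group)

def parse_attrs(buf: bytes) -> dict:
    """Walk type-length-value attributes; reject truncated or malformed lengths."""
    attrs, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute")
        attrs[buf[i]] = buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]
    return attrs

def assigned_vlan(buf: bytes):
    """Return the VLAN ID/Name if all three attributes are valid, else None."""
    a = parse_attrs(buf)
    for attr, want in ((TUNNEL_TYPE, TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)):
        v = a.get(attr, b"")
        if len(v) != 4 or int.from_bytes(v[1:], "big") != want:
            return None  # missing or wrong value: the reply does not assign a VLAN
    group = a.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # RFC 2868: a first octet <= 0x1F is a tag, not text
        group = group[1:]
    return group.decode("ascii") or None

# Constructed sample: attribute bytes of an Access-Accept assigning VLAN "20"
SAMPLE = encode_vlan_attrs("20")
```

A reply that carries only Tunnel-Private-Group-ID, without the matching Tunnel-Type and Tunnel-Medium-Type, returns `None` here, which is the case to rule out first when a port does not land in the expected VLAN.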