01-16-2014 12:07 PM - edited 03-10-2019 09:17 PM
Hi All,
We have to provide access control for users using NAP and Cisco 2960s switches.
The request is to have only domain users authenticate to the operations VLAN; non-domain users will be assigned to a guest network.
What would be the configs on the switch to allow this to work? What will force the switch port to assign the operations VLAN when authenticated to the domain?
Thanks much
01-19-2014 10:56 PM
Hi,
I suppose you are using the ACS 4.x version.
You need to configure dot1x under the switchport. Use the default VLAN as the guest VLAN.
You need to configure the ACS to allow access to domain users only (by forcing MACHINE authentication with PEAP for example).
In the NAP, you need to match the NAP selection on the NAS-IP-Address of the switch so that this NAP is only selected if this switch sends the request.
Now, inside the NAP you have to allow only PEAP-MSCHAPv2 (you already forced machine authentication with PEAP under the external DB config, as per the earlier step).
When auth works, from under the user or group, send the attributes to assign a specific VLAN to the user.
Otherwise, if the user auth is not successful, it will be put in the default VLAN, which is the guest VLAN.
With the ACS 5.x version, doing this is more flexible.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
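As an added illustration of the switch side of the approach Amjad describes (this is example configuration, not from the thread or from Cisco documentation): dot1x on the access port, the guest VLAN as the static/fallback VLAN, and a RADIUS server that returns VLAN attributes for authenticated domain users. The RADIUS server address, shared secret, VLAN IDs and interface are assumed placeholders.

```cisco
! Constructed example (not from the thread): 802.1X access port on a 2960
! with RADIUS-assigned VLANs and a guest VLAN fallback.
! Assumed values: RADIUS server 10.0.0.10, shared secret RADIUS-SECRET,
! guest VLAN 200, operations VLAN 100, port Gi1/0/5.
!
aaa new-model
! Authenticate 802.1X supplicants against RADIUS
aaa authentication dot1x default group radius
! Required so the switch honours the VLAN attributes in the Access-Accept
aaa authorization network default group radius
!
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET
! Source address the RADIUS server sees as NAS-IP-Address (used for policy matching)
ip radius source-interface Vlan1
!
! Enable 802.1X globally
dot1x system-auth-control
!
vlan 100
 name OPERATIONS
vlan 200
 name GUEST
!
interface GigabitEthernet1/0/5
 switchport mode access
 ! Default/static VLAN is the guest VLAN, as the reply suggests
 switchport access vlan 200
 ! Switch acts as authenticator; port stays unauthorized until EAP succeeds
 dot1x pae authenticator
 dot1x port-control auto
 ! Hosts with no supplicant (no EAPOL response) land in the guest VLAN
 dot1x guest-vlan 200
 ! Hosts that fail authentication also land in the guest VLAN
 dot1x auth-fail vlan 200
 dot1x auth-fail max-attempts 3
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! On the RADIUS server, the policy for domain (machine-authenticated) users
! returns these standard attributes in the Access-Accept so the port
! is moved to VLAN 100:
!   Tunnel-Type (64)              = VLAN (13)
!   Tunnel-Medium-Type (65)       = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81)  = 100     (VLAN ID, or the VLAN name)
```

Newer IOS releases replace the per-interface `dot1x port-control` / `dot1x guest-vlan` / `dot1x auth-fail vlan` commands with `authentication port-control auto` and `authentication event no-response|fail action authorize vlan 200`; the RADIUS attributes are the same either way.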
01-20-2014 06:20 AM
Hi Amjad,
Thanks for the information.
I am not using the ACS, just the NAP and Cisco switches. Will this work?
I have read about port authentication for the switch with RADIUS authentication, but I am not sure what the difference is with the NAP.
Can you explain a scenario for NAP and switches to achieve this?
01-20-2014 09:51 PM
Hi,
What do you mean by NAP?
I know that NAP (Network Access Profile) is part of the ACS 4.x.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"