Question regarding Authorization Profile with dynamic vlan (ACS5.2)

a.hed
Level 1

Hi all,

I’m trying to replace an existing VMPS installation with MAB on ACS 5.2. To keep it simple I just want to use Internal Identity Stores → Host.

I have a lab environment that is working, but not in the way I want…. The risk of typos is too large....

I have created an attribute under System Administration -> Internal Hosts; I call it VLAN Name, configured as a “String” attribute.

In Policy Elements I have created an Authorization Profile named Dynamic VLAN via String, with Common Task “VLAN” → “Dynamic” → “Internal Hosts”, and selected the attribute I created, "VLAN Name".

Now it’s possible to add a host, type the MAC address and type the VLAN name in the “String” field. On the switch I can see the attribute in Tunnel-Private-Group and the switch assigns the right VLAN.

Now I want to create users in the ACS that only have access to create new hosts. The problem is that these PC administrators need to type the correct VLAN name (the exact name!)… I do not think this is going to work smoothly; the risk of typos is too large. The network has about 50 different VLANs with no naming standard whatsoever.

Is there a way to configure an attribute with an Enumeration value…

I have tried, under System Administration -> Internal Hosts, to create an attribute with Enumeration. It looks nice when creating hosts since you select the VLAN/attribute from a new popup window (no risk of typos)…  but this I cannot select under Authorization Profile – Common Task – VLAN.

Is there a way to do what I want?

Another way to address the problem, I guess, is to create one Identity Group and one authorization policy with a static VLAN for each VLAN. Then PC administrators select groups instead of typing the VLAN. But it will be a lot more configuration.

///a.hed

3 Replies

Nicolas Darchis
Cisco Employee

Hi,

In your authorization profile you can define custom RADIUS attributes that you send back. There you can simply configure the VLAN attribute and select your enumeration. But I'm afraid that this could actually return a number (1,2,3,4,5 ...) and not a string to the switches.

The simplest to me would really be the group way, honestly.

Nicolas

Bastien Migette
Cisco Employee

It normally works with the VLAN name, but to avoid misspelling you can use the VLAN ID as well.

You can then create an authorization profile and, as Nico said, put the right VLAN ID in the RADIUS attribute (use the predefined RADIUS VLAN ID, choose static and set the right VLAN ID; it will automatically set the tunnel group/media attributes).

In your access policies you can match an internal group and result in your authorization profile, so basically create an internal group, add the user to this group, and create an access policy that matches this group and applies an authorization profile with the VLAN you want.
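The thread turns on two things: the switch applies the VLAN from the Tunnel-Private-Group-ID the RADIUS server returns (together with Tunnel-Type=VLAN and Tunnel-Medium-Type=802, as described in RFC 2868 and RFC 3580), and a free-text VLAN name that does not exactly match a VLAN on the switch fails the authorization. ACS 5.2 itself offers no way to check the typed name, which is why the question exists. The following is an added example, written for this page and not code from the thread or from Cisco, that shows what a pre-check of a proposed MAB host entry could look like: it normalizes the MAC, verifies the VLAN against an exported VLAN table (constructed here, assumed to come from "show vlan brief" on the switch), flags near-miss names, and builds the three attributes the Access-Accept would carry. Function and variable names are the example's own.

```python
import re
import difflib

# RADIUS attribute numbers for dynamic VLAN assignment (RFC 2868 / RFC 3580)
TUNNEL_TYPE = 64               # Tunnel-Type; value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type; value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID; VLAN name or ID as a string

TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Constructed sample VLAN table, standing in for an export of "show vlan brief".
# The names deliberately follow no standard, as in the question.
KNOWN_VLANS = {
    10: "Users_Floor1",
    20: "users-floor2",
    30: "PRINTERS",
    99: "MGMT_net",
}


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def validate_vlan(value, known_vlans=KNOWN_VLANS):
    """Return (ok, message). Accepts a numeric VLAN ID or an exact VLAN name."""
    text = str(value).strip()
    if text.isdigit():
        vid = int(text)
        if vid in known_vlans:
            return True, f"VLAN ID {vid} ({known_vlans[vid]})"
        return False, f"VLAN ID {vid} does not exist on the switch"
    names = list(known_vlans.values())
    if text in names:
        return True, f"VLAN name {text!r}"
    # The switch matches the returned name exactly (including case), so a near miss
    # is exactly the typo that would break the port's authorization: point it out.
    close = difflib.get_close_matches(text, names, n=1, cutoff=0.6)
    hint = f"; did you mean {close[0]!r}?" if close else ""
    return False, f"VLAN name {text!r} not found (names are case-sensitive){hint}"


def build_tunnel_attributes(vlan):
    """Build the three RADIUS attributes an Access-Accept carries for a dynamic VLAN."""
    return {
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_802,
        TUNNEL_PRIVATE_GROUP_ID: str(vlan).strip(),
    }


def check_host_entry(mac, vlan, known_vlans=KNOWN_VLANS):
    """Validate a proposed MAB host entry before it goes into the identity store.

    Returns a dict with the normalized MAC, the attributes that would be sent,
    and an error message if the entry should be rejected.
    """
    result = {"mac": None, "attributes": None, "error": None}
    try:
        result["mac"] = normalize_mac(mac)
    except ValueError as exc:
        result["error"] = str(exc)
        return result
    ok, message = validate_vlan(vlan, known_vlans)
    if not ok:
        result["error"] = message
        return result
    result["attributes"] = build_tunnel_attributes(vlan)
    return result


if __name__ == "__main__":
    # Constructed entries: one correct, one with a case typo in the VLAN name, one with a bad MAC.
    samples = [
        ("0011.2233.4455", "Users_Floor1"),
        ("00:11:22:33:44:66", "Users_floor1"),
        ("00:11:22", "10"),
    ]
    for mac, vlan in samples:
        print(f"{mac:20} {vlan:14} -> {check_host_entry(mac, vlan)}")
```

Run it with `python check_host.py`; the second sample is rejected with a hint pointing at the correctly cased name, which is the failure the question describes. Because ACS cannot run such a check on the host-attribute form, it only helps if it sits in whatever workflow the PC administrators use before the entry is created; the per-VLAN group approach from the replies avoids the free-text field altogether, at the cost of the extra configuration noted in the thread.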

a.hed
Level 1

THX for your answers,

I have twisted and turned this problem and I see no way around it. It seems like it is going to be a lot of configuration in ACS, but it is only a one-time job. It is better to do that job with the installation rather than troubleshoot every time the PC administrators type the wrong VLAN name.

As Bastien wrote in his answer:

"so basically create an internal group, add user to this group, and create an access-policy that match this group and apply an authorization profile with the vlan you want"

Thx again for your input.

///A.hed