Dot1x -> WLC -> ACS -> Windows profiling

ledzepp817
Level 1

Hello,

Does anyone have any experience with the following setup:

We want users to authenticate through Dot1x with their Windows credentials.  The RADIUS server for dot1x will be ACS, which uses the Windows DC for authentication.  Then we would like the ACS to grab a role based on DC OU, group, etc. and send that back to the WLC for profiling?

Sounds crazy I know but I think it can be done with an ISE server but we don't want to buy that if we don't have to. Can this be possible with just ACS?

Thanks!

5 Replies

Stephen Rodriguez
Cisco Employee

When you say "grab a role" are you looking to use that role to push down an attribute?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Sorry if I am being confusing but here's what I'd like to do:

If someone from an ITAdmin group on Win DC signs onto wireless, I'd like that to be passed to ACS and then passed to WLC for profiling and be assigned to certain VLAN/subnet.

OK, we can do something with that, easily enough.

On your ACS you need to build a group for IT; in its AAA attributes you want to return 64/65/81 = VLAN/802/<vlan ID>.

Rinse, repeat for the other groups.

On the WLC, you need to create the VLAN interfaces, and set the WLAN to have AAA override enabled.

Now when a user gets authenticated, the ACS will pass back the attributes to assign the user to the appropriate VLAN.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#Rserver1

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thank you so much for your reply.

So you would have to create all of the groups on the ACS itself?  It couldn't pull some attributes from the DC/LDAP server and classify that way?

You don't have to create any group on ACS... You create policies that define: if a user is part of group X, here is its VLAN, etc.  It's the policies that the RADIUS server will send back to the WLC.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
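As an added example, not code from the thread or from Cisco, the Python below shows what the "64/65/81" answer above and the policy-based answer that follows it amount to on the wire: a group-to-VLAN policy table (the AD group names and VLAN IDs are constructed placeholders), the three RFC 2868 tunnel attributes an ACS policy returns in the Access-Accept (Tunnel-Type=VLAN/13, Tunnel-Medium-Type=IEEE-802/6, Tunnel-Private-Group-ID=<vlan ID>), and the check a WLC with AAA override performs before moving the client: all three must be present under the same tag and consistent, otherwise the override is ignored and the client stays on the WLAN's default interface.

```python
import sys

# RADIUS attribute numbers from RFC 2868 (the "64/65/81" in the thread)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type "802"

# Constructed policy table (assumed names/values, not from the thread):
# the ACS policy "if user is in group X, here is its VLAN".
GROUP_VLAN_POLICY = {
    "ITAdmin": 10,
    "Finance": 20,
    "Guest": 30,
}


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type/Length/Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_vlan_attributes(group, tag=1):
    """Attributes an ACS policy would place in Access-Accept for a user in `group`."""
    vlan_id = GROUP_VLAN_POLICY[group]
    # Tagged integers: a 1-byte tag followed by a 3-byte big-endian value
    tunnel_type = bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium = bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tagged string: a 1-byte tag followed by the VLAN ID as ASCII digits
    group_id = bytes([tag]) + str(vlan_id).encode("ascii")
    return (encode_attr(TUNNEL_TYPE, tunnel_type)
            + encode_attr(TUNNEL_MEDIUM_TYPE, medium)
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, group_id))


def parse_attributes(data):
    """Walk a RADIUS attribute blob into (type, value) pairs; reject malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def split_tag(attr_type, value):
    """RFC 2868 tag rules: a first byte <= 0x1F is a tag; for the string attribute a
    larger first byte means no tag is present and the whole value is the string."""
    if not value:
        return 0, value
    if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
        return 0, value
    tag = value[0] if value[0] <= 0x1F else 0
    return tag, value[1:]


def vlan_from_access_accept(data):
    """WLC-side AAA-override logic: return the VLAN ID if a consistent 64/65/81 set
    is present (same tag, VLAN over 802, numeric ID in range), otherwise None."""
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue  # other attributes (Session-Timeout, Class, ...) are not our concern here
        tag, body = split_tag(attr_type, value)
        entry = by_tag.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            entry[attr_type] = body.decode("ascii", errors="replace")
        else:
            if len(body) != 3:
                return None  # malformed tagged integer: refuse to override
            entry[attr_type] = int.from_bytes(body, "big")
    for _tag, entry in sorted(by_tag.items()):
        group_id = entry.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group_id.isdigit() and 1 <= int(group_id) <= 4094):
            return int(group_id)
    return None


if __name__ == "__main__":
    group = sys.argv[1] if len(sys.argv) > 1 else "ITAdmin"
    accept = build_vlan_attributes(group)
    print(f"ACS returns for {group}: {accept.hex()}")
    print(f"WLC assigns VLAN: {vlan_from_access_accept(accept)}")
```

Run it with a group name from the constructed table to see the hex the ACS would send and the VLAN the WLC would derive from it. The consistency check is the point worth keeping in mind when troubleshooting: if the ACS returns only Tunnel-Private-Group-ID, or returns Tunnel-Medium-Type as something other than 802, the controller has no valid override and the client silently lands on the WLAN's default VLAN.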