02-13-2012 11:02 AM - edited 03-10-2019 06:49 PM
Actually I have a lab with ACS 5.3 running with 802.1x, but when the user is successfully authenticated, it's assigned an IP address from the DHCP server. Is there a way to assign a static IP address depending on the login username?
Regards,
Juan Carlos Arias
02-13-2012 11:09 AM
Hello,
Would this be for External Database Users like AD or LDAP? Or would it be for ACS Internal Accounts?
Regards.
02-13-2012 11:11 AM
Hello Carlos,
Would be for AD.
Regards,
Juan Carlos Arias
02-13-2012 11:24 AM
Juan Carlos,
On ACS 5.x we can get the scenario working, but we need to define the Static IP Address users on the Internal ACS database as well. I have not managed to configure it in a different way.
I have handled one or two cases with this request and we always get it working as described on the attached document.
NOTE: The document refers to a RADIUS Identity Server (ACS 4.x). You can refer on your ACS to AD1 instead.
If this was helpful please rate.
Regards.
02-13-2012 12:49 PM
Hi Carlos,
I followed all the steps from your file, but the IP address I wish to be assigned (192.168.240.29) is not; it's getting an IP address from the DHCP pool (192.168.240.26).
Any idea where I can check this issue?
This is a log from Radius Authentication:
User-Name=MONARCH\juancarlos.arias |
I appreciate your time.
Regards,
Juan Carlos Arias
02-13-2012 12:57 PM
Juan Carlos,
I am assuming this is for 802.1x wired. In that case, is the switch configured with the "aaa authorization network" command?
Regards.
02-13-2012 02:31 PM
Hi Carlos, yes, that line is configured, this is my IOS device configuration:
aaa group server radius RADIUS-Auth
 server name RADIUS-8021x
!
aaa authentication enable default group RADIUS-Auth
aaa authentication dot1x default group RADIUS-Auth
aaa authorization config-commands
aaa authorization network default group RADIUS-Auth
aaa authorization auth-proxy default group RADIUS-Auth
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS-Auth
aaa accounting system default start-stop group RADIUS-Auth
!
radius server RADIUS-8021x
 address ipv4 192.168.240.174 auth-port 1645 acct-port 1646
 key 7 0822434008090004110A
!
02-13-2012 02:39 PM
Juan Carlos,
Performing deeper research, I found the answer:
"The IEEE 802.1x standard does not provide a mechanism for IP address assignment. Therefore, configuration of the Framed-IP-Address and Framed-IP-Netmask attributes as Reply-Items in a user’s profile will have no effect. Either a DHCP server should be used, or the station should be configured with a static IP address."
The Framed-IP-Address attribute works for VPN Connections but not for 802.1x.
I hope this clarifies it.
Regards.
02-13-2012 02:51 PM
Bad news Carlos
Thanks for your complete explanation and your time.
One last question: I remember that I could do this with ACS v4.2. I'm not sure, but I don't want to waste time configuring a lab with this ACS version. Is this true?
Regards,
Juan Carlos Arias
02-13-2012 03:20 PM
Hello Juan Carlos,
ACS 4.x had the option to configure a Static IP address under the User Setup:
However, I do not remember off the top of my head if ACS 4.x included that value under the Framed-IP-Address as well, which should not work on 802.1x either.
Please, mark the RFC response as correct if you feel it clarified your concern.
Regards.
02-13-2012 03:40 PM
Ok Carlos, thanks for your answers, I already voted at the beginning for your comments.
Regards,
Juan Carlos Arias
06-27-2014 08:24 AM
Hi,
How can I specify the subnet mask that I want to apply to the assigned IP address?
Because the ACS applies the default mask (the mask of the IP class, e.g. if we give a user 10.8.8.9 as an address, the ACS applies the mask 255.0.0.0 to it).
How can I specify that it should apply a /24 mask?
02-13-2012 02:41 PM
Juan Carlos,
You can find the same information in the RFC for 802.1x:
http://www.rfc-editor.org/rfc/rfc3580.txt
3.7. Framed-IP-Address, Framed-IP-Netmask
IEEE 802.1X does not provide a mechanism for IP address assignment. Therefore the Framed-IP-Address and Framed-IP-Netmask attributes can only be used by IEEE 802.1X Authenticators that support IP address assignment mechanisms. Typically this capability is supported by layer 3 devices.
If this was helpful please rate.
Regards.
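Added example, not part of the original thread: a Python sketch that parses a constructed RADIUS exchange and reports the Framed-IP-Address and Framed-IP-Netmask reply items discussed above, flagging when the request came from an 802.1X port type (NAS-Port-Type Ethernet or Wireless-802.11), where RFC 3580 section 3.7 says the attributes only take effect on authenticators that support IP assignment. The helper names, the zeroed authenticator and the 255.255.255.0 mask are assumptions made for the sample.

```python
import ipaddress
import struct

# RADIUS attribute types and values from RFC 2865 / RFC 3580
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, NAS_PORT_TYPE = 8, 9, 61
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
DOT1X_PORT_TYPES = {15, 19}  # Ethernet, Wireless-IEEE 802.11

def attr(a_type, value):
    """Encode one attribute as type, length (header included), value."""
    return bytes([a_type, len(value) + 2]) + value

def packet(code, attrs):
    """Build a RADIUS packet with a zeroed authenticator (constructed sample only)."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", code, 1, 20 + len(body), bytes(16)) + body

def parse(pkt):
    """Return (code, {attribute type: [values]}) after validating every length field."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad packet length")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(pkt[off], []).append(pkt[off + 2:off + pkt[off + 1]])
        off += pkt[off + 1]
    return code, attrs

def framed_ip_report(request, accept):
    """Report Framed-IP-* reply items and whether the request used an 802.1X port type."""
    _, req = parse(request)
    code, rep = parse(accept)
    if code != ACCESS_ACCEPT or FRAMED_IP_ADDRESS not in rep:
        return None
    mask = rep.get(FRAMED_IP_NETMASK)
    port = req.get(NAS_PORT_TYPE)
    return {
        "ip": str(ipaddress.IPv4Address(rep[FRAMED_IP_ADDRESS][0])),
        "mask": str(ipaddress.IPv4Address(mask[0])) if mask else None,
        # True: per RFC 3580 s3.7 a layer-2 authenticator has no way to apply the address
        "dot1x_port": bool(port) and struct.unpack("!I", port[0])[0] in DOT1X_PORT_TYPES,
    }

# Constructed sample exchange; the address is the one the thread tried to assign
SAMPLE_REQUEST = packet(ACCESS_REQUEST, [attr(1, b"MONARCH\\juancarlos.arias"),
                                         attr(NAS_PORT_TYPE, struct.pack("!I", 15))])
SAMPLE_ACCEPT = packet(ACCESS_ACCEPT, [attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.240.29").packed),
                                       attr(FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed)])
```

A `mask` of `None` in the report means the Access-Accept carried no Framed-IP-Netmask at all, which is the case to look for when a device falls back to a default mask.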
02-13-2012 11:18 AM
Sorry, I selected the wrong option, I selected answer correct. Do I have to re-open?
02-13-2012 11:25 AM
Juan Carlos,
Do not worry. Refer to the answer above.
Regards.