
ACS to assign vlans and MAC address from AD database

sidcracker
Level 1

Hello,

Is it possible for the MAC details to be populated in the Active Directory database? We are integrating AD into ACS 5.2. So the plan is that whenever a client connects to the switch, the ACS server will authenticate the MAC details from the AD container and also assign the VLAN for the user based on the user or MAC address.

Is this something that can be done? Any documents on this scenario? I am quite familiar with integrating AD into ACS and device management. But not too sure about MAB and assigning vlans to users.

Any help will be appreciated

Thanks

Shyam

3 Replies

mansrini
Cisco Employee

Shyam,

It is not typical to populate MAC addresses in AD. You can populate the MAC addresses in the ACS database under the 'internal hosts' section. You could then create an ID sequence by making the ACS check for the MAC address first and then let it go to AD if it is a user auth. Tie this identity sequence to the access policy. For the ACS to assign VLANs, create an authorization profile under 'authorization --> network access', go to 'common tasks', choose VLAN ID, set it to static and give it the VLAN ID. Once you create this, tie this profile to the access policy authorization criteria you create for 802.1x users. Hope this helps.

Thanks,

Mani
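To make the identity sequence and the static-VLAN authorization profile Mani describes concrete, here is an added example that is not from this thread or from ACS itself: it simulates the lookup order (internal hosts by MAC first, then AD for a user credential) and builds the standard IETF RADIUS VLAN attributes that a static VLAN ID in an authorization profile produces. The host and user tables, MAC values and password are constructed sample data.

```python
import re

# Constructed sample data standing in for the ACS 'internal hosts' store
# and the AD user store (not real ACS or AD data).
INTERNAL_HOSTS = {
    "0011.2233.4455": {"desc": "printer-floor2", "vlan": "20"},
    "0011.2233.6677": {"desc": "ip-phone", "vlan": "30"},
}
AD_USERS = {"shyam": {"password": "constructed-pw", "vlan": "10"}}

TUNNEL_TYPE_VLAN = 13      # RADIUS Tunnel-Type = VLAN (RFC 2868)
TUNNEL_MEDIUM_IEEE802 = 6  # RADIUS Tunnel-Medium-Type = IEEE-802


def normalize_mac(username):
    """Return the MAC in Cisco dotted form, or None if the User-Name is not a MAC.
    MAB sends the MAC as the RADIUS User-Name in several formats
    (xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx, xxxx.xxxx.xxxx, xxxxxxxxxxxx)."""
    if re.search(r"[^0-9a-fA-F:.\-]", username):
        return None
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", username).lower()
    if len(hexdigits) != 12:
        return None
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def vlan_attributes(vlan_id):
    """The attributes a static-VLAN authorization profile puts in the Access-Accept;
    the switch moves the port into this VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize(username, password=None):
    """Identity sequence: internal hosts (MAB) first, then AD (user auth)."""
    mac = normalize_mac(username)
    if mac is not None:
        host = INTERNAL_HOSTS.get(mac)
        if host is None:
            return {"result": "reject", "reason": "MAC not in internal hosts"}
        return {"result": "accept", "store": "internal-hosts", "attrs": vlan_attributes(host["vlan"])}
    user = AD_USERS.get(username.lower())
    if user is None or password != user["password"]:  # stand-in for the AD bind
        return {"result": "reject", "reason": "AD authentication failed"}
    return {"result": "accept", "store": "AD", "attrs": vlan_attributes(user["vlan"])}
```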

Thanks Mansrini,

This really helps. I have heard of people populating the MAC addresses on LDAP.

If the customer has AD, then would they have to configure a new LDAP for this to make this feature work?

Thanks

Shyam


Shyam,

Firstly, MAB is a feature designed to authenticate resources such as IP phones, printers etc. because a lot of them don't support typical auth mechanisms.

If your intention is to make sure the user and also the computer he is coming from is part of the domain, you should consider doing a machine authentication (auth based on the computer name that will be in the 'domain computers' store in AD) and combine that with a feature called MAR (Machine Access Restriction) on ACS which maps machine auth to user auth and makes sure the user is indeed logging into the computer that belongs to your domain. But when it comes to MAB and if you want to populate them on LDAP or AD, I am not really sure and I haven't seen anybody do that so far.

Thanks,

Mani