Cisco ACS 5.3 Newbie

cisco-cit
Level 1

Hi Guys,

I am looking at setting up a Cisco ACS 5.3 for MAC address based VLANs on a 2960 switch.

Has anyone done this before? Basically what I want is:

1. Have a list of devices specified in the ACS with their MAC address

2. Connect the switch to the ACS

3. When a device is plugged in, the switch should check with the ACS onto which VLAN the host should be on.

Thanks.

Accepted Solution

In ACS you should configure authentication to use "Internal Hosts" (which is the MAC address database) and authorization to use "authentication profiles" (this is where you configure what VLAN to use).

If you are starting out, I would recommend you test only authentication first. Then, if everything is all right, you can add the authorization.

On the switch side you will need to configure something like this:

aaa new-model
!
! Enables the authentication manager globally; MAB does not run without it.
dot1x system-auth-control
!
radius-server host x.x.x.x key PASSWORD
radius-server vsa send authentication
!
aaa group server radius ACS
 server x.x.x.x
!
aaa authentication dot1x default group ACS
! Network authorization is what applies the VLAN returned by the ACS.
aaa authorization network default group ACS
aaa accounting dot1x default start-stop group ACS
!
interface GigabitEthernetX/X
 ! Port authentication only works on an access port.
 switchport mode access
 mab
 authentication order mab
 authentication port-control auto
 dot1x pae authenticator

Please rate if it helps


7 Replies

Eduardo Aliaga
Level 4

I guess that step 2 should say "connect the host to the switch".

Please could you be more specific on what you're trying to achieve?

Hi,

Effectively what I want is to have a list of known devices' (laptops/desktops) MAC addresses stored on the ACS.

When a device is connected to a switch it should talk to the ACS and check if the mac address is known. The ACS should also tell the switch which VLAN to put it into.

Does this make sense?

I am not sure how to make the switch talk to ACS when a device is plugged into a port.


Thanks,

I can't see what you have posted about the switch though.

Ok got it working to a certain extent.

I have internal hosts and I have managed to get them to get network access with an Authorization Profile which gives them access and puts them in a VLAN.

Next question is how can I get different host groups to use different Authorization profiles?


cisco-cit
Level 1

Thanks Mate,

Looking at the switch, I don't appear to have the mab command in interfaces.

It comes up on some other switches though.

I have also not been able to see where to link "authentication profiles" to "hosts".
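As an added example (not code from this thread or from Cisco ACS itself), this sketches the linkage the accepted answer describes and that the last two posts ask about: internal hosts looked up by MAC address, each host in a host group, and each group tied to an authorization profile whose VLAN goes back to the switch in the RADIUS Access-Accept as the standard tunnel attributes. The host table, group names, profile names and VLAN IDs are constructed sample values.

```python
import struct

# Constructed sample of the ACS "Internal Hosts" table: MAC -> host group.
# The hosts and group names are made up for this example.
INTERNAL_HOSTS = {
    "00:11:22:33:44:55": "Corporate-Laptops",
    "aa:bb:cc:dd:ee:01": "Printers",
}

# One authorization profile per host group (constructed names and VLAN IDs).
AUTHZ_PROFILES = {
    "Corporate-Laptops": {"profile": "Corp-VLAN", "vlan": 10},
    "Printers": {"profile": "Printer-VLAN", "vlan": 20},
}

def normalize_mac(username: str) -> str:
    """MAB puts the MAC in the RADIUS User-Name; switches format it differently
    (0011.2233.4455, 00-11-22-33-44-55, 001122334455). Canonicalise it first."""
    digits = "".join(c for c in username.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {username!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def radius_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def vlan_attributes(vlan: int, tag: int = 1) -> bytes:
    """The three IETF tunnel attributes an Access-Accept carries for dynamic
    VLAN assignment (RFC 2868 / RFC 3580), each value prefixed by a tag byte:
    Tunnel-Type(64)=VLAN(13), Tunnel-Medium-Type(65)=IEEE-802(6),
    Tunnel-Private-Group-ID(81)=VLAN ID as a string."""
    t = bytes([tag])
    return (radius_avp(64, t + (13).to_bytes(3, "big"))
            + radius_avp(65, t + (6).to_bytes(3, "big"))
            + radius_avp(81, t + str(vlan).encode()))

def authorize_mab(username: str):
    """Decision for one MAB request: (profile name, attribute bytes) for a
    known host, or None when the MAC is unknown (an Access-Reject)."""
    try:
        group = INTERNAL_HOSTS.get(normalize_mac(username))
    except ValueError:
        return None
    if group is None:
        return None
    prof = AUTHZ_PROFILES[group]
    return prof["profile"], vlan_attributes(prof["vlan"])
```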
