
Cisco ACS 5.1 and MAC address identification/quarantining

brian.k.clarke
Level 5

A client is rolling out ACS 5.1, with the eventual intent of customizing network access based on Active Directory credentials (user/group, etc.) – ACLs and VLAN restrictions will be implemented as part of a “2nd phase” deployment. For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port. If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.

I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access). What I don’t know for sure (and haven’t yet been able to find) is if ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.

Please confirm, and as always, reference links/docs are appreciated.
