dot1x with ODAP & RADIUS

Hi folks, it's been a while

I'm trying to set up an enterprise network with Windows AD working as DC, a lot of Cisco switches (3550, 3750, 4900 and so on) and routers as well.

What I need to do is to make, somehow, the lives of our IT admins easier. I'm planning to implement dot1x (no, this is not the way of making their lives better, yet you know that the road to hell is paved with good intentions), but I also want to use Microsoft's AD as the place where the users' IP addresses are kept. I set Cisco SecureACS to work as a RADIUS server and started to play with dot1x features. Everything works as expected, but I'm looking for a way to provide the DHCP server with information which is written within the Domain Controller for each user.

For instance, I have user "johnd1" who is a member of group "finance". What I did is to separate all divisions/departments into separate VLANs. As soon as user johnd1 is logged in, he gets served by his VLAN ID (the SecureACS is reading the Windows DC information, and groups of ACS and Windows DC are mapped 1:1). The group finance is applied for specific dot1x settings (about the dot1q tag) and the DHCP relay option is used as well. As I said, everything works: the user receives the proper VLAN ID; once he has it, he starts looking for a DHCP server; then the DHCP relay takes his DHCP-Request and, thanks to the giaddr option, he receives an IPv4 address from a specific IP pool (previously configured on the DHCP server).

I want to use the field of the MS DC that is intended for the VPN address (and it's able to provide the user with a static route also by using the FRAMED-ROUTE RADIUS attribute). Does any of you guys know if that is possible? I found out about this ODAP feature, which has primarily been invented for MPLS VPNs, yet it supports non-MPLS scenarios also. Is there a way to use this information for providing the user with THIS exact IP address (written within his properties on the Domain Controller) by DHCP? Or if the answer is NO, is it somehow possible for the DHCP server to read the information from the RADIUS database?

I forgot to tell you that I'm talking about WIRED dot1x users, not WiFi (since there is an option to preserve the user's IP address/to associate user & IP).

Thanks in advance!
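The two hops the post describes (ACS mapping an AD group to a VLAN via the RADIUS Tunnel-* attributes, then the DHCP relay's giaddr selecting a scope), modelled as an added example that is not part of the original post; group names, VLAN numbers, SVI addresses and scopes are constructed, and the check at the end flags the precondition any attempt to honour a per-user Framed-IP-Address from AD must satisfy, namely that the stored address lies inside the subnet the relay will actually present to the DHCP server.

```python
import ipaddress

# Constructed sample data (not the poster's environment): AD/ACS group -> VLAN,
# the relay agent (SVI) address per VLAN, and the DHCP scopes the server holds.
GROUP_TO_VLAN = {"finance": 20, "engineering": 30}
VLAN_SVI = {20: "10.20.0.1", 30: "10.30.0.1"}
DHCP_SCOPES = [ipaddress.ip_network("10.20.0.0/24"),
               ipaddress.ip_network("10.30.0.0/24")]


def access_accept(user, group, static_ip=None, route=None):
    """RADIUS Access-Accept attributes ACS would return for a wired dot1x user.
    The Tunnel-* triplet carries the VLAN (RFC 3580); Framed-IP-Address and
    Framed-Route are the per-user AD dial-in fields the post wants to reuse."""
    attrs = {"User-Name": user,
             "Tunnel-Type": "VLAN",
             "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-ID": str(GROUP_TO_VLAN[group])}
    if static_ip:
        attrs["Framed-IP-Address"] = static_ip
    if route:
        attrs["Framed-Route"] = route
    return attrs


def select_scope(giaddr):
    """DHCP server side: the relay sets giaddr to the VLAN's SVI address and
    the server chooses the scope whose subnet contains that address."""
    g = ipaddress.ip_address(giaddr)
    for scope in DHCP_SCOPES:
        if g in scope:
            return scope
    raise LookupError(f"no scope serves giaddr {giaddr}")


def check_user_placement(attrs):
    """Follow one user through both hops and report whether the static address
    carried in the Access-Accept could ever be served from the scope the relay
    selects; a False here means AD and the VLAN plan disagree for this user."""
    vlan = int(attrs["Tunnel-Private-Group-ID"])
    scope = select_scope(VLAN_SVI[vlan])
    static_ip = attrs.get("Framed-IP-Address")
    in_scope = static_ip is not None and ipaddress.ip_address(static_ip) in scope
    return {"vlan": vlan, "scope": scope, "static_ip": static_ip,
            "static_ip_in_scope": in_scope}
```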
