Showing results for 
Search instead for 
Did you mean: 

ACS 4.2 MAC authentication and dynamic vlan assignment


Is this possible to do with ACS 4.2? Is there a suitable document on this? There is no access to NAC.



4 Replies 4

ali aqrabawi

yes it's very so much quite possible ,


++see below Doc :


read "Configure Radius Authorization Components"


these are the three attributes need to be configured for vlan ID override :

•Tunnel-Type (attribute 64)—Specifies the type of tunnel that is set up for the user to connect. In the sample RACs, this value is set to type 10, VLAN, which indicates that the user is granted access to a VLAN that is configured on the switch.

•Tunnel-Medium-Type (attribute 65)—Indicates which protocol to use over the tunnel. In the sample RACs, this is set to type 6, which specifies an 802 protocol. In the NAC/NAP environment, this is the 802.1x protocol.

•Tunnel-Private-Group-ID (attribute 81)—Indicates the group ID for the VLAN tunnel. In the sample RAC, this is set to Quarantine, which denotes a quarantine VLAN to which devices are assigned. In actual practice, you should set this value to a value that is configured on the switch.


+++on the WLC enable MAC filtering and aaa override on the WLAN,


++add the MAC address on the radius server as username and password , 

Cisco Employee
Cisco Employee

Please refer to the below link :

Cisco Employee
Cisco Employee

Many hosts that ACS authenticates run agent software that requests access to network resources and receives authorization from ACS. However, some hosts do not run agent software. For example:

Many 802.1x port security deployments authenticate hosts that do not have appropriate security agent software, such as Cisco Trust Agent.

When an agentless host is connected to a Layer 2 device and an Extensible Authentication Protocol over User Datagram Protocol timeout (EoU timeout) occurs, in-band posture validation cannot occur.

ACS solves this problem by using the MAC address of the host device to identify and authenticate the host. This technique is called MAC authentication bypass (MAB).

Prakash Parvathala

 Configure ACS for Dynamic VLAN Assignment

Dynamic VLAN assignment is one feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as Cisco Secure ACS. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.

Please refer the below link for the complete configuration guide .

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers