Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
691
Views
5
Helpful
5
Replies

ACS 5.2

NAVIN PARWAL
Level 2
Level 2

‎03-08-2012 08:39 PM - edited ‎07-03-2021 09:45 PM

Folks,

          I am new to ACS5.2, I am setting up a wirless network and want to write a policy where desktops will go in a specific vlan and laptops would go in a specific vlan. I am reading documentation on ACS 5.2 and it does talk about device type. Any anyone point me in the right direction, how to use this attribute to authenticate based on device type (desktop or laptop).

Thanks,

Parwal

Labels:
0 Helpful
5 Replies 5

Scott Fella
Hall of Fame
Hall of Fame

‎03-08-2012 09:42 PM

Well this will be pretty hard to explain:)

First off you will need to do 802.1x on both your wired and wireless (I'm going to assume you know how to do this).  Then I would define your NDG (network device groups) which state switches, routers, wireless.  This will help in defining your polices under Access Polices | Default Network | Access.  To specify the vlan you want place the device on, you would configure Authorization Profiles.  This is located in the Policy Elements | Authorization Profiles | Network Access.  You will need to create a new Authorization Profile, enter a name and description, click on Common Task and define your VLAN as Static and enter the vlan under the value

Then in your Access Policy, you would add your Policy Element you just created.  I also specified what devices this policy should be applied to (NDG)  See below:

That is it in a nutshell:)

-Scott
*** Please rate helpful posts ***

NAVIN PARWAL
Level 2
Level 2
In response to Scott Fella

‎03-09-2012 06:50 AM

Anyway I can distinguish between laptops and PDA's on ACS 5.2?

Your example only includes controllers which are added on the ACS server.

If I want to distinguish between Laptops and PDA's and send different vlans to them, how would i do that as they are only clients?

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to NAVIN PARWAL

‎03-09-2012 06:59 AM

You would need ISE for that. With ACS you can differentiate between a wired and wireless. Now for a laptop on your domain, you can use machine authentication and the policy would point to AD computer group. The PDA's would authenticate using peap and that is one way of forcing a vlan change.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
0 Helpful

George Stefanick
VIP Alumni
VIP Alumni
In response to Scott Fella

‎03-11-2012 10:23 AM

Scott, plus 5+...

I didnt realize you were a master at 5.2 .. I may need to hit you up on some questions!

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to George Stefanick

‎03-11-2012 10:26 AM

Haha. No problem George. Anytime... I lab a lot of stuff for my company so I get to see what works and doesn't.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card