09-22-2009 12:56 AM - edited 07-03-2021 06:04 PM
I've got some problems with NARs in ACS 4.2.
I have got two AD groups: 1=Wired Users, 2=Wireless Users
Wired Users = ACS group 10, Wireless Users = ACS group 20.
I want to put wired users via 802.1x in VLAN 10 on the access switches.
I want to put wireless users via 802.1x in VLAN 20 on WLCs.
A laptop is a member of both AD groups (can work wired and wireless).
Problem is that the user is always authenticated in ACS group 10, because that's the first match. With AAA override, the user will always be placed in VLAN 10.
I tried to make a NAR (IP based, also tried CLI/DNIS) that permits only the IP addresses of switches to access ACS group 10 for wired users, and a NAR to permit only access from the WLC and a specific SSID to access ACS group 20.
When the laptop is wired, everything is OK: authentication is in ACS group 10, VLAN 10.
When the laptop is wireless, it goes wrong. Authentication is still in ACS group 10, but fails because of the NAR.
I would like the ACS to skip ACS group 10 by NAR, but continue authentication in group 20 to correctly assign VLAN information.
How can this be achieved?
09-22-2009 06:25 AM
Hi Luke,
In this case you need to set up a NAP ("Network Access Profile"). Here you will define that if a request comes from the WLC, it should be mapped to the wireless user group, and if it comes from wired, it should go to the wired group.
Check this link,
You need to Add profile; in the filter option choose your NAS IP address (WLC).
Then you need to set up a RAC in shared profile components, using IETF attribute no. 81 (VLAN number).
Finally in the NAP you need to set up Authorization, choose the group and map it to the RAC.
Regards,
~JG
Do rate helpful posts
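To make the difference between the two approaches concrete, here is a small Python model of the policy evaluation the thread describes. It is an added example, not code from the thread or from Cisco ACS, and it simplifies ACS behaviour to the two points that matter here: group mapping is first-match, a NAR only rejects a request after the group has already been chosen, whereas a NAP classifies the request by NAS IP before any group lookup. The NAS addresses, the group-to-VLAN numbers and the profile names are constructed for the example; the RADIUS attribute numbers (64 Tunnel-Type, 65 Tunnel-Medium-Type, 81 Tunnel-Private-Group-ID) are the standard IETF ones.

```python
"""
Toy model of two ACS 4.x authorization paths (constructed example):

- NAR (Network Access Restriction): a per-group filter applied AFTER
  first-match group mapping has already picked the group.
- NAP (Network Access Profile): the request is classified by NAS IP
  FIRST, and each profile carries its own group -> RAC (VLAN) mapping.
"""
from dataclasses import dataclass

# Standard IETF RADIUS attributes carried in a VLAN-assigning RAC
ATTR_TUNNEL_TYPE = 64          # value 13 = VLAN
ATTR_TUNNEL_MEDIUM_TYPE = 65   # value 6  = IEEE 802
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN id, sent as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


@dataclass(frozen=True)
class Request:
    user: str
    nas_ip: str            # address of the switch or WLC that sent the request
    ad_groups: frozenset   # AD groups the account belongs to


# Constructed NAS addresses (not from the thread)
SWITCHES = frozenset({"10.0.0.1", "10.0.0.2"})
WLCS = frozenset({"10.0.1.1"})

# Global group mapping as in the thread: evaluated top-down, first match wins
GROUP_MAPPING = [("Wired Users", 10), ("Wireless Users", 20)]

# NAR per ACS group: only these NAS IPs may use the group
NAR = {10: SWITCHES, 20: WLCS}

# VLAN id per ACS group (in the thread the VLAN number equals the group number)
RAC_VLAN = {10: 10, 20: 20}


def vlan_attributes(vlan: int) -> dict:
    """Build the attribute set a RAC would return for a VLAN assignment."""
    return {
        ATTR_TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        ATTR_TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_802,
        ATTR_TUNNEL_PRIVATE_GROUP_ID: str(vlan),
    }


def first_match_group(ad_groups: frozenset, mapping=GROUP_MAPPING):
    """ACS group mapping: the first AD group in the ordered list that the
    account belongs to decides the ACS group; later entries are never tried."""
    for ad_group, acs_group in mapping:
        if ad_group in ad_groups:
            return acs_group
    return None


def authorize_with_nar(req: Request):
    """NAR path: group is fixed by first match, then the NAR filters the NAS.
    A user in both AD groups coming from the WLC lands in group 10 and is
    rejected; ACS does not fall through to group 20."""
    group = first_match_group(req.ad_groups)
    if group is None or req.nas_ip not in NAR[group]:
        return ("Access-Reject", None)
    return ("Access-Accept", vlan_attributes(RAC_VLAN[group]))


# NAP path: profiles are selected by NAS IP, each with its own mapping and RAC
NAPS = [
    {"name": "wired", "nas_ips": SWITCHES,
     "mapping": [("Wired Users", 10)], "rac": {10: 10}},
    {"name": "wireless", "nas_ips": WLCS,
     "mapping": [("Wireless Users", 20)], "rac": {20: 20}},
]


def authorize_with_nap(req: Request):
    """NAP path: classify by NAS IP first, then map groups inside that profile.
    Requests from an unknown NAS match no profile and are rejected."""
    for nap in NAPS:
        if req.nas_ip in nap["nas_ips"]:
            group = first_match_group(req.ad_groups, nap["mapping"])
            if group is None:
                return ("Access-Reject", None)
            return ("Access-Accept", vlan_attributes(nap["rac"][group]))
    return ("Access-Reject", None)


if __name__ == "__main__":
    laptop_groups = frozenset({"Wired Users", "Wireless Users"})
    for nas_ip in ("10.0.0.1", "10.0.1.1"):
        req = Request("laptop1", nas_ip, laptop_groups)
        print(nas_ip, "NAR:", authorize_with_nar(req), "NAP:", authorize_with_nap(req))
```

Running the block shows the wired request succeeding on both paths with VLAN 10, while the wireless request from the WLC is rejected on the NAR path and gets VLAN 20 on the NAP path. The default reject for a NAS that matches no profile is a deliberate choice in this model so that an unexpected device never falls into a VLAN by accident.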
09-22-2009 06:46 AM
JG
First of all, thank you for your reply. I don't actually understand what you are writing.
In my situation there are 4 AD groups:
- 1: Wired-Users (ACS Group 20)
- 2: Wireless-Users1 (ACS Group 128)
- 3: Wireless-Users2 (ACS Group 130)
- 4: Wireless-Users3 (ACS Group 132)
All 1200 laptops are in AD Group 1
400 laptops are in AD Group 2
400 laptops are in AD Group 3
400 laptops are in AD Group 4
When connecting my laptop to the wired network, the laptop will be authenticated by ACS Group 20. ACS assigns a VLAN ID of 20. That is OK.
When connecting my laptop to the wireless network, the laptop will still be authenticated in ACS group 20. ACS wants to send VLAN ID 20 to the WLC. The WLC doesn't know VLAN ID 20 and puts all the wireless clients in VLAN 128 (the dynamic interface linked to the WLAN). What I want is that the wireless attempts are handled by Group 128, 130 or 132, not by Group 20. I tried to use NARs, but without success.
Maybe you can give me some good advice?
Thanx a lot!
09-22-2009 07:22 AM
NAR will not help in this case. We need to set up a NAP.
Did you check that link in my last post? Would it be possible for you to open a TAC case?
That way it would be easier for us to guide you through the configuration.
Regards,
~JG
Do rate helpful posts
09-23-2009 01:20 AM
JG
Thanx a lot for the reply. I did read the document this morning. Things became clear to me. Did some experimentation and some tests and voila! Problem solved!
Thanx again.
Regards
Remco
09-24-2009 03:40 AM
JG
I also have a problem with MAB and NAP. Did a new post. Do you have an answer for this too?
Thanx a lot!