Cisco ACS, multiple CA, assignment of VLAN relevant to the domain

Similar Questions

• Dynamic assignment of VLANS / SSID using the IAS 4402/MS

  Greetings,

  In short, we have a WLC4402 (50 AP license) and about 30 1252 s towers in place. At the moment we have three VLANS / SSID in place - one for admin, to teachers and students. The WLC uses a server for MS Windows 2003 running IAS for PEAP authentication. Windows XP, the SSID clients entered manually based on "prior designation" 'type' laptop (admin, teacher or student).

  It works very well. However more frequently our users were 'sharing' portable computers so a student can need to use his laptop computer and vice versa. In short, we would like to use the dynamic assignment of VLANS / SSID as well as if a student has the teacher, 'students' laptop VLAN / SSID would receive them when connect (and apply the appropriate ACL, QoS policies, etc.)

  We have found the documents on how to do that with a CBS, but is there something available for this configuration with a MS IAS server.

  All entry information would be greatly appreciated.

  Joe

  The installer works fine with the Server IAS Ms. You must set the options for RADIUS (3 of them) which are documented in the ACS similar article of the same ilk. You can have one SSID, using RADIUS authentication and have the Active Directory to determine the membership to a vlan based on the group.

  The RADIUS attribute parameters are

  Tunnel-Type = Vlan

  Tunnel-Pvt-Group-ID = vlanid

  Tunnel-Medium-Type = 802

  I also like to set

  Ignore-User-Dialin-Properties = True

  You must create some policies in IAS to match your windows groups and set the id vlan correct. A separate policy of IAS by vlan.

  Set the attributes RADIUS by political IAS and ad group or however you plan on the determination of the membership.

  If you want to use RADIUS for administration, you must also define a separate policy that defines the RADIUS of the Service Type administrative = attribute

  Jim

• Assignment of VLAN dynamic of the Web authentication

  In a firmware WLC 4402 v.5.2.157 is possible to assign users to one VLAN dynamic based on the RADIUS response received from ACS?

  Yes and no. You can do for a WLAN 802.1 x internal, that the customer does not get an IP address, until they have completed the authentication process. To do this, you use 64/65/81, 64 802, 65 VLAN and to 81 use the name of the interface, not the number VLAN. you will also need to make sure you have AAA Overrided activated under the WLAN.

  If, as is said for Web authentication, the answer is no. The client has an IP address before being validated by the AAA server.

  HTH,

  Steve

• Cisco ACS 5.2: How "service account" exempt from the life of password policy

  We have a GBA policy to disable the user account (user internal store name) after X days if the password is not changed.

  However, it creates challenges 'service accounts' servers NM. My goal is to exclude these password change service accounts. in other words, their passwords must not be updated.

  How to configure ACS to do this?

  THX

  Eric

  Hello

  I don't think it's an option.

  Dan

• Assignment of VLAN dynamic RADIUS ACS 5.2 Server with NAC

  We are trying to reduce the number of ssid in our network wireless with assignment of vlan dynamic with the acs. Our problem is that we use Cisco NAC so with assignments of vlan dynamic user will be checked by the NAC. Agent of Cisco sometimes pop up and do nothing to do or give a message cannot locate server. We even got an OOB error. Someone used a VLAN dynamics with the acs and the NAC successfully? The NAC is Out of Band

  Hello

  I supported oob nac and wireless and your efforts to make the dynamic assignment of VLANs will not work because of the way in which him vlan quarantine and access are mapped to this ssid.

  This work in in-band mode, however your design. This WLAN key needs to exist because the Manager sends the snmp trap to move the client from quarantine access.

  Just as a note, I'm sure you are aware is that ISE is the evolution of the acs and the NAC. Basically this your solution to reduce the skates and posturing of the customers.

  Sent by Cisco Support technique iPad App

• Assignment of VLANS by MAC address on a 6248

  Hello

  We have a mixture of 5548 and 6248 switch batteries, all updated to the latest fw, grouped on a 8024f.

  We add 560 Polycom phones to our network and want to assign phones to the voice VLAN and use the internal switch on the phone to the computer workstation.

  The 5548 have the handy table YES, the:

  VLAN voice Yes-table add 00907 Polycom/Veritel_phone___

  It works a treat and the assignment of VLANS for phone and PC works beautifully on the 5548.

  However, the 6248 legacy does not have this feature.

  Am I right assuming that we cannot assign addresses MAC Polycom-issued to one VLAN specific on switches 62XX as 55XX switches on? We are left with assigning simply labeled the voice VLAN? I'm afraid non-voix tag traffic for some applications will be treated badly as voice.

  What is the best way to do it? Here are the General config we will stop for the 6248:

  Configure
  database of VLAN
  VLAN 10 100

  interface vlan 10
  name "VoIP."
  output

  interface vlan 100
  name 'data network '.
  Routing
  IP 10.1.10.1 255.255.255.0
  output

  Example config for a switchport with Polycom and PC phone
  !
  interface ethernet 1/g1
  switchport mode general
  switchport General pvid 100
  No switchport acceptable-framework-type general tag only
  VLAN allowed switchport General add 100
  switchport general allowed vlan add 10 tag
  switchport vlan allowed General remove 1
  output
  !

  The 6248 uses a Broadcom firmware and the 5548 uses a Marvell firmware, that's why we see the differences in the characteristics. The 6248 has no YES table as the 5548. Here is the basic configuration of VLAN voice on the 6248.

  1.

  To start creating a VLAN voice, create it first VLAN database mode for VLAN.

  Console # console (config) # vlan database console(config-vlan) # vlan 2 console (config - vlan) #exit console (config) #.

  2.

  Then, globally enable the Vlan voice.

  Console (config) # vlan VoIP

  3.

  In the configuration of interface for the desired port mode, assign it VLAN to the port using general mode. Then, assign it VLAN voice on the port with the command vlan vlan id #.

  Console (config) # interface console item in gi1/0/10 # switchport general console mode # vlan 2 voice

  There is also this white page that goes over the process.

  www.Dell.com/.../pwcnt_voice_VLAN_support.pdf

  A workstation sends no marked traffic, and will be placed on the general mode port PVID. In this case, it seems that your PVID is VLAN 100, therefore all workstation traffic will go to this VLAN. I'm not aware of a situation where the traffic of the workstation would be confused with traffic voice and placed on the VLAN incorrect, you have a specific situation / application where you think this can happen? I can do some research on this scenario to help alleviate any concerns.

  Thank you

• With the help of Cisco ACS 5.2 (GANYMEDE +) with other than Cisco devices

  Hi all

  I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their nodes (other than Cisco) network via GANYMEDE + involved nodes are

  Juniper M10i running Junos 9.2, M120

  M320 running Junos 8.5 Juniper

  Extremes of BD8810 and BD8806 running 12.4.1.17 XOS

  3804 Alpine extreme Extremeware 7.8.3.5 running

  My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using GANYMEDE + to these other than Cisco devices. Has anyone else done this or I have to use RADIUS? If someone has done this are problems of interoperability with Cisco CS and Junos or XOS extreme. Thank you

  / John

  John,

  We have a very large deployment of Juniper (T-series, series MX, etc.). We use Cisco ACS and GANYMEDE to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:

  set system login user uid of engineering 2000
  Set system login user engineering genius-class class
  set the connection user uid to NOC 2001 System
  Set system login user AC AC-class class

  define the system connection Engineering-class idle-timeout 15
  define a connection system class engineering-class permissions all
  define the system connection AC-class idle-timeout 15
  define the connection class AC system class view permissions
  Set connection AC-class permissions see the system configuration

  We use two classes of genius and NOC. One is defined as a read / write and the second read-only. This is in turn then mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the configuration of the interface and add a Ganymede junos-exec service and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.

  Hope this helps.

  Derek

• Does Cisco ACS 1113 v4.2 device work with Windows 2008

  Hello

  I have a wireless currently in production infrastructure. All my Cisco LWAP is managed by Cisco WLC. Authentication is done via RADIUS through my device Cisco ACS 1113 running on version 4.2. The Cisco ACS 1113 device communicates with my Windows 2003 Active Directory. Everything is good now.

  Next month, we plan to update Active Directory from Windows 2003 to Windows 2008? Will be all fine and good, or will it be questions? Please advice kindly.

  I saw another post in this community that the States https://supportforums.cisco.com/thread/1003597?tstart=0. I am now confused. Help, please.

  Kind regards

  RAM

  + 60122918870

  ACS 4.2 does not work with Windows 2008R2.  I had a case of TAC open about this, and basically, they told me that I had to switch to 5.2 ACS.   I've been doing demonstrations there and it authenticates with Windows2008R2 very well.

• Cisco ACS 4.1 - user profile changes

  There is no option in Cisco ACS 4.1 Solution where we can specify the option that "user must change password on the next logon" as it used to be in Cisco ACS 3.X ".

  Is it possible same functionality can be enabled on Cisco ACS 4.1

  Concerning

  Sohail Sarwar

  Hello

  That option does not exist in ACS 4.x.

  HTH,

  Tiago

  --

  If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

• Cisco cisco ACS patch location site

  Hello

  I want to install cisco Acs 4.1 and I'm looking for the location on the Web site for patches can you please give the path?

  Thank you

  For ACS for windows:

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

  For ACS SE:

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

  Kind regards

  Prem

• Access to Motorola RF controller via Cisco ACS

  Hi all

  I want to be able to use authentication on our Motorola RF using Cisco ACS 5.2 controllers remotely. We have the responsible ASB and you can choose different user roles outside of "Super User".

  The reason is that the ID attribute for the role of 'Super user' is 32768 and but ID attribute within the ACS can take only 3 digits (see fig. 1 gasket)

  Anyone had any experience of this or know how to edit this field for more than 3 digits?

  Any help will be much appreciated.

  Thank you

  John

  I can see the issue you are referring to and does not seem to be a bug - dig when it exist and if is not open

  An entire book would not use an enumeration attribute Type but rather an unsigned integer

  Then you must enter the value directly in the authorization profile rather than selecting from a list

• [ACS 5.2.0.26] How to install the cumulative update?

  Hello

  I want to install the update rollup 9 for Cisco ACS 5.2.0.26

  I found the installation guide:

  http://www.Cisco.com/Web/software/282766937/37718/ACS-5-2-0-26-9-Readme.txt

  Instructions on how to install the patch =.

  1. open the CLI console

  2. set the new repository in which resides the 5-2-0-26 - 9.tar.gpg

  3. question: ' repository YOUR_REPOSITORY 5-2-0-26 - 9.tar.gpg acs patch install.

  We have configured 2 ACS devices in "Split ACS deployment"

  

  How to install the update rollup on 2 servers?

  If I install on the principal server, the secondary replica patch?

  Thanks for your help,

  Patrick

  Patrick,

  Patch must be installed on the two ACS CLI saprately. It cannot replicate.

  Kind regards

  ~ JG

  Note the useful messages

• 4.1 of the ACS and 802. 1 x dynamic assignment of VLANS

  Hi guys,.

  a customer wants to implement assignment of VLANs with 802 dynamics. 1 x. The customer has the following facilities, Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, several routers and Cisco switches.

  Now, the questations are, we can implement assignment of vlan dynamic without a unit of the ANC and the customer also wants to decide between customers with real antivirus signatures and the old signatures. Older clients are denied access to the anti-virus server and the update of the signature and if everything is ok, to have access to the internal network.

  How could implement us this without a new hardware or software?

  Any ideas? Thanks for help.

  René

  You can have a look on the frame of the NAC system. If you want only the posture validate cable customers then there no extra components to buy. If you want to go wireless, you will likely need to buy a Cisco client that supports wireless. You can get the configuration from here guide:

  http://www.Cisco.com/application/PDF/en/us/guest/NetSol/ns617/c649/cdccont_0900aecd8040bbd8.PDF

  I suggest you prototype and see what you think, the good thing is that you can deploy on a per switchport basis so you can make the installer on ACS without disturbing what is there already and apply it by configuring the switch.

• Dynamic assignment of VLANS for MAB / ACS 5.5

  Hello

  Tried MAB works with ACS 5.5, and the looks part good ACS in the newspapers - the MAC address is sought, the authorization profile is correct. But on the switch, I get the following text:

  * 1 mar 00:12:53: AAA/AUTHENTIC/8021 X (00000004): choose method list "by default".

  * 1 mar 00:12:53: RADIUS/ENCODE (00000004): orig. component type = DOT1X

  * 1 mar 00:12:53: RADIUS: AAA Attr not supported: audit-session-id [607] 24

  * 1 mar 00:12:53: RADIUS: [0A8E0FDE00000002] 30 41 38 45 30 46 44 45 30 30 30 30 30 30 30 32

  * 1 mar 00:12:53: RADIUS: 30 30 30 38 30 [00080 41A]

  * 1 mar 00:12:53: RADIUS: AAA Attr not supported: interface [171] 20

  * 1 mar 00:12:53: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 65 74 31 [GigabitEthernet1] 6F

  * 1 mar 00:12:53: RADIUS: 2F 30 [/ 0]

  * 1 mar 00:12:53: RADIUS (00000004): Config NAS IP: 0.0.0.0

  * 1 mar 00:12:53: RADIUS / ENCODE (00000004): acct_session_id: 4

  * 1 mar 00:12:53: RADIUS (00000004): send

  * 1 mar 00:12:53: RADIUS/ENCODE: best local IP 10.142.15.222 for Radius server address - 10.54.248.55

  * 1 mar 00:12:53: RADIUS (00000004): send request to access the id 10.54.248.55:1645 1645/5, len 162

  * 1 mar 00:12:53: RADIUS: 5th authenticator FE 17 88 64 41 1 D 09-86 EA 51 BE 78 42 B6 EB

  * 1 mar 00:12:53: RADIUS: username [1] 14 "28924ad5a199".

  * 1 mar 00:12:53: RADIUS: User-Password [2] 18 *.

  * 1 mar 00:12:53: RADIUS: 6 Service-Type call control [6] [10]

  * 1 mar 00:12:53: RADIUS: Framed-MTU [12] 6 1500

  * 1 mar 00:12:53: RADIUS: Called-Station-Id [30] 19 "00-1A-A1-99-9F-82".

  * 1 mar 00:12:53: RADIUS: Calling-Station-Id [31] 19 "28-92-4A-D5-A1-99".

  * 1 mar 00:12:53: RADIUS: Message-Authenticato [80] 18

  * 1 mar 00:12:53: RADIUS: EE F5 B8 E1 70 37 A6 3A AD 89 20 A5 A7 D0 E3 B4 [p7:]

  * 1 mar 00:12:53: RADIUS: EAP-Key-Name [102] 2 *.

  * 1 mar 00:12:53: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]

  * 1 mar 00:12:53: RADIUS: NAS-Port [5] 6 50102

  * 1 mar 00:12:53: RADIUS: NAS-Port-Id [87] 22 'GigabitEthernet1/0/2 '.

  * 1 mar 00:12:53: RADIUS: NAS-IP-Address [4] 6 10.142.15.222

  * 1 mar 00:12:53: RADIUS (00000004): started 5 sec timeout

  * 1 mar 00:12:53: RADIUS: receipt id 1645/5 10.54.248.55:1645, Access-Accept, len 106

  * 1 mar 00:12:53: RADIUS: authenticator 26 B4 B9 AB 3 04 68 DA - 38 AF F6 CD 36 95 73 2 b

  * 1 mar 00:12:53: RADIUS: username [1] 19 "28-92-4A-D5-A1-99".

  * 1 mar 00:12:53: RADIUS: [25] of class 31

  * 1 mar 00:12:53: RADIUS: 43 41 43 53 3 a 41 30 31 44 52 46 4 30 30 32 2F [CACS:A01DRFN002 /]

  * 1 mar 00:12:53: RADIUS: 32 33 31 35 38 38 36 30 31 31 37 38 2F [231588601/178]

  * 1 mar 00:12:53: RADIUS: Tunnel-Type [64] 01: VLAN 6 [13]

  * 1 mar 00:12:53: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]

  * 1 mar 00:12:53: RADIUS: Message-Authenticato [80] 18

  * 1 mar 00:12:53: RADIUS: 91 22 50 8 62 C2 F0 10 C6 OF 70 84 AF 31 6 CD [Pbp1l ""]

  * 1 mar 00:12:53: RADIUS: mount-Auth-Type [81] 6 20003120

  * 1 mar 00:12:53: RADIUS (00000004): receipt of id 1645/5

  * 1 mar 00:12:53: RADIUS: unsupported value 20003120 to the 81 attribute

  * 1 mar 00:12:53: RADIUS/DECODE: Ascend auth type; IN CASE OF FAILURE

  * 1 mar 00:12:53: RADIUS/DECODE: decoder; IN CASE OF FAILURE

  * 1 mar 00:12:53: RADIUS/DECODE: Ascend-Auth-Type attribute; IN CASE OF FAILURE

  * 1 mar 00:12:53: RADIUS/DECODE: analysis response op decode; IN CASE OF FAILURE

  * 1 mar 00:12:53: RADIUS/DECODE: analyze the answer; IN CASE OF FAILURE

  * 1 mar 00:12:53: % MAB-5-FAIL: failure of authentication for the client (2892.4ad5.a199) on the Interface item in gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF

  * 1 mar 00:12:53: % AUTHMGR-7-RESULT: result of the "dead server" authentication "MAB" for the client (2892.4ad5.a199) on the Interface item in gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF

  * 1 mar 00:12:53: % AUTHMGR-5-FAIL: failed authorization for customer (2892.4ad5.a199) on the Interface item in gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF

  It recognizes the attributes 64 and 65, but the Tunnel-private-group-id, which contains the actual number of VLAN is not supported. How can I assign the vlan OK if this attribute is not taken in charge? Does not work with a string corresponding to the name VLAN on the switch either.

  The version is 12.2.55SE10 3750G.

  Hello

  Since him debugs if I see that you are missing an attribute to make the assignment of VLANs, in your test it just to send the following items:

  * 1 mar 00:12:53: RADIUS: Tunnel-Type [64] 01: VLAN 6 [13]

  * 1 mar 00:12:53: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]

  But it would be appropriate to send:

  • Tunnel-Type = 64 = VLAN

  • Tunnel-Medium-Type = 802

  • Tunnel-private-Group-ID = 253

  When the "Tunnel-private-Group-ID" is the number/name of vlan to be awarded, the bellows is an example on what it would look like on the profile of the ACS:

  http://www.Cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wirel...

  Note: Please mark as answer as appropriate

• That treats the assignment do VLAN authorization Cisco ISE?

  Hello

  When I create an authorization policy in Cisco ISE, under common tasks, it is the assignment of VLANS. What makes that? Is it puts the user on this VLAN?

  Thank you.

  Yes, this will overwrite the VLAN configured on the switch port/SSID or wireless. For example, all ports can be configured to be part of VLAN 10, but you want users to finances in VLAN 20. You can use the profile of EHT permission to do exactly this.

  Thank you for evaluating useful messages!