Cisco AAA/Identity/Nac :: ACS 5.2 Assign VLAN Based On AD Group?
Apr 18, 2011
I'm trying to configure ACS 5.2 to assign the VLAN to a user dynamically based on the AD group that the user belongs to. I've gone into:
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
and selected the group name from the AD. If I understand correctly, I should now see this group under:
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
However, it does not. Am I missing something?
View 2 Replies
ADVERTISEMENT
Apr 30, 2012
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
View 7 Replies
View Related
Apr 15, 2013
I am deploying ISE with WLC 7.4. I have two SSID(s) running in my network 1. Corporate & 2. Services. I have a domain setup lets say "AD.com" with 4 groups 1. Corporate, 2. Services, 3. Employees, 4. Contractors.Here is an example of the scenario that I want:
AD.com Group : Corporate's User : 1. C_USER1
2. C_USER2
3. C_USER3
4. C_USER4
5. C_USER5
[code]....
Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, ONLY AND in ONLY corporate group for authentication. That is only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldnt be authenticated on this SSID.The same for the services group & SSID.
View 2 Replies
View Related
Aug 26, 2009
Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.
View 3 Replies
View Related
May 1, 2012
how to associate an AD group - which i have defined in users and identity stores/external identity stores/Active Directory/Directory attributes to associate with the relevant identity groups - Users and identity stores/identity groups Is there an example of this being done somewhere as i am having problems understanding how to do this from the user guide.All i want to do is associate identity groups with ad groups.
View 3 Replies
View Related
Oct 10, 2012
I'm currently using a LMS 4.2.x System and an ACS 5.3 System.
I solved the problem to authenticate the LMS WebGUI login to the ACS Server. But, I can't not find any document, which descripes how I can assing the group roles via ACS.
View 1 Replies
View Related
May 14, 2012
Basically I want to query Radius for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. I saw that using attribute 4242 for DAP for group membership, but what is the Group syntax?
View 1 Replies
View Related
Sep 7, 2011
having LMS 4.0.1 is it possible to authenticate user on a group base and assign different privilege to different groups?. The user's group are available in the LDAP server.Do I have to use a TACACS/RADIUS server between the Ciscoworks LMS and the LDAP repository?
View 1 Replies
View Related
Mar 8, 2013
i've configured 4 connection profiles (IT,HR,Admon,VIP) on the asa everything works well, but our boss wants to know if it's possible to assign the right connection profile without using group drop-down list, what he wants is to use a unique connection profile (non-default) and via radius attributes using ACS 5.X to assing the right profile.
View 6 Replies
View Related
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
View 3 Replies
View Related
Jan 24, 2012
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
View 1 Replies
View Related
Jan 6, 2011
My customer requires the hostport on an access switch to be allocated to a specific Vlan based upon the AD Group that the user is a memeber of ? I am planning to setup NAC in a Real Gateway OOB deployment, using an ACS 5.2. I was initially thinking that the initial authentication server would be the ACS and then the AD, which using group mappings within the AD, I could then assign the user to a specific ACS group and then pass a Radius attribute back to the NAC manager for processing?
View 2 Replies
View Related
Dec 5, 2011
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
View 2 Replies
View Related
Jun 16, 2012
I know that a default gateway is used to log in remotely, but what is the purpose of the IP address on a VLAN?
View 3 Replies
View Related
Sep 3, 2012
How do you assign each customer to a vlan ? and what kit do you use at the core to roll out VLANS to each pop? We are thinking of using Juniper kit - putting customers on there own VLAN, and having a managed service like TR-069 on those VLANS.Is it do-able and what does everyone use for a TR-069 server - I've been looking on the net and havent had much joy in finding a server - or is it not as easy as I understand it to be.
View 4 Replies
View Related
Jan 12, 2012
I'm looking into a way of routing users internet connection based on their username or group in a windows environment. Currently there's two ISP connections with their own proxy server. I want a user to be fully redirected to one of the ISPs based on who they are. I was hoping via IE proxy settings, this can be accomplished, but it looks like the primary ISP connection, is still getting most of the connections/routing.
View 1 Replies
View Related
Apr 27, 2012
Stumped again with my Catalyst 2950. Everything is working perfectly with wan/dhcp/router on fa 0/1 with all ports assigned to vlan1. All devices plugged in connect to the router correctly with ip's being assigned via dhcp.Instead of hooking up by console port I want to be able to SSH or telnet in to the switch using any port while still maintaining the above functionallity. Is it possible to assign a dhcp assigned ip address to vlan 2 and have vlan1 and 2 bridged? Or is there a better way of doing this ?
View 3 Replies
View Related
Oct 26, 2012
I have ASA 5505 with base license. I created 3rd vlan on it.it was created. but i am unable to assign IP to it. i assign ip address it takes it. But when i do sh int ip brief it does not show any ip.
Code...
View 7 Replies
View Related
Dec 13, 2011
I am trying to assign static ip address on vlan 1 interface , the model no of switch is SG300 & the firmware version is 1.1.2.0 .But whenever I type the IP address & press enter , a question is popped up asking for confirmation (switch0d851f(config-if)#ip address 1.1.1.1 255.0.0.0.
Please ensure that the port through which the device is managed has the proper settings and is a member of the new management interface.Would you like to apply this new configuration? (Y/N)[N] N )
View 3 Replies
View Related
Apr 12, 2013
Actually i have 7600 router and all trafic passes through Gi0/1(Routed port) interface to 6500 series switch. I need to create a vlan on this router eg. vlan 10 Any how it is possible assign a vlan to routed port and traffic of wan interfaces and the vlan traffic passed together.
View 2 Replies
View Related
Dec 17, 2012
Is it possible to assign 2 ports to a vlan on this switch and have the 2 machines connected to those ports be able to see each other without having to go off of the switch? If so, how would it need to be setup on the switch?
View 4 Replies
View Related
Apr 7, 2012
i'm using an rv220W and i whant to know if is it possible to assign vpn traffic to a vlan when i setup an ipsec tunnel?
example:
Im using different vlans on my rv220W.
Vlan 10: engineers (ex: 192.168.1.0/27) no intervlan routing
Vlan20: sales (ex: 10.0.123.0/24) no intervlan routing
This is what i need: - An engineer is on the road and when he makes a ipsec vpn connection => assignd to the vlan "engineers" so he can access the server/pc's in that vlan.and when someone from the sales group starts a vpn connection he needs to be in the vlan "sales" so he can access his pc/data,...
View 15 Replies
View Related
Feb 21, 2012
cant assign cisco switch 3560G port g0/1to access vlan 10
main-switch(config-if)#switchport access vlan 10 Command rejected: Gi0/1 not a switching port.
View 5 Replies
View Related
Dec 8, 2011
I imagine I can use the framed-ip-address attribute to assign ip-addresses but there seem to be support for static ip addresses only?A bit of a drag when we're talking 200+ nodes.
View 1 Replies
View Related
May 9, 2012
I have a VPN network (in ASA 5520) with two VLAN (999 and 997) and two remote clients (User1 and User2). The VPN connection with both users is correctly connected but I can't make a ping to another computer of the same VPN network, when the VPN network is connected. For eg: When User1 is connected, has the IP: 172.16.1.230, but can't make ping to another connected PC (IP:172.16.1.236). [code]
View 3 Replies
View Related
Apr 4, 2010
Is there any way (in ACS 5.1) to assign personal access list to each user instead of assigning it to Authorization profile and Authorization profile to user?
View 5 Replies
View Related
Aug 8, 2011
My company requires each user dial-in must be a fixed IP; The old acs4 can,but I cannot find the same configration item in the ACS5.2
View 2 Replies
View Related
May 22, 2012
i have fwsm in cat6500, i have one firewall vlan group which is in firewall module 1 vlan group 10. I need tocreate another vlan group and add to firewall module 1 vlan group 10, 20. i need to have zero downtime.
View 2 Replies
View Related
Feb 14, 2011
I have a network setup as live-ssid. It is using the Interface for VLAN 14. All APs under the default-group AP Group obviously allows clients to DHCP an address from VLAN 14. This is working fine.
I created a new AP Group called 3rd Floor. This has the live-ssid setup, but instead of using the Interface for VLAN 14 it is setup for the Interface for VLAN 50. I have all the APs on this floor moved to the 3rd Floor AP Group.
The problem is that 95% of the clients on 3rd Floor are still picking up DHCP addresses from VLAN 14. I checked and all the clients are connected to the APs on the 3rd Floor. Only 4 Clients are getting an address from VLAN 50.
I'm not sure if something is configured wrong or not since some devices pick up the new VLAN and the rest don't. I've manually reboot the APs on the 3rd floor to see if that would fix it.
View 2 Replies
View Related
Oct 12, 2011
I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.I found this link on Cisco's site: [URL]That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
[code]....
View 1 Replies
View Related
Feb 12, 2012
Actually I have a lab with ACS 5.3 running with 802.1x, but when when the user is successfully authenticated, it's assigned and IP address from the DHCP server, is there a way to assign a static IP address depending of login username??
View 13 Replies
View Related
May 4, 2011
is there a way to assigen a QoS service policy via Radius to an Caltalyst 4500/3750 Switchport?
in detail, we would like to assign this policy
policy-map SET_EF class class-default set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works find when doing it statically with
interface FastEthernet2/1 service-policy input SET_EF
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
4503-E#sh aaa attributes AAA ATTRIBUTE LIST: Type=1 Name=disc-cause-ext Format=Enum Type=2 Name=Acct-Status-Type Format=Enum
[Code]......
View 1 Replies
View Related
Jan 9, 2013
I am using Cisco 7609 IOS15.0(1)S1 and Cisco 3600 IOS 15.1(2)EY.I am trying to provision VPNs over MPLS network.All I found in the documentation is how I attach a whole interface to a VRF.However, I need to be able to attach a VLAN (or any other matching criteria, for that matter) to a VRF.In other words, I want to be able to attach port 1/1 vlan 100 to VRF-A and port 1/1 vlan 200 to VRF-B.
View 1 Replies
View Related
