Configure ACS for Dynamic VLAN Assignment

December 22nd, 2009

For dynamic VLAN assignment we have to configure two ACS components: the group (group properties and group mapping, so that the user's AD group lands in the right ACS group) and authorization (the RADIUS attributes ACS returns for that group).

In the navigation bar, click External User Databases. Then, click Database Group Mappings.

Click the external user database name for which you want to configure a group mapping.

In this example, it is Windows database.

In the resultant Domain Configurations page, click New configuration.

Note: By default you see only the domain \DEFAULT on this page.

The Define New Domain Configuration page appears.

In the Detected Domains box of this page, you should be able to see the Windows user database LAB. Click Submit.

The new Windows domain LAB appears in the list of domains in the Domain Configurations page.

Click the LAB domain.

The Group Mappings for the Domain: LAB table appears.

Click Add mapping.

The Create new group mapping for Domain: LAB page opens. The group list displays group names that are derived from the LAB database. In this Group set, you should be able to see the group vlan20 created in the AD of this lab domain.

Choose vlan20 from the group list, then click Add to selected.

In the ACS group drop-down box, choose Group20, the ACS group to which you want to map users who belong to the AD group vlan20.

Click Submit.

The group mapped to the ACS list appears at the bottom of the database groups column as shown in the example. The asterisk (*) at the end of each set of groups indicates that users who are authenticated with the external user database can belong to other groups besides those in the set.

Configure ACS Authorization Components or RADIUS Authorization Components (RAC)

RACs are sets of RADIUS attributes that are applied to the switch during network authorization. After you group a set of RADIUS attributes in a RAC, you can make the RAC available when configuring network access profiles and use it as an enforcement command for the switch, sent in the RADIUS Access-Accept packet.

Step 1. To configure RACs, choose Shared Profile Components > RADIUS Authorization Components and click the Add button for each new RAC you want to create. Each RAC can contain one or more vendor RADIUS attributes, including Cisco IOS/PIX 6.0 and IETF.

Step 2. Specify RAC entries, attribute assignments, and values. Create these RAC configurations for an IEEE 802.1x scenario (NAC Layer 2 IEEE 802.1x).

Attribute: Tunnel-Type (64)
Vendor: IETF
Use case: IEEE 802.1x
Definition: Tunnel-Type defined in RFC 2868; RFC 3580 uses the value VLAN (13) for VLAN assignment.

Attribute: Tunnel-Medium-Type (65)
Vendor: IETF
Use case: IEEE 802.1x
Definition: Tunnel-Medium-Type defined in RFC 2868; RFC 3580 uses the value 802 (6) for VLAN assignment.

Attribute: Tunnel-Private-Group-ID (81)
Vendor: IETF
Use case: IEEE 802.1x
Definition: Tunnel-Private-Group-ID defined in RFC 3580. This attribute tells the NAD which local VLAN the switch should assign to the port to which the user is connected. Cisco NADs accept both strings (VLAN name) and integers (VLAN ID) in this attribute. It must be sent together with attributes 64 and 65; the switch ignores the triple if one of them is missing or carries the wrong value.

In my case it was:

RAC Name: 802.1x_Compliant_User
Vendor: IETF, Assigned Attribute: Tunnel-Type (64), Value: VLAN
Vendor: IETF, Assigned Attribute: Tunnel-Medium-Type (65), Value: 802
Vendor: IETF, Assigned Attribute: Tunnel-Private-Group-ID (81), Value: default

Do not forget to set up network authorization on the switch; without it the switch authenticates the user but ignores the VLAN attributes in the Access-Accept. On a Cisco IOS device:

Switch(config)#aaa authorization network default group radius

Categories: Security, VLAN


http://www.ipstuff.net / Configure ACS for Dynamic VLAN Assignment