aaa authorization and aaa accounting with Cisco ACS and 1231 AP's

Discussion in 'Cisco' started by Chris_D, Jul 25, 2005.

  1. Chris_D

    Chris_D Guest

    I am trying to get aaa authorization working so that I can get Cisco
    Secure to dole out dhcp according to username but I can't find an
    example config on the cisco site.

    I struggled with aaa accounting as well but I managed to get that to
    work when I added "accounting method_list" to the ssid.

    If anyone has any useful config examples of either of these I would be
    grateful?

    Drop the ZZZ to reply

    Cheers ...
     
    Chris_D, Jul 25, 2005
    #1

  2. Chris_D

    Guest

    Chris,

    I'm afraid you're barking up the wrong tree here.

    ACS can hand out IP addresses using the RADIUS
    Framed-IP-Address, but this works only in cases where
    the RADIUS client has some mechanism to hand the IP address
    to the end user.

    Some such RADIUS clients are PPP (which can give the end user
    the address via IPCP) and I believe IPsec VPN.

    However, an AP *cannot* take a Framed-IP-Address from RADIUS and
    hand it to a wireless client. In theory, one could imagine a feature
    wherein the AP takes that IP address from RADIUS and sticks it into
    an ephemeral client-specific DHCP binding, to be handed out via
    DHCP when/if that particular client asks for a DHCP address.
    However, we don't support any such feature and as far as I know have
    no plans to implement it.

    Best,

    Aaron
     
    , Jul 26, 2005
    #2

  3. Chris_D

    Chris_D Guest

    Thanks for clarifying that for me, Aaron. I had my suspicions that it
    may be something like that, as I had exhausted all avenues of
    investigation.

    I am assuming that tacacs+ will not perform the task either?

    The reason I looked into this originally was because I need to hand
    out IP addresses on a per vlan basis, but when I have set up a lab with
    different (physical) dhcp servers connected to their corresponding vlans
    the clients don't always get the right address.

    If you can shed any light on this I would be grateful?



    On 26 Jul 2005 12:09:34 -0700, "" <>
    wrote:

    >Chris,
    >
    >I'm afraid you're barking up the wrong tree here.
    >
    >ACS can hand out IP addresses using the RADIUS
    >Framed-IP-Address, but this works only in cases where
    >the RADIUS client has some mechanism to hand the IP address
    >to the end user.
    >
    >Some such RADIUS clients are PPP (which can give the end user
    >the address via IPCP) and I believe IPsec VPN.
    >
    >However, an AP *cannot* take a Framed-IP-Address from RADIUS and
    >hand it to a wireless client. In theory, one could imagine a feature
    >wherein the AP takes that IP address from RADIUS and sticks it into
    >an ephemeral client-specific DHCP binding, to be handed out via
    >DHCP when/if that particular client asks for a DHCP address.
    >However, we don't support any such feature and as far as I know have
    >no plans to implement it.
    >
    >Best,
    >
    >Aaron


    Drop the ZZZ to reply

    Cheers ...
     
    Chris_D, Jul 27, 2005
    #3
  4. Chris_D

    Guest

    > Thanks for clarifying that for me Aaron, I had my suspicions that it
    > may be something like that as I had exhausted all avenues of
    > investigation.


    > I am assuming that tacacs+ will not perform the task either?


    I don't think you can authenticate wireless EAP clients against
    Tacacs+, only RADIUS, but in any case, this has nothing to do with
    the AAA protocol used between the AP and the AAA server, but
    with the capabilities of the AP to assign an address to the wireless
    client.

    > The reason I looked into this originally was because I need to hand
    > out IP addresses on a per vlan basis, but when I have set up a lab with
    > different (physical) dhcp servers connected to their corresponding vlans
    > the clients don't always get the right address.


    I don't know why your DHCP servers didn't assign the right addresses
    - this should not be a problem. I'd recommend that you focus on fixing
    this configuration.

    Btw, one thing you *can* do is to have ACS assign a wireless client
    to a VLAN on a per user basis. This flexibility is useful to some.
    Of course, you still have to have DHCP working right on the VLANs.

    Regards,

    Aaron
     
    , Jul 27, 2005
    #4
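    The following is an added example, not part of this thread and not Cisco ACS or IOS code. It models in Python the two RADIUS mechanisms Aaron describes in posts #2 and #4: ACS can place a Framed-IP-Address (RFC 2865 attribute 8) or the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple that RFC 3580 uses for VLAN assignment into an Access-Accept, and what happens next depends on the NAS. The encoder, parser and the `ap_view` helper that reports Framed-IP-Address as ignored for an access point are assumptions made for illustration; the secret, request authenticator and addresses are constructed values.

```python
"""Constructed example of the RADIUS attributes discussed in this thread.
Attribute numbers come from RFC 2865 (Framed-IP-Address), RFC 2868 (Tunnel-*)
and RFC 3580 (VLAN assignment for 802.1X). Assumed helper code, not ACS code."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

FRAMED_IP_ADDRESS = 8          # RFC 2865
TUNNEL_TYPE = 64               # RFC 2868, tagged integer
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868, tagged string
TUNNEL_TYPE_VLAN = 13          # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 3580
ACCESS_ACCEPT = 2

Attr = Tuple[int, bytes]


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value; length counts all bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def framed_ip_address(ip: str) -> bytes:
    """Attribute 8: the address a PPP or VPN NAS can hand to its peer."""
    return attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)


def vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """The tagged triple an 802.1X NAS (such as an AP) reads as a VLAN id."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")

    def tagged_int(v: int) -> bytes:
        return bytes([tag]) + v.to_bytes(3, "big")

    return (attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_attrs(data: bytes) -> List[Attr]:
    """Walk the TLV stream, rejecting truncated or undersized attributes."""
    out: List[Attr] = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def is_malformed(data: bytes) -> bool:
    """True if the attribute stream would be rejected by parse_attrs."""
    try:
        parse_attrs(data)
    except ValueError:
        return True
    return False


def decode_vlan(attrs: List[Attr]) -> Optional[int]:
    """Return the VLAN id only if all three tunnel attributes share one tag."""
    groups: Dict[int, Dict[int, bytes]] = {}
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and v:
            # RFC 2868: a first byte above 0x1F is data, not a tag
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = body
    for grp in groups.values():
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in grp):
            return int(grp[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    return None


def ap_view(attrs: List[Attr]) -> dict:
    """Model the AP behaviour described in the thread: the VLAN is applied,
    while a Framed-IP-Address has no path to the wireless client and is only
    reported here so an operator can see that it was returned but unused."""
    ips = [str(ipaddress.IPv4Address(v)) for t, v in attrs if t == FRAMED_IP_ADDRESS]
    return {"vlan": decode_vlan(attrs), "ignored_framed_ip": ips}


def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Wrap attributes in an Access-Accept with the RFC 2865 response authenticator."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that the reply was produced with the shared secret."""
    head, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    req_auth = bytes(range(16))                      # constructed request authenticator
    reply = framed_ip_address("10.20.30.40") + vlan_assignment(42)
    pkt = access_accept(7, req_auth, b"constructed-secret", reply)
    print(verify_access_accept(pkt, req_auth, b"constructed-secret"))
    print(ap_view(parse_attrs(pkt[20:])))
```

    Running the block shows an Access-Accept that carries both attributes: `ap_view` applies VLAN 42 and lists 10.20.30.40 as returned but not applied, which is the situation Chris hit when expecting ACS to drive DHCP through the AP. The length and tag checks in `parse_attrs` and `decode_vlan` are the parts worth keeping in any real attribute handler, since a NAS that accepts a VLAN from a mismatched or truncated tunnel triple can land a client on the wrong segment.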
  5. Chris_D

    Chris_D Guest

    Thanks for your input Aaron .. it is appreciated

    I will set the original vlan configuration up again and try to get
    that running.

    On 27 Jul 2005 12:25:32 -0700, "" <>
    wrote:

    >> Thanks for clarifying that for me Aaron, I had my suspicions that it
    >> may be something like that as I had exhausted all avenues of
    >> investigation.

    >
    >> I am assuming that tacacs+ will not perform the task either?

    >
    >I don't think you can authenticate wireless EAP clients against
    >Tacacs+, only RADIUS, but in any case, this has nothing to do with
    >the AAA protocol used between the AP and the AAA server, but
    >with the capabilities of the AP to assign an address to the wireless
    >client.
    >
    >> The reason I looked into this originally was because I need to hand
    >> out IP addresses on a per vlan basis, but when I have set up a lab with
    >> different (physical) dhcp servers connected to their corresponding vlans
    >> the clients don't always get the right address.

    >
    >I don't know why your DHCP servers didn't assign the right addresses
    >- this should not be a problem. I'd recommend that you focus on fixing
    >this configuration.
    >
    >Btw, one thing you *can* do is to have ACS assign a wireless client
    >to a VLAN on a per user basis. This flexibility is useful to some.
    >Of course, you still have to have DHCP working right on the VLANs.
    >
    >Regards,
    >
    >Aaron


    Drop the ZZZ to reply

    Cheers ...
     
    Chris_D, Aug 1, 2005
    #5
