aaa authorization and aaa accounting with Cisco ACS and 1231 AP's

I am trying to get aaa authorization working so that I can get Cisco Secure to dole out DHCP according to username but I can't find an example config on the Cisco site.

I struggled with aaa accounting as well but I managed to get that to work when I added "accounting method_list" to the ssid.

If anyone has any useful config examples of either of these I would be grateful.

Drop the ZZZ to reply

Cheers ...

Reply to
Chris_D

Chris,

I'm afraid you're barking up the wrong tree here.

ACS can hand out IP addresses using the RADIUS Framed-IP-Address, but this works only in cases where the RADIUS client has some mechanism to hand the IP address to the end user.

Some such RADIUS clients are PPP (which can give the end user the address via IPCP) and I believe IPsec VPN.

However, an AP *cannot* take a Framed-IP-Address from RADIUS and hand it to a wireless client. In theory, one could imagine a feature wherein the AP takes that IP address from RADIUS and sticks it into an ephemeral client-specific DHCP binding, to be handed out via DHCP when/if that particular client asks for a DHCP address. However, we don't support any such feature and as far as I know have no plans to implement it.

Best,

Aaron

Reply to
aaron

Thanks for clarifying that for me Aaron, I had my suspicions that it may be something like that as I had exhausted all avenues of investigation.

I am assuming that TACACS+ will not perform the task either?

The reason I looked into this originally was because I need to hand out IP addresses on a per VLAN basis but when I have set up a lab with different (physical) DHCP servers connected to their corresponding VLANs the clients don't always get the right address.

If you can shed any light on this I would be grateful.

Drop the ZZZ to reply

Cheers ...

Reply to
Chris_D

I don't think you can authenticate wireless EAP clients against TACACS+, only RADIUS, but in any case, this has nothing to do with the AAA protocol used between the AP and the AAA server, but with the capabilities of the AP to assign an address to the wireless client.

I don't know why your DHCP servers didn't assign the right addresses - this should not be a problem. I'd recommend that you focus on fixing this configuration.

Btw, one thing you *can* do is to have ACS assign a wireless client to a VLAN on a per user basis. This flexibility is useful to some. Of course, you still have to have DHCP working right on the VLANs.

Regards,

Aaron

Reply to
aaron
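Added example, not part of the original thread or of either poster's configuration: a Python reading of a RADIUS Access-Accept attribute block that separates the per-user VLAN from Framed-IP-Address, the attribute the thread says an AP cannot pass on to a wireless client. It assumes the VLAN is carried in the RFC 3580 tunnel attributes; the function names and the sample values are constructed for illustration.

```python
import ipaddress

# Attribute numbers from RFC 2865/2868; VLAN values from RFC 3580.
FRAMED_IP_ADDRESS, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 8, 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def attr(atype, value):
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data):
    """Split an attribute block into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def tagged_int(value):
    """Tunnel-Type/Medium-Type: one tag byte followed by a 3-byte integer."""
    return int.from_bytes(value[1:], "big") if value and len(value) == 4 else None


def summarize(data):
    """Return (vlan_id, framed_ip); either is None when not present or not valid."""
    first = {}
    for atype, value in parse_attrs(data):
        first.setdefault(atype, value)
    vlan = None
    group = first.get(TUNNEL_PRIVATE_GROUP_ID)
    if (group and tagged_int(first.get(TUNNEL_TYPE)) == TYPE_VLAN
            and tagged_int(first.get(TUNNEL_MEDIUM_TYPE)) == MEDIUM_IEEE_802):
        if group[0] <= 0x1F:          # optional leading tag byte
            group = group[1:]
        vlan = group.decode("ascii")
    ip = first.get(FRAMED_IP_ADDRESS)
    framed = str(ipaddress.IPv4Address(ip)) if ip and len(ip) == 4 else None
    return vlan, framed


# Constructed sample: attributes an Access-Accept might carry for one user.
SAMPLE = (attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.0.20.5").packed)
          + attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
          + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
          + attr(TUNNEL_PRIVATE_GROUP_ID, b"20"))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The VLAN ID is the value a per-user VLAN assignment acts on; the Framed-IP-Address is parsed here only to show that it arrives in the same reply and still needs a client-facing mechanism such as IPCP to reach the end user.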

Thanks for your input Aaron .. it is appreciated

I will set the orig

>> Thanks for clarifying that for me Aaron, I had my suspicions that it

Drop the ZZZ to reply

Cheers ...

Reply to
Chris_D
