dynamic vlan assignment besides vmps

psychogenic · Guest

Hey all,

Am wonderng if there are any other solutions for dynamic assignment of
vlans other than URT (whihc seems overly expensive) and VMPS (server
only seems to work on CatOS whihc none my switches run)? Basically I
want to set up a conference room and our guest area where any unknown
MAC addresses that gets plugged in will b e sent on one vlan and
trusted laptops in our network gets put on another.

Thanks!

Merv · Guest

Well if you have a RADIUS server, then see

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00801d0189.html#1038739

Merv · Guest

Or perhaps you could set up two VLANS - one with an open SSID (for
guest) and the other SSID can be authenticated (using FAST_EAP for
example).

You could also apply a MAC filter to the secure SSID using the
dot11 association mac-list command.

psychogenic · Guest

I do but can that also be applied to a wired network (not touching
wireless yet)?

Thanks.

Merv wrote:

Merv · Guest

what switch and IOS version ?

psychogenic · Guest

backbone is 6500 running IOS v 12.2, and our on floor switches are made
up of 3550s and some 3500XLs, all running IOS v 12.2

Merv wrote:
> what switch and IOS version ?

Merv · Guest

take a look at 802.1x authentication and dynamic VLAN assignment

http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00801e85c4.html#1062632

psychogenic · Guest

Hmm, would this break tacacs+ on the switches? I've added them all to
SecureACS for authentication and authorization for the admins here, and
also am using local accounts on the devices in case the ACS server is
unreachable.

Merv wrote:

Merv · Guest

If you have SecureACS then take a look at the Network Admission Control
feature (NAC)

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00805ec1ad.html

C Kim · Guest

No. Dot1x will not break tacacs+. two separate things.