Enhanced Integration With Cisco Secure Acs - Cisco SD2008T-NA Configuration Manual

4400 series wireless lan controller

Cisco Wireless LAN Controller Configuration Guide (OL-9141-03)
Chapter 1: Overview, page 1-13

Identity Networking

VLAN, access control list (ACL), DHCP server, and physical port assignments. This MAC Filtering can
be used as a coarse version of AAA Override, and normally takes precedence over any AAA (RADIUS
or other) Override.

However, when Allow AAA Override is enabled, the RADIUS (or other AAA) server can alternatively
be configured to return QoS, DSCP, 802.1p priority tag values and ACL on a per-MAC Address basis.
Allow AAA Override gives the AAA Override precedence over the MAC Filtering parameters set in the
controller; if there are no AAA Overrides available for a given MAC Address, the operating system uses
the MAC Filtering parameters already in the controller. This AAA (RADIUS or other) Override can be
used as a finer version of AAA Override, but only takes precedence over MAC Filtering when Allow
AAA Override is enabled.

Note that in all cases, the Override parameters (Operator-Defined Interface and QoS, for example) must
already be defined in the controller configuration.

In all cases, the operating system will use QoS, DSCP, 802.1p priority tag values and ACL provided
by the AAA server or MAC Filtering regardless of the Layer 2 and/or Layer 3 authentication used.

Also note that the operating system only moves clients from the default Cisco UWN Solution WLAN
VLAN to a different VLAN when configured for MAC filtering, 802.1X, and/or WPA Layer 2
authentication. To configure WLANs, refer to Chapter 6.

Enhanced Integration with Cisco Secure ACS

The identity-based networking feature uses authentication, authorization, and accounting (AAA)
override. When the following vendor-specific attributes are present in the RADIUS access accept
message, the values override those present in the wireless LAN profile:

- QoS level
- 802.1p value
- VLAN interface name
- Access control list (ACL) name

In this release, support is being added for the AAA server to return the VLAN number or name using the
standard "RADIUS assigned VLAN name/number" feature defined in IETF RFC 2868 (RADIUS
Attributes for Tunnel Protocol Support). To assign a wireless client to a particular VLAN, the AAA
server sends the following attributes to the controller in the access accept message:

- IETF 64 (Tunnel Type): VLAN
- IETF 65 (Tunnel Medium Type): 802
- IETF 81 (Tunnel Private Group ID): VLAN # or VLAN Name String

This enables Cisco Secure ACS to communicate a VLAN change that may be a result of a posture
analysis. Benefits of this new feature include:

- Integration with Cisco Secure ACS reduces installation and setup time
- Cisco Secure ACS operates smoothly across both wired and wireless networks

This feature supports 2000, 2100 and 4400 series controllers and 1000, 1130, 1200 and 1500 series
lightweight access points.
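To audit which VLAN an AAA server actually hands out, the three IETF tunnel attributes named in this section (64, 65 and 81) can be decoded from an Access-Accept. The following Python is an added example, not code from the Cisco guide or from Cisco Secure ACS. The function names and the sample packet are constructed for illustration, the numeric values 13 (VLAN, from RFC 3580) and 6 (802, from RFC 2868) are the standard encodings, and the Response Authenticator is assumed to have been verified elsewhere.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580 value for "VLAN"
TUNNEL_MEDIUM_802 = 6      # RFC 2868 value for "802"

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def vlan_from_access_accept(packet):
    """Return the VLAN number/name an Access-Accept assigns, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and alen == 6:
            # 1-byte tag followed by a 3-byte integer
            found[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # the first byte is treated as a tag only when it is <= 0x1F
            text = value[1:] if value[0] <= 0x1F else value
            found[atype] = text.decode("ascii", "replace")
        pos += alen
    if (found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802):
        return found.get(TUNNEL_PRIVATE_GROUP_ID)
    return None

def build_accept(attrs):
    """Constructed sample packet: zeroed authenticator, not a real capture."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_accept([
    attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
    attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
    attr(TUNNEL_PRIVATE_GROUP_ID, b"120"),
])
```

A return value of None means the reply carries no complete VLAN assignment, so the client stays on the VLAN configured for the WLAN.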
