In this tutorial, I will discuss IEEE 802.1X port-based access control using authentication from Cisco Secure ACS 5.X with dynamic VLAN assignment. The basic idea behind the standard is to authenticate and authorize a user before they can connect to the physical or logical port of a Layer 2 device to gain access to VLAN or WLAN infrastructure.

The IEEE 802.1X architecture has the following three basic components:

  • Authentication Server: Cisco Secure ACS 5.X
  • Authenticator: Catalyst Switch
  • Client or Supplicant: XP Native Client (or AnyConnect Secure Mobility Client etc.)

To assign a VLAN to a client upon successful authentication, i.e. via dynamic VLAN assignment, the following RADIUS attributes need to be pushed to the Catalyst Switch:

  • [064] Tunnel-Type
  • [065] Tunnel-Medium-Type
  • [081] Tunnel-Private-Group-ID

In one of the previous tutorials, on time-based access restrictions, we discussed the use of Authorization Profiles. In this tutorial, we will see how to configure the RADIUS attributes listed above in an authorization profile for dynamic VLAN assignment.



Let’s say we have 2 users in 2 different departments: one user is in the HR department, the other is in the ACCOUNTS department. We wish to assign different VLANs to these corporate users based on their departments, i.e. the HR VLAN will be vlan50 and the ACCT VLAN will be vlan51.

IEEE 802.1x Port Based Access Control

The first two attributes, Tunnel-Type and Tunnel-Medium-Type, will be the same in every Authorization Profile. The last attribute, Tunnel-Private-Group-ID, will be set appropriately for each dynamic VLAN assignment, i.e.

  • For the HR Authorization Profile, Tunnel-Private-Group-ID will be 50
  • For the ACCT Authorization Profile, Tunnel-Private-Group-ID will be 51
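
The three attributes as they travel in the Access-Accept, shown as an added example (not part of the original tutorial, and not Cisco code): Python that encodes the HR and ACCT attribute sets and checks them the way an authenticator must before applying a VLAN. The function names are hypothetical, and the values 13 (VLAN) and 6 (IEEE-802) are taken from RFC 3580 rather than from this page.

```python
import struct

# Attribute numbers from the page; VLAN (13) and IEEE-802 (6) are the
# values RFC 3580 specifies for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def tunnel_int(attr_type, value, tag=0):
    # RFC 2868 layout: type, length=6, 1-byte tag, 3-byte integer
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tunnel_str(attr_type, text, tag=0):
    # The tag byte is optional on string attributes; emit it only if set
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    return struct.pack("!BB", attr_type, len(body) + 2) + body

def vlan_profile(vlan_id, tag=0):
    """Attribute bytes a profile for vlan_id would add to the Access-Accept."""
    return (tunnel_int(TUNNEL_TYPE, VLAN, tag)
            + tunnel_int(TUNNEL_MEDIUM_TYPE, IEEE_802, tag)
            + tunnel_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))

def assigned_vlan(attrs):
    """VLAN the authenticator should apply, or None if the set is unusable."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 3 or i + a_len > len(attrs):
            return None                      # malformed or truncated TLV
        value = attrs[i + 2:i + a_len]
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if a_len != 6:
                return None
            seen[a_type] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            if value[0] <= 0x1F:             # leading tag byte, not VLAN text
                value = value[1:]
            seen[a_type] = value.decode("ascii", "replace")
        i += a_len
    if i != len(attrs):
        return None                          # stray trailing byte
    if seen.get(TUNNEL_TYPE) != VLAN or seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None                          # all three attributes are required
    return seen.get(TUNNEL_PRIVATE_GROUP_ID) or None

if __name__ == "__main__":
    for name, vid in (("HR", 50), ("ACCT", 51)):   # profiles from the page
        print(name, vlan_profile(vid).hex(), "->", assigned_vlan(vlan_profile(vid)))
```

A profile that omits Tunnel-Type or Tunnel-Medium-Type, or sets them to other values, yields no VLAN here, which is why all three attributes go into each Authorization Profile.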

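For the sake of completeness, here is the switch configuration:

! Enable AAA and use RADIUS (the ACS) for 802.1X authentication
! and for network authorization (needed for VLAN assignment)
aaa new-model
radius-server host key CiscoKey
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Enable 802.1X globally
dot1x system-auth-control
!
! Access port acting as the 802.1X authenticator
interface FastEthernet1//12
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x guest-vlan 25
 dot1x auth-fail vlan 30
 spanning-tree portfast
 no shutdown
!
! VLANs referenced by the authorization profiles must exist on the switch
vlan 50
vlan 51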


Cisco Secure ACS 5X Authorization Profiles

Next, configure an Authorization Profile for each group, i.e. an HR VLAN Profile (VLAN 50) and an ACCT VLAN Profile (VLAN 51).

The Authorization Profile for HR users will look like:

The Authorization Profile for ACCT users will look like:

Upon successful authentication, users will be assigned the appropriate VLANs via the RADIUS attributes configured on Cisco Secure ACS 5.X.

Complete end-to-end configuration steps for this scenario are covered in the Cisco Secure ACS 5X Deployment Guide:

  • Installing the CA certificate,
  • Adding the AAA client in ACS,
  • Creating users for each group in ACS (or an external directory, e.g. Active Directory),
  • Configuring the Device Filter and Authorization Profile,
  • Access Service setup and the layout of the different EAP types,
  • Switch configuration,
  • Host end station (supplicant) configuration, and many more

Enjoy!

