Question in regards to IAS, How do I assign a DHCP address range to a Remote Access policy (dynamic VLAN with DHCP address assignment)
Hi all,
I am working on a test lab right now; my main objective is to assign dynamic port-based VLANs via 802.1X.
I am using:
1. Linksys WRVS4400N as the primary router and switch
2. Microsoft Server 2003 with Active Directory, IAS, and DHCP
My topology looks like this:
Internet --> Linksys WRVS4400N
Port 1 --> assigned to the Microsoft server, server VLAN (VLAN ID 1)
Port 2 --> VLAN (VLAN ID 2)
Port 3 --> marketing VLAN (VLAN ID 3)
Port 4 --> design VLAN (VLAN ID 4)
I am going to be using the 172.16.0.x /24 network for the test lab. Each VLAN is assigned 64 IP addresses. This is the current VLAN scheme I am using:
VLAN 1 -> IP range 172.16.0.1 - 0.61 -> gateway 172.16.0.62 (servers)
VLAN 2 -> IP range 172.16.0.65 - 0.125 -> gateway 172.16.0.126 (IT)
VLAN 3 -> IP range 172.16.0.129 - 0.189 -> gateway 172.16.0.190 (marketing)
VLAN 4 -> IP range 172.16.0.193 - 0.253 -> gateway 172.16.0.254 (design)
I set the server's IP address to 172.16.0.1 255.255.255.192. I created the domain, enabled RADIUS, and set it to communicate with the Linksys router (the default LAN IP is 172.16.0.62 on the router).
Then I configured the router's 802.1X port settings and pointed them to the IAS server (172.16.0.1).
On the IAS server I configured a remote access policy named IT LAN. I created 2 policy conditions:
1. NAS-Port-Type matches "Ethernet or Wireless IEEE 802.11"
2. Windows-Group matches "ELAB\IT RADIUS" (group created in AD)
I included these attributes in the policy:
1. Tunnel-Medium-Type: 802
2. Tunnel-Pvt-Group-ID: 2
3. Tunnel-Type: Virtual LAN
After configuring IAS, I configured a new DHCP scope, hoping to assign it to the IT LAN remote access policy. The name of the scope is LAN, and the address range is 172.16.0.65 - 0.126.
After doing this I am stuck. I want to know how I can assign the DHCP scope to the remote access policy, so that when I log in as a user in the RADIUS group, I am assigned an IP based on the scope it belongs to (172.16.0.65 - 0.125)?
For example: I created a user named Graham, who belongs to the RADIUS group in AD. When he logs on to the domain, I want him to be assigned an IP address based on the LAN scope (something like 172.16.0.66). Even if the user logs in through WiFi or remote VPN, I want him to get an IP address based on the VLAN scope. Is this possible?
Do I have to do this through RRAS or Group Policy? I tried googling around but couldn't find a solution. If there's anyone who can help me out, it would be helpful.
Thanks a lot!
Graham
Hi,
This isn't a NAP-related question, but I'll try to help.
First, I'm not entirely sure the Linksys router supports VLAN assignment using RADIUS tunnel attributes (Tunnel-Pvt-Group-ID). If you have this working, you can ignore this comment.
When using VLANs as you describe, the method to assign a DHCP scope to a particular policy is to use the giaddr field of the DHCP request packet. Configure the switch with an IP helper address similar to:
vlan 1
name "management"
untagged 2-26
ip address 10.0.0.2 255.0.0.0
no untagged 1
exit
vlan 2
name "compliant"
ip address 20.0.0.1 255.255.0.0
ip helper-address 10.0.0.1
exit
vlan 3
name "noncompliant"
untagged 1
ip address 30.0.0.1 255.255.0.0
ip helper-address 10.0.0.1
exit
When the client authenticates, it will switch VLANs and acquire an IP address from the scope assigned to that VLAN.
I hope this helps,
-Greg
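The giaddr-based scope selection described in the answer above, as an added example that is not part of the original thread or any vendor's code. It assumes the relay interface on each VLAN uses the gateway address from the question's /26 plan; the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# VLAN id -> (subnet, first lease, last lease), from the question's /26 plan.
SCOPES = {
    1: ("172.16.0.0/26", "172.16.0.1", "172.16.0.61"),
    2: ("172.16.0.64/26", "172.16.0.65", "172.16.0.125"),
    3: ("172.16.0.128/26", "172.16.0.129", "172.16.0.189"),
    4: ("172.16.0.192/26", "172.16.0.193", "172.16.0.253"),
}
BOOTP_FIXED_LEN = 236   # fixed BOOTP header that precedes the DHCP options
GIADDR_OFFSET = 24      # after op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr


def build_request(giaddr, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed sample: a BOOTREQUEST header as a relay would forward it."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    head = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x1234ABCD, 0, 0)
    addrs = ip("0.0.0.0") * 3 + ip(giaddr)      # ciaddr, yiaddr, siaddr, giaddr
    return head + addrs + mac.ljust(16, b"\x00") + bytes(64 + 128)


def giaddr_of(packet):
    """Extract the relay agent address the helper wrote into the request."""
    if len(packet) < BOOTP_FIXED_LEN:
        raise ValueError("truncated BOOTP header")
    return ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def select_scope(packet, server_ip):
    """Return (vlan_id, first, last) for the scope serving this request, or None."""
    key = giaddr_of(packet)
    if int(key) == 0:                 # not relayed: client shares the server's segment
        key = ipaddress.IPv4Address(server_ip)
    for vlan, (subnet, first, last) in SCOPES.items():
        if key in ipaddress.ip_network(subnet):
            return vlan, first, last
    return None                       # no scope covers the relay: server stays silent


if __name__ == "__main__":
    for relay in ("172.16.0.126", "172.16.0.190", "0.0.0.0", "10.9.9.9"):
        print(relay, "->", select_scope(build_request(relay), "172.16.0.1"))
```

The scope follows the VLAN the port was placed in after 802.1X, not the user directly: the RADIUS policy decides the VLAN, and the relay address on that VLAN decides the scope.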