All Topics » Pulse Policy Secure

Guest Vlan in Cisco

Contributor (11)
Dec 13, 2013 7:57am

I have successfully completed the implementation of a UAC cluster with 802.1x authentication, now i want to configure the guest vlan for the clients to download the pulse client.

i used this configuration:


aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

radius-server host auth-port 1812 acct-port 1813 key juniper

radius-server deadtime 1


interface FastEthernet0/9 

 switchport access vlan 5
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 53
 spanning-tree portfast


I already have a MAG on the vlan 53, how can I do to put the UAC on that vlan?.

I have found an option under System>Network>VLANs


do I have to configure that on the UAC or it is another way to redirect from the switch?







Contributor (11)
Dec 17, 2013 11:46pm

Hi Gulia,


I understand your query.


You can configure RADIUS request attribute policies option available in MAG UAC where we can enforce the action of processing authentication requests based on information in the RADIUS packet before a connection can be authenticated.


You assign RADIUS request attribute policies as a realm restriction.


Using RADIUS attributes policy available in the UAC IC device you can return VLAN attribute in which the Radius client ( Cisco switch ) will assign the VLAN based on the return attribute.It can be a gusrt VLAN or any other VLAN.


To configure a RADIUS attributes policy:


In the admin console, select UAC > Network Access > RADIUS Attributes.

Click New Policy.


On the New Policy page:


For Name, enter a name to label this policy.(Optional) For Description, enter al description for the policy.


Under Location Group, select the location groups to which you want to apply this policy, and click Add. To apply the policy to all location groups, do not add any location groups and use the default setting (all) listed in the Selected Location Groups list.


Under RADIUS Attributes, select from the following options


Open Port?Check this option if you do not want to assign endpoints to a VLAN or return any RADIUS attributes. Selecting this check box disables all other RADIUS Attributes options.


VLAN?Select this option to configure VLAN assignment according to RFC 3580 by returning the RADIUS tunnel attributes to the NAD. Specify the existing VLAN ID on the network infrastructure that you want to use for the role(s) to which this policy applies. Selecting this option is equivalent to manually specifying the three RFC 3580 RADIUS tunnel attributes in the Return Attribute section.


Return Attribute?Select this option to specify the return attributes you want sent to the NAD.

This will resolve your query.


Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks!


    Contributor (11)
    Dec 18, 2013 2:36pm

    Hi giulia


    You are right way , you can create vlan and give ip address from guest vlan for guest access.

    You need to make switch port that connected to the uac as trunk port and set native vlan uac access vlan .

    and tag guest vlan both switch and uac