RADIUS Authorization Components (RAC) doesn't work on ACS


Hi,


I have made a shared RAC where I defined the following RADIUS attributes:


Tunnel-type: VLAN

Tunnel-medium-type: 802

Tunnel-Private-Group-ID: QuarantineVLAN


So with this RAC I want to change the VLAN of a user who is quarantined.


So in the NAP (Network Access Profiles) in the Authorization section, I added a rule that links the Quarantine Posture State with this RAC.


But even though the Quarantine state is returned by the Trust Agent (so the posture state is definitely Quarantine), the host stays in its original VLAN instead of the Quarantine VLAN.


Anyone who knows a solution?

thanks.


Vivek Santuka (Cisco Employee) Tue, 04/17/2007 - 07:34

Hi,


Try using the vlan number instead of vlan name.


Regards,

Vivek

Anonymous (not verified) Wed, 04/18/2007 - 06:49
Hi Vivek,


first of all thank you for the quick response!


I've tried this but unfortunately, it doesn't seem to work...


On the switch, this is my configuration for the FastEthernet port the client is on:


interface fa0/17
switchport mode access
dot1x port-control auto
spanning-tree portfast


If I debug on the switch (using "debug radius") I can see (for example) that the RADIUS attribute with number 81 (Tunnel-Private-Group-ID) is sent, but because of the encryption I guess I cannot understand the values that are sent with it ...


Any other suggestions?


thanks!

Anonymous (not verified) Thu, 04/19/2007 - 01:27
I found out that the attributes aren't working at all. They also don't work in the group settings. (I thought it worked before but that was because I already assigned the vlan to the switchports via the command "switchport access vlan 8").


I've checked those attributes to be logged in the RADIUS accounting log, but they never have values in the log, only three dots instead.


Sometimes, with the command "debug radius", I can see these attributes (64: Tunnel-Type, 65: Tunnel-Medium-Type and 81: Tunnel-Private-Group-ID).


I've tried to make a new user who has the same per-user attributes and then debug on the switch with "debug aaa per-user" but this debugging doesn't return anything.


So it looks like the switch receives those attributes from the ACS server but they don't change the VLAN.


An example of the debug output:


attribute 64 6 0000000B
attribute 65 6 00000006
attribute 81 3 38191B43

thanks
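The three attributes named in the post above are the RFC 2868 tunnel attributes that RFC 3580 reuses for 802.1X VLAN assignment, and "debug radius" prints each one as "attribute &lt;type&gt; &lt;length&gt; &lt;hex&gt;". The following encoder/decoder is an added example, not code from the thread or from Cisco: it builds the three attributes the way a RADIUS server would send them, parses them back with length checks, and decodes debug lines of that format. The sample debug lines are constructed (Tunnel-Type 13 = VLAN and Tunnel-Medium-Type 6 = IEEE-802 are the RFC values), and a line whose hex does not match the declared length is rejected rather than guessed at.

```python
import re
import struct

# RFC 2868 attribute numbers; RFC 3580 specifies their use for 802.1X VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_NAMES = {13: "VLAN"}        # RFC 3580: Tunnel-Type 13 = VLAN
TUNNEL_MEDIUM_NAMES = {6: "IEEE-802"}   # RFC 2868: Tunnel-Medium-Type 6 = 802


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes a RADIUS server sends to place a port in a VLAN.

    Tunnel-Type and Tunnel-Medium-Type carry 1 tag byte + 3 value bytes (length 6).
    Tunnel-Private-Group-ID is a string holding the VLAN id or name; a tag byte is
    prepended only when tag > 0, as RFC 2868 allows.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..0x1F")
    vlan = str(vlan_id).encode("ascii")
    out = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + (13).to_bytes(3, "big")
    out += struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + (6).to_bytes(3, "big")
    body = (bytes([tag]) if tag else b"") + vlan
    out += struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)) + body
    return out


def parse_attrs(data):
    """Split a RADIUS attribute list into (type, value) pairs, checking every length."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"attribute {attr_type}: bad length {length}")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def decode_tunnel_attr(attr_type, value):
    """Interpret one of the three tunnel attributes; any other type is returned as hex."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError(f"attribute {attr_type}: expected 4 value bytes, got {len(value)}")
        number = int.from_bytes(value[1:], "big")
        names = TUNNEL_TYPE_NAMES if attr_type == TUNNEL_TYPE else TUNNEL_MEDIUM_NAMES
        return {"attr": attr_type, "tag": value[0], "value": number,
                "name": names.get(number, f"unknown({number})")}
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        # RFC 2868: a leading byte <= 0x1F is a tag; anything larger starts the string
        if value and value[0] <= 0x1F:
            tag, text = value[0], value[1:]
        else:
            tag, text = None, value
        return {"attr": attr_type, "tag": tag, "value": text.decode("ascii", "replace")}
    return {"attr": attr_type, "raw": value.hex()}


# Matches the "attribute <type> <length> <hex>" lines that "debug radius" prints
DEBUG_RE = re.compile(r"attribute (\d+) (\d+) ([0-9A-Fa-f]+)")


def decode_debug_line(line):
    """Decode one debug line, rejecting lines whose hex does not match the declared length."""
    m = DEBUG_RE.search(line)
    if not m:
        raise ValueError(f"not an attribute line: {line!r}")
    attr_type, length, hexval = int(m[1]), int(m[2]), m[3]
    value = bytes.fromhex(hexval)
    if len(value) != length - 2:
        raise ValueError(f"attribute {attr_type}: length implies {length - 2} value bytes, hex has {len(value)}")
    return decode_tunnel_attr(attr_type, value)


# Constructed sample lines in the debug format (not the thread's own output)
SAMPLE_DEBUG = [
    "attribute 64 6 0000000D",   # Tunnel-Type 13 -> VLAN
    "attribute 65 6 00000006",   # Tunnel-Medium-Type 6 -> IEEE-802
    "attribute 81 3 38",         # Tunnel-Private-Group-ID "8", no tag byte
]

if __name__ == "__main__":
    for line in SAMPLE_DEBUG:
        print(line, "->", decode_debug_line(line))
    wire = encode_vlan_attrs("QuarantineVLAN", tag=1)
    print(wire.hex(), "->", [decode_tunnel_attr(t, v) for t, v in parse_attrs(wire)])
```

Only User-Password and Tunnel-Password are obscured on the RADIUS wire; the three attributes above travel as plain TLVs, so a debug line can be read directly once the tag byte is accounted for. A Tunnel-Private-Group-ID of length 3 carries exactly one string byte, which is why the decoder refuses a longer hex string instead of silently truncating it.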

Anonymous (not verified) Thu, 04/19/2007 - 05:09
OK, I found the "solution" myself.


Actually it was a typing mistake in the switch configuration:

I typed:

aaa authorization network defualt group radius

instead of:

aaa authorization network default group radius


Now this problem is solved, so I get into the correct VLAN. But in the Quarantine VLAN, the Cisco Trust Agent icon remains yellow and shows that it is still connecting. Also, every few minutes it asks for my user credentials.


But the device is in the correct VLAN and got the correct IP address assigned from the DHCP server in the quarantine VLAN, so that part works.
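The root cause in the post above is worth checking for mechanically: IOS accepts "aaa authorization network defualt group radius" without complaint because it simply creates a named method list called "defualt", and 802.1X only ever consults the list named "default", so the RADIUS attributes arrive and are ignored. The checker below is an added example, not the thread's or Cisco's own code. It parses "show running-config" style text (interface sub-commands recognised by their leading space), reports which global prerequisites are absent, flags any network authorization list whose name is not "default", and lists what each access port is missing. The required-command list and the sample config are assumptions about a typical 802.1X switch setup; the sample is constructed and reproduces the typo from the post.

```python
import re

# Global commands 802.1X dynamic VLAN assignment depends on (assumed typical set).
# Only the "default" network authorization list is used by 802.1X, so a misspelt
# list name is silently accepted as a new named list that nothing ever references.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
)
REQUIRED_PORT = ("switchport mode access", "dot1x port-control auto")

AUTHZ_RE = re.compile(r"^aaa authorization network (\S+) ")


def split_config(text):
    """Return (global_lines, {interface: [sub_commands]}) from running-config text.

    Interface sub-commands are recognised by their leading indentation, as IOS prints them.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        else:
            global_lines.append(raw.strip())
    return global_lines, interfaces


def check_dynamic_vlan(text):
    """Report what is missing for RADIUS-assigned VLANs to be applied on this switch."""
    global_lines, interfaces = split_config(text)
    present = set(global_lines)
    missing = [cmd for cmd in REQUIRED_GLOBAL if cmd not in present]
    # Named network authorization lists are never used by 802.1X: likely typos for "default"
    unused_lists = []
    for line in global_lines:
        m = AUTHZ_RE.match(line)
        if m and m.group(1) != "default":
            unused_lists.append(m.group(1))
    ports = {name: [cmd for cmd in REQUIRED_PORT if cmd not in cmds]
             for name, cmds in interfaces.items()}
    return {"missing_global": missing, "unused_authz_lists": unused_lists, "ports": ports}


# Constructed sample config (hypothetical switch); it contains the "defualt" typo
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network defualt group radius
dot1x system-auth-control
!
interface FastEthernet0/17
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
"""

if __name__ == "__main__":
    for key, val in check_dynamic_vlan(SAMPLE_CONFIG).items():
        print(f"{key}: {val}")
```

Run against a real "show running-config" dump the report points at the exact global line that is missing and names the orphaned list, which is a faster check than re-reading debug output that already shows the attributes arriving.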

Anonymous (not verified) Fri, 04/20/2007 - 03:18
OK, I've solved the problem: you need to set the ePO server as the "default-gateway" for your Quarantine VLAN. Otherwise, the client cannot connect to it for some reason.


So this topic can be marked as solved.
