ACS NAC and VLANs.

Unanswered Question
May 1st, 2007

We are working on configuring a NAC Framework test network. We've got to the point where we can successfully evaluate and flag a client PC as healthy or quarantined and enable/disable its switchport as appropriate. The next step that we are having a problem with is assigning the port to a VLAN; whatever we do, the port always seems to stay in the default VLAN 1. We've created additional VLANs for healthy and quarantined PCs but can't get the ports assigned whatever we try. We're pretty sure we are getting the syntax of the various settings in ACS correct, as wherever possible we are using templates to create settings profiles, and where no templates are available we've checked our settings very carefully.

The only error we can see is from a radius debug on the switch during the authentication process where it returns these messages:

03:48:39: dot1x-ev:Received VLAN is No Vlan

03:48:39: dot1x-ev:Received VLAN Id -1

There are several repeats of these during the debug.

Any ideas?

phoonts01 Wed, 05/30/2007 - 11:29

Did you configure these 3 attributes? You must set them so that the VLAN ID/Name can be assigned correctly. And on the switch you must include AAA network too.

IETF 64 (Tunnel Type): set this to VLAN

IETF 65 (Tunnel Medium Type): set this to 802

IETF 81 (Tunnel Private Group ID): set this to VLAN ID/name
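To check whether an ACS Access-Accept actually carries a usable VLAN assignment in the three attributes above, the following added example (not from the thread or from Cisco) decodes RADIUS attribute TLVs and applies the RFC 2868/RFC 3580 rule: Tunnel-Type must be VLAN (13), Tunnel-Medium-Type must be IEEE 802 (6), and a Tunnel-Private-Group-ID must be present, all grouped under the same tag. The grouping-by-tag rule follows the RFC; a given switch may be more lenient, which is an assumption here. The sample attribute blobs are constructed inline. Running the decoder over a capture of the real Access-Accept separates "the server never sent the VLAN" from a switch-side problem such as the one this thread ended on.

```python
"""Decode the RADIUS tunnel attributes that carry a dynamic VLAN assignment.

Added example, not code from the forum thread. It parses the attribute
section of a RADIUS Access-Accept and reports which VLAN, if any, a switch
would derive from IETF attributes 64, 65 and 81 (RFC 2868 / RFC 3580).
The sample packets below are constructed for illustration.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6      # RFC 3580: Tunnel-Medium-Type value meaning "IEEE 802"


def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute TLV sequence."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def _tagged_integer(value: bytes) -> tuple[int, int]:
    """Tunnel-Type / Tunnel-Medium-Type: 1-byte tag then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value: bytes) -> tuple[int, str]:
    """Tunnel-Private-Group-ID: optional tag (0x00-0x1F) then a string."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_from_access_accept(attrs: bytes):
    """Return the VLAN ID/name a switch would apply, or None.

    Assumption (per RFC 2868): the three attributes are grouped by tag, and a
    VLAN is applied only when one tag carries Tunnel-Type=13,
    Tunnel-Medium-Type=6 and a Tunnel-Private-Group-ID. Otherwise the port
    stays in its configured VLAN.
    """
    per_tag: dict[int, dict] = {}
    for attr_type, value in parse_attributes(attrs):
        if attr_type == TUNNEL_TYPE:
            tag, v = _tagged_integer(value)
            per_tag.setdefault(tag, {})["type"] = v
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            tag, v = _tagged_integer(value)
            per_tag.setdefault(tag, {})["medium"] = v
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = _tagged_string(value)
            per_tag.setdefault(tag, {})["group"] = v
    for fields in per_tag.values():
        if (fields.get("type") == TUNNEL_TYPE_VLAN
                and fields.get("medium") == TUNNEL_MEDIUM_802
                and "group" in fields):
            return fields["group"]
    return None


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV (used to construct the samples)."""
    return struct.pack("BB", attr_type, len(value) + 2) + value


# Constructed sample: a complete assignment to VLAN 20 under tag 1.
GOOD_ACCEPT = (
    build_attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + build_attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    + build_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20")
)

# Constructed sample: attribute 81 missing, so no VLAN can be derived.
INCOMPLETE_ACCEPT = (
    build_attr(TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + build_attr(TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
)

if __name__ == "__main__":
    print(vlan_from_access_accept(GOOD_ACCEPT))        # 20
    print(vlan_from_access_accept(INCOMPLETE_ACCEPT))  # None
```

Feed the attribute bytes of a captured Access-Accept (everything after the 20-byte RADIUS header) to `vlan_from_access_accept`; a `None` result means the server never sent a complete VLAN assignment, while a returned VLAN that the switch still ignores points at the switch side (AAA authorization for network, or the software it is actually running).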

andrew.brazier@... Wed, 05/30/2007 - 23:02

Yes, I had all those set, but I have solved the problem! I'd upgraded IOS on the switch to the required version for NAC and executed the boot command to get it to boot the correct version, but for some reason it didn't take effect. It took me a while to notice it was still running the old IOS.
