802.1x with vlan assignment

Answered Question
Oct 21st, 2009

Hello,


I am trying to set up 802.1x with VLAN assignment. I have successfully gotten authentication to work, but the VLAN assignment does not get applied. I have tried this on a CE500 and a WS2950-12; both experience the same problem.



If I "debug dot1x all" I get some messages about "dot1x-ev:Received VLAN Id -1". If I packet capture on my radius server I can see that the correct attribute pairs are going out. Nothing in the notes says that 802.1x with dynamic VLANs won't work.


Attribute Value Pairs

AVP: l=6 t=Framed-Protocol(7): PPP(1)

AVP: l=6 t=Service-Type(6): Framed-User(2)

AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)

AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)

AVP: l=6 t=EAP-Message(79) Last Segment[1]

AVP: l=46 t=Class(25): 53F9068C00000137000102000A011E630000000000000000...

AVP: l=14 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=51 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=18 t=Message-Authenticator(80): 33B53112C51B15C40BFBDCE687F4C9C4

Correct Answer by Herbert Baerten about 7 years 8 months ago

Please check if all 3 of these attributes are set correctly on the Radius server:


AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)

AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)


It seems like only the Tunnel-Private-Group-Id is set, not the other two.


cfr. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

Overall Rating: 5 (1 ratings)
Herbert Baerten Wed, 10/21/2009 - 12:32
User Badges:
  • Cisco Employee,


yaplej Wed, 10/21/2009 - 14:06

I was finally able to make vlan assignment work on the WS2950-12, but it still does not work on the CE500.


Running "debug dot1x all" on the CE500 web CLI does not show any logging of "dot1x-ev:Received VLAN Id -1" like the WS2950-12 did. This leads me to believe that the CE500 does not support 802.1x VLAN assignment even though I cannot find any documentation saying that.
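
The three tunnel attributes discussed in this thread, decoded in an added example (not code from any poster or from Cisco). RFC 2868 puts a one-byte tag in front of the 24-bit Tunnel-Type and Tunnel-Medium-Type values, so the 32-bit numbers printed in the capture, 16777229 and 16777222, split into tag 1 with VLAN (13) and tag 1 with 802 (6). The function names, the strict rule that all three tags must match, and the sample bytes are assumptions constructed for illustration.

```python
# Added example: decode RADIUS tunnel attributes (RFC 2868) and check the
# RFC 3580 VLAN-assignment triple. All sample bytes below are constructed.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # enumerated values from RFC 2868 / RFC 3580


def parse_avps(data):
    """Walk type/length/value attributes; length includes the 2-byte header."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def split_tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: 1-byte tag, then 24-bit value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    raw = struct.unpack("!I", value)[0]
    return raw >> 24, raw & 0xFFFFFF


def vlan_assignment(data):
    """Return the VLAN string when all three attributes agree, else None."""
    found = {}
    for atype, value in parse_avps(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            found[atype] = split_tagged_int(value)
        elif atype == TUNNEL_PGID and value:
            # The first byte is a tag only when it is <= 0x1F (RFC 2868).
            tagged = value[0] <= 0x1F
            found[atype] = (value[0] if tagged else 0,
                            (value[1:] if tagged else value).decode())
    if set(found) != {TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID}:
        return None
    if found[TUNNEL_TYPE][1] != VLAN or found[TUNNEL_MEDIUM][1] != IEEE_802:
        return None
    if len({tag for tag, _ in found.values()}) != 1:  # assumed strict rule
        return None
    return found[TUNNEL_PGID][1]


# Constructed bytes reproducing the three tunnel AVPs shown in the capture.
SAMPLE = bytes.fromhex("410601000006" "5105013230" "40060100000d")
```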
