10-21-2009 11:26 AM
Hello,
I am trying to set up 802.1x with VLAN assignment. I have successfully gotten authentication to work, but the VLAN assignment does not get applied. I have tried this on a CE500 and a WS2950-12; both experience the same problem.
If I "debug dot1x all" I get some messages about "dot1x-ev:Received VLAN Id -1". If I packet capture on my RADIUS server I can see that the correct attribute pairs are going out. Nothing in the notes says that 802.1x with dynamic VLANs won't work.
Attribute Value Pairs
AVP: l=6 t=Framed-Protocol(7): PPP(1)
AVP: l=6 t=Service-Type(6): Framed-User(2)
AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)
AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20
AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)
AVP: l=6 t=EAP-Message(79) Last Segment[1]
AVP: l=46 t=Class(25): 53F9068C00000137000102000A011E630000000000000000...
AVP: l=14 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=51 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)
AVP: l=18 t=Message-Authenticator(80): 33B53112C51B15C40BFBDCE687F4C9C4
10-21-2009 12:32 PM
Please check if all 3 of these attributes are set correctly on the Radius server:
AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)
AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20
AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)
It seems like only the Tunnel-Private-Group-Id is set, not the other two.
cfr. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
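Added example, not part of the thread: a Python decoder for the three tunnel attributes, using the RFC 2868 tagged layout (one tag octet in front of the value). Read that way, 16777229 is tag 1 with value 13 (VLAN) and 16777222 is tag 1 with value 6 (IEEE-802), the values RFC 3580 specifies for VLAN assignment. The sample bytes are constructed from the types, lengths and values shown in the capture; all function names are illustrative.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
REQUIRED = {TUNNEL_TYPE: ("Tunnel-Type", 13),               # 13 = VLAN
            TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", 6)}  # 6 = IEEE-802

# Constructed sample: same types, lengths and values as the capture above.
SAMPLE = (bytes([65, 6, 1, 0, 0, 6]) + bytes([81, 5, 1]) + b"20"
          + bytes([64, 6, 1, 0, 0, 13]))

def parse_avps(data):
    """Yield (type, value_bytes) for each AVP in a RADIUS attribute area."""
    pos = 0
    while pos < len(data):
        left = len(data) - pos
        if left < 2 or not 2 <= data[pos + 1] <= left:
            raise ValueError(f"malformed AVP at offset {pos}")
        avp_type, length = data[pos], data[pos + 1]
        yield avp_type, data[pos + 2:pos + length]
        pos += length

def split_tagged_int(value):
    """Tagged integer: one tag octet, then a 3-octet big-endian value."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")

def split_tagged_string(value):
    """Tagged string: the first octet is a tag only when it is <= 0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")

def vlan_assignment(data):
    """Return (vlan_id_string_or_None, list_of_problems)."""
    found = {}
    for avp_type, value in parse_avps(data):
        if avp_type in REQUIRED:
            found[avp_type] = split_tagged_int(value)
        elif avp_type == TUNNEL_PRIVATE_GROUP_ID:
            found[avp_type] = split_tagged_string(value)
    problems = []
    for avp_type, (name, want) in REQUIRED.items():
        if avp_type not in found:
            problems.append(f"{name} missing")
        elif found[avp_type][1] != want:
            problems.append(f"{name} is {found[avp_type][1]}, expected {want}")
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        problems.append("Tunnel-Private-Group-Id missing")
    return found.get(TUNNEL_PRIVATE_GROUP_ID, (0, None))[1], problems
```

Calling `vlan_assignment(SAMPLE)` returns the VLAN string and an empty problem list when all three attributes decode to the expected values.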
10-21-2009 02:06 PM
I was finally able to make VLAN assignment work on the WS2950-12, but it still does not work on the CE500.
Running "debug dot1x all" on the CE500 web CLI does not show any logging of "dot1x-ev:Received VLAN Id -1" like the WS2950-12 did. This leads me to believe that the CE500 does not support 802.1x VLAN assignment even though I cannot find any documentation saying that.