Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
663
Views
0
Helpful
2
Replies

802.1x with vlan assignment

Go to solution
yaplej
Level 1
Level 1

‎10-21-2009 11:26 AM

Hello,

I am trying to setup 802.1x with VLAN assignment. I have sucessfully gotten authentication to work, but the VLAN assigment does not get applied. I have tried this on a CE500, and a WS2950-12 both experiance the same problem.

If I "debug dot1x all" I get some messages about "dot1x-ev:Received VLAN Id -1", if I packet capture on my radius server I can see that the correct attribute pairs are going out. Nothing in the notes say that 802.1x with dynamic VLANs wont work.

Attribute Value Pairs

AVP: l=6 t=Framed-Protocol(7): PPP(1)

AVP: l=6 t=Service-Type(6): Framed-User(2)

AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)

AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)

AVP: l=6 t=EAP-Message(79) Last Segment[1]

AVP: l=46 t=Class(25): 53F9068C00000137000102000A011E630000000000000000...

AVP: l=14 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=51 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=18 t=Message-Authenticator(80): 33B53112C51B15C40BFBDCE687F4C9C4

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎10-21-2009 12:32 PM

Please check if all 3 of these attributes are set correctly on the Radius server:

AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)

AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)

It seems like only the Tunnel-Private-Group-Id is set, not the other two.

cfr. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎10-21-2009 12:32 PM

Please check if all 3 of these attributes are set correctly on the Radius server:

AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)

AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)

It seems like only the Tunnel-Private-Group-Id is set, not the other two.

cfr. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

0 Helpful

Go to solution
yaplej
Level 1
Level 1

‎10-21-2009 02:06 PM

I was finally able to make vlan assignment work on the WS2950-12, but it still does not work on the CE500.

Running "debug dot1x all" on the CE500 web CLI does not show any logging of ""dot1x-ev:Received VLAN Id -1" like the WS2950-12 did. This leads me to believe that the CE500 does not support 802.1x VLAN assignment even though I cannot find any documentation saying that.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents