Why can't the user get the right VLAN via 802.1X?

QFX527518
Level 1

On the WS-C2950G-24-E1, I defined dot1x. Now the user can pass authentication, but the user can't get the right VLAN. Why?

Can anyone give some example configs for 802.1X on the switch?

Or does the switch not support dynamic VLAN assignment with RADIUS?

1 Accepted Solution

Hi

What version of IOS are you using? This feature is supported only on Enhanced Images.

You say that your normal dot1x works fine, but only the dynamic port assignment using RADIUS doesn't work? Am I right?

Configure the following on your ACS server:

Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:

[64] Tunnel-Type = VLAN

[65] Tunnel-Medium-Type = 802

[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

You need to send the RADIUS VSA attributes to and from the switch. Do a debug dot1x and debug radius to see the exact flow of traffic to and from the RADIUS server. Can you share your configuration please?

You can look at the following URL for more info:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_20_ea2/configuration/guide/sw8021x.html#wp1095811

Hope this helps. All the best,

Raj
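The three attributes Raj lists are the whole contract between the RADIUS server and the switch, so it is worth checking that an Access-Accept really carries all three with the right values ([64] = 13 for VLAN, [65] = 6 for IEEE-802, [81] = the VLAN name or ID) before blaming the switch. The Python below is an added example, not code from this thread or from Cisco; it decodes only the attribute list (no RADIUS header or authenticator check) and assumes at most one instance of each attribute.

```python
# RFC 2868 tunnel attributes an Access-Accept must carry for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6    # Tunnel-Medium-Type value "IEEE-802"


def tunnel_int(tag, value):
    """Encode a tagged integer tunnel attribute: 1 tag byte + 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def encode_attrs(attrs):
    """Serialise (type, value) pairs into RADIUS attribute TLVs: type, length, value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS attribute TLVs; raise on a truncated or malformed attribute."""
    attrs, i = [], 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def dynamic_vlan(attrs):
    """Return the VLAN name or ID the switch would apply, or None when any of the
    three attributes is absent or carries the wrong value (assumes one of each)."""
    found = dict(attrs)
    if found.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    if found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_802.to_bytes(3, "big"):
        return None
    pgid = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if pgid and pgid[0] <= 0x1F:   # RFC 2868: a leading byte <= 0x1F is a tag, not text
        pgid = pgid[1:]
    return pgid.decode("ascii", "replace") or None


# Constructed sample: a correct reply for VLAN 20 (tag 1 on all three attributes)
GOOD = encode_attrs([(TUNNEL_TYPE, tunnel_int(1, TUNNEL_TYPE_VLAN)),
                     (TUNNEL_MEDIUM_TYPE, tunnel_int(1, TUNNEL_MEDIUM_802)),
                     (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20")])
# Constructed sample: a server that sets only [81]; the switch will not move the port
INCOMPLETE = encode_attrs([(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20")])

if __name__ == "__main__":
    print("good reply  ->", dynamic_vlan(decode_attrs(GOOD)))        # 20
    print("only [81]   ->", dynamic_vlan(decode_attrs(INCOMPLETE)))  # None
```

The attribute bytes to feed in are the ones shown by debug radius on the switch or a capture of the Access-Accept on UDP 1812.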


sachinraja
Level 9

Hi

Can you post your switch configuration?

Normally with dot1x, you have different VLANs which you can configure on a switch port: the access VLAN, when the user authentication is successful; the guest VLAN, when the user does not have a dot1x client; and the authentication failure VLAN, when the user authentication fails a particular number of times.

Is the authentication fine in your case? Is he getting onto the configured access VLAN? Yes, with RADIUS you can inject dynamic VLAN information. What RADIUS server are you using? What kind of client are you using?

Switch(config)# dot1x system-auth-control

Switch(config)# interface fastethernet0/1

Switch(config-if)# switchport mode access

Switch(config-if)# dot1x port-control auto

Switch(config)# radius-server host 172.120.39.46 auth-port 1612 key rad123

Switch(config-if)# dot1x guest-vlan 9

I copied these configs from the following guide. You can have a look at this URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/Sw8021x.html#wp1047914

Hope this helps. All the best,

Raj

Thanks sachinraja.

In our case, the user can pass authentication. If the user sets the client IP address to one belonging to the default VLAN (VLAN 1), the client works correctly. If the user sets an IP address belonging to another VLAN (like 20), the client can't work correctly, e.g. it can't ping the gateway of VLAN 20.

In our ACS (version 3.3), we defined the RADIUS [081] Tunnel-Private-Group-ID as 20. Using debug radius, we can see that RADIUS has sent the VLAN information to the switch, but the switch can't change the interface access VLAN.

For the other AAA definitions, we have defined config-commands and network authorization.

why???


The switch config is like this. Through the trunk port, the switch learns 30 VLANs, including 73, 74, 75, 1, etc.

I want Fa0/1, once it has passed authentication, to obtain VLAN 73, but now it can't.

-------------------------------------------------------

KF29SW42-C2#sh run
Building configuration...

Current configuration : 4199 bytes
!
! No configuration change since last restart
!
version 12.1
hostname KF29SW42-C2
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius
aaa accounting commands 15 default start-stop group tacacs+
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
interface FastEthernet0/1
switchport mode access
switchport port-security aging time 10
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan dynamic
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 73
switchport mode access
!
.....................................
interface FastEthernet0/23
switchport access vlan 85
switchport mode access
!
interface FastEthernet0/24
description To_KF45SW04
switchport mode trunk
!
interface Vlan1
ip address 7.143.3.192 255.255.255.0
no ip route-cache
!
ip default-gateway 7.143.3.254
radius-server host 7.135.31.213 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 3
radius-server vsa send accounting
radius-server vsa send authentication
!

KF29SW42-C2#sh version
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 20:58 by yenanh
Image text-base: 0x80010000, data-base: 0x805A8000

We changed the IOS, and now the user is automatically assigned the VLAN. Thanks.

Ganesh Hariharan
VIP Alumni

On the WS-C2950G-24-E1, I defined dot1x. Now the user can pass authentication, but the user can't get the right VLAN. Why?

Can anyone give some example configs for 802.1X on the switch?

Or does the switch not support dynamic VLAN assignment with RADIUS?

Hi,

Check out the two links below on Cisco switch and Cisco ACS configuration for 802.1x. Hope that helps.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/Sw8021x.html#wp1047914

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml

Ganesh.H
