Send port vlan to radius/ACS

Answered Question
Apr 30th, 2010

Hello,

I'm currently looking for a way to enable the switch to send the port VLAN in a RADIUS request. When a dot1x authentication occurs, the switch sends loads of information to the ACS but not the VLAN.

I found the RADIUS attribute 87 (NAS-Port-Id), which is apparently not supported on Catalyst switches, but even then only the port name is given (for example FastEthernet0/2).

Any other ideas?

Thanks for your help,

David


AH!

I do not believe your exact answer exists.  You might want to look at RFC4675.  With some tweaking of VLAN memberships and VLAN IDs you may be able to get what you want to work how you want it to work.  Minimally you can set up tagging so that users who log in will not have access to VLANs they should not have access to, and it sounds like that is your big picture goal.


I am assuming since you posted in LAN that this is not for a VPN assignment.

The other problem with your request is that you're saying you want the switch to send the VLAN to RADIUS?  If you wanted to send VLAN info somewhere, you can just have a Linux server grab logs and then send the data to anywhere you want.

The more difficult configuration, and what people usually ask for, is to have RADIUS set a VLAN on a switch.  If this is what you are trying to do, I would recommend this to help you:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

David Coupez Tue, 05/04/2010 - 00:24

Thank you for your reply.

Indeed, it has nothing to do with VPN.

What I need is indeed to send the VLAN information from the switch to the RADIUS server (not the opposite, which can be easily solved by IETF attributes).

I'd like to use the VLAN information (in addition to others) to determine whether a client is granted access or not.

Thank you for your time,

David

David Coupez Tue, 05/04/2010 - 06:40

If the link you're speaking of is "Dynamic VLAN Assignment with RADIUS", it's not what I'm looking for.

I know how to assign a dynamic VLAN on a port; my problem is quite the opposite: using the static VLAN configured on a port in the authentication decision process.

Thanks

David Coupez Tue, 05/04/2010 - 07:44

The purpose is to reach the same goal as dynamic VLANs but with static ones.

For example, a port is configured in VLAN 10. A device connects on the port and initiates an EAPOL negotiation.

A RADIUS packet which includes the VLAN number is sent to the RADIUS server. Thanks to the account/machine information AND the VLAN, the RADIUS server checks if the account belongs to a specific AD group. If it does, authentication succeeds and the port is opened.

In other words, the purpose is to refuse a person from a service A access to a port statically configured for a service B.
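The server-side decision described in this post, as an added example that is not part of the thread or of any Cisco/ACS software. It assumes the VLAN reaches the RADIUS server as the RFC 4675 Egress-VLANID attribute mentioned in the reply above (the thread notes Catalyst switches may not send it), and the group-to-VLAN policy table is constructed for illustration.

```python
import struct

# RFC 4675 Egress-VLANID value: 8-bit tag indicator, 12 zero pad bits, 12-bit VLAN ID
TAGGED, UNTAGGED = 0x31, 0x32


def encode_egress_vlanid(vlan_id, tagged=False):
    """Build the 4-octet Egress-VLANID attribute value for a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    indicator = TAGGED if tagged else UNTAGGED
    return struct.pack("!I", (indicator << 24) | (vlan_id & 0x0FFF))


def decode_egress_vlanid(value):
    """Parse the attribute value; returns (vlan_id, is_tagged). Rejects malformed input."""
    if len(value) != 4:
        raise ValueError("Egress-VLANID must be 4 octets")
    (word,) = struct.unpack("!I", value)
    indicator = word >> 24
    if indicator not in (TAGGED, UNTAGGED):
        raise ValueError("unknown tag indicator 0x%02x" % indicator)
    if (word >> 12) & 0x0FFF:
        raise ValueError("pad bits must be zero")
    vlan_id = word & 0x0FFF
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return vlan_id, indicator == TAGGED


# Constructed policy: which directory group may authenticate on ports in which static VLAN
# (assumed values, not from the thread).
VLAN_POLICY = {10: {"service-a"}, 20: {"service-b"}}


def authorize(user_groups, egress_vlanid):
    """Accept only when the account's group matches the port's static VLAN; deny by default."""
    try:
        vlan_id, _tagged = decode_egress_vlanid(egress_vlanid)
    except ValueError:
        return "Access-Reject"  # malformed attribute: never fall through to accept
    allowed = VLAN_POLICY.get(vlan_id)
    if allowed is None:
        return "Access-Reject"  # VLAN not in policy: deny rather than guess
    return "Access-Accept" if allowed & set(user_groups) else "Access-Reject"
```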


David Coupez Thu, 05/06/2010 - 04:22

Mmmh, I think I'll have to stick to Cisco's recommendation through dynamic VLANs. I cannot rely on unsupported commands.

I'll find a way to deal with dynamic VLANs.

Thank you for your time,

David
