Send port vlan to radius/ACS

David Coupez
Level 1

Hello,

I'm currently looking for a way to enable the switch to send the port VLAN in a RADIUS request. When a dot1x authentication occurs, the switch sends loads of information to the ACS but not the VLAN.

I found the RADIUS attribute 87 (NAS-Port-Id) which is apparently not supported on catalyst switches but even then, only the port name is given (for example FastEthernet0/2).

Any other ideas?

Thanks for your help,

David


8 Replies

rwagner
Level 1

I am assuming since you posted in LAN that this is not for a VPN assignment.

The other problem with your request is that you're saying you want the switch to send the vlan to radius?  If you wanted to send vlan info somewhere you can just have a linux server grab logs and then send the data to anywhere you want.

The more difficult configuration, and what people usually ask for, is to have Radius set a vlan on a switch.  If this is what you are trying to do I would recommend this to help you:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

Thank you for your reply.

Indeed, it has nothing to do with VPN.

My need is indeed to send the vlan information from the switch to the radius server (not the opposite, which can be easily solved by IETF attributes).

I'd like to use the VLAN information (in addition to others) to determine whether a client is granted access or not.

Thank you for your time,

David

Follow the instructions in that link.  It will show you how to identify to exactly that.

If the link you're speaking of is "Dynamic VLAN Assignment with RADIUS", it's not what I'm looking for.

I know how to assign a dynamic vlan on a port; my problem is quite the opposite: using the static VLAN configured on a port in the authentication decision process.

Thanks

IC.

Fill in the blank so we can better understand your question/goal.

1) User walks up to a workstation and tries to login.  The workstation is on vlan 10.

2) The user is authenticated with their windows AD username/password.

3) (What do you want the vlan being used to do)

The purpose is to reach the same goal as dynamic vlan but with statics.

For example, a port is configured in vlan 10. A device connects on the port and initiates an EAPOL negotiation.

A radius packet which includes the VLAN number is sent to the radius. Thanks to the account/machine information AND the vlan, the RADIUS checks if the account belongs to a specific AD group. If it does, authentication succeeds and the port is opened.

In other words, the purpose is to refuse a person from a service A to access a port statically configured for a service B.

AH!

I do not believe your exact answer exists.  You might want to look at RFC4675.  With some tweaking of vlan memberships and vlan id's you may be able to get what you want to work how you want it to work.  Minimally you can set up tagging so that users who login will not have access to vlans they should not have access to, and it sounds like that is your big picture goal.
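As an added example, not code from the thread or from Cisco, here is the wire format of the RFC 4675 Egress-VLANID attribute the answer above points to (type 56, one tag octet 0x31 tagged / 0x32 untagged, 12 zero pad bits, 12-bit VLAN id), together with the server-side decision David describes: accept only when the VLAN reported for the port is allowed for the user's group. The VLAN-to-group policy table and the group names are constructed assumptions; whether a given switch will actually emit this attribute toward the server is exactly the support question the thread leaves open.

```python
import struct

EGRESS_VLANID = 56            # RFC 4675 attribute type
TAGGED, UNTAGGED = 0x31, 0x32  # RFC 4675 tag indication octet

def encode_egress_vlanid(vlan_id, tagged=False):
    """Build one RADIUS TLV (type, length, value) carrying a port VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id outside the 802.1Q range")
    tag = TAGGED if tagged else UNTAGGED
    value = (tag << 24) | vlan_id   # 8-bit tag, 12-bit zero pad, 12-bit VLANID
    return struct.pack("!BBI", EGRESS_VLANID, 6, value)

def decode_egress_vlanid(tlv):
    """Return (vlan_id, tagged); reject anything that is not a well-formed attribute."""
    if len(tlv) < 6:
        raise ValueError("attribute truncated")
    atype, alen, value = struct.unpack("!BBI", tlv[:6])
    if atype != EGRESS_VLANID or alen != 6:
        raise ValueError("not an Egress-VLANID attribute")
    tag = value >> 24
    if tag not in (TAGGED, UNTAGGED) or (value >> 12) & 0xFFF:
        raise ValueError("malformed Egress-VLANID value")
    return value & 0xFFF, tag == TAGGED

# Constructed policy: which groups may authenticate on a port in which static VLAN.
VLAN_POLICY = {10: {"service-a"}, 20: {"service-b"}}

def authorize(user_groups, tlvs):
    """Server-side check: the port VLAN(s) the NAS reports must be permitted for the user."""
    vlans = [decode_egress_vlanid(t)[0] for t in tlvs]
    if not vlans:
        return False   # no VLAN reported: fail closed rather than guess
    groups = set(user_groups)
    return all(VLAN_POLICY.get(v, set()) & groups for v in vlans)
```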

Mmmh, I think I'll have to stick to Cisco's recommendation through Dynamic VLANs. I cannot rely on unsupported commands.

I'll find a way to deal with dynamic vlans.

Thank you for your time,

David
