C2960 with RADIUS

Answered Question
Jul 27th, 2010

Hello, everyone!

I have a problem with dynamic VLAN assignment. The setup is basically the following:

Host - Switch - RADIUS Server

I have no problem authenticating, messages get through without any problems.

The thing is the switch doesn't seem to notice the additional info the RADIUS server provides, e.g. the [64] Tunnel-Type, [65] Tunnel-Medium-Type, and [81] Tunnel-Private-Group-ID.

Here is my sw configuration and some radius configuration

Current configuration : 1795 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
!
!
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
!
interface GigabitEthernet0/3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
!
interface Vlan1
 ip address 10.2.1.4 255.255.255.0
 no ip route-cache
!
ip http server
ip http secure-server
radius-server host 10.2.1.2 auth-port 1812 acct-port 1813
radius-server key testing123
!
control-plane
!
!
!
end

The VLANs are:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
2    MAN                              active
3    GRE                              active
4    BLU                              active
13   GUEST                            active
99   NATVIE                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

The RADIUS user is:

userc   Cleartext-Password := "pass3"
        Service-Type = Framed-User,
        Tunnel-Medium-Type = "802",
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = "GRE"

IOS Version 12.2(44)SE6

As you see, it's a pretty standard configuration and although the authentication itself works, the dynamic VLAN assignment doesn't.
Any ideas on what might solve the problem?
Correct Answer
Javier Henderson Tue, 07/27/2010 - 08:51

Add the following to your configuration and test again:

aaa authorization network default group radius

incotexbg Wed, 07/28/2010 - 01:11

Thank you very much for pointing that out!   We have it working finally!

For anyone reading and searching the net on this topic, here's what works for me:

The FreeRADIUS Server is mostly with its default settings, apart from the things you have to change in order for mschapv2 authentication to work and this:

eap.conf -> copy_request_to_tunnel = yes

clients.conf -> client 10.2.1.4 {
                    secret = somesecret
                    shortname = blah_blah
                    nastype = cisco
                }

users -> user   Cleartext-Password := "pass"
                Service-Type = Framed-User,
                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Type = "VLAN",
                Tunnel-Private-Group-Id = 2

For the 'Tunnel-Private-Group-Id' attribute you can supply either the number of the VLAN or its NAME. It's case-sensitive, and be sure to add the VLAN manually (or via VTP) to the switch before attempting dynamic assignment. For the Tunnel-Medium-Type I use IEEE-802. Just "802" does not work, contrary to some internet articles.

For the IOS c2960-lanbasek9-mz.122-44.SE6, I use the following info:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1025133

all the way down to 'Configuring the Host Mode'. I had to enable the VSA functions or whatever it is with the radius-server vsa send authentication.

For the IOS c2960-lanbasek9-mz.122-53.SE2 I use this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_53_se/configuration/guide/sw8021x.html#wp1025133

all the way down to 'Configuring the Host Mode'. I had to enable the VSA functions or whatever it is with the radius-server vsa send authentication.

Thanks again and happy networking!!
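As an added example (not code from this thread, from Cisco or from the FreeRADIUS project), here is a small Python pre-flight check that encodes the rules the two posts above arrive at: the switch needs 'aaa authorization network default group radius' before it applies RADIUS reply attributes, Tunnel-Type must be VLAN and Tunnel-Medium-Type must be IEEE-802 (plain "802" fails), and Tunnel-Private-Group-Id must be the number or the case-sensitive name of a VLAN that already exists and is active on the switch. The switch config lines, the 'show vlan' output and the two users-file entries in the script are constructed to mirror the thread rather than captured from a device, the function names are mine, and 'radius-server vsa send authentication' is reported only as a warning because the follow-up post reports needing it without the thread establishing why.

```python
# Added example (not code from the thread): pre-flight check that a FreeRADIUS users
# entry, the switch's VLAN table and the switch config agree before trying dynamic VLAN.
import re

# Constructed: relevant lines of the original, non-working switch config.
SWITCH_CONFIG_BEFORE = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 10.2.1.2 auth-port 1812 acct-port 1813
"""
# Constructed: the same config with the accepted answer's fix applied.
SWITCH_CONFIG_AFTER = SWITCH_CONFIG_BEFORE + """\
aaa authorization network default group radius
radius-server vsa send authentication
"""
# Constructed: abridged 'show vlan' output in the format the switch prints.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2
2    MAN                              active
3    GRE                              active
1002 fddi-default                     act/unsup
"""
# Constructed: the original users-file entry (wrong medium type, wrong name case).
USERS_ENTRY_BAD = """\
userc   Cleartext-Password := "pass3"
        Service-Type = Framed-User,
        Tunnel-Medium-Type = "802",
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = "gre"
"""
# Constructed: the working entry from the follow-up post.
USERS_ENTRY_GOOD = """\
user    Cleartext-Password := "pass"
        Service-Type = Framed-User,
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = 2
"""

def parse_show_vlan(text):
    """Map VLAN id -> (name, status); header, separator and port continuation lines are skipped."""
    vlans = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            vlans[int(m.group(1))] = (m.group(2), m.group(3))
    return vlans

def parse_users_entry(text):
    """Return (username, reply items) for one users-file entry; the ':=' check item on line 1 is not a reply item."""
    lines = text.strip().splitlines()
    reply = {}
    for line in lines[1:]:
        m = re.match(r'\s*([\w-]+)\s*=\s*"?([^",]*)"?\s*,?\s*$', line)
        if m:
            reply[m.group(1)] = m.group(2).strip()
    return lines[0].split()[0], reply

def check_dynamic_vlan(switch_config, show_vlan_text, users_entry):
    """Return (errors, warnings); no errors means the switch should honour the VLAN reply."""
    errors, warnings = [], []
    # The switch ignores RADIUS reply attributes unless network authorization is on (the accepted answer).
    if not re.search(r"^aaa authorization network \S+ group radius", switch_config, re.M):
        errors.append("switch: missing 'aaa authorization network default group radius'")
    # The follow-up post reports also needing this; flagged as a warning rather than a hard failure.
    if "radius-server vsa send authentication" not in switch_config:
        warnings.append("switch: 'radius-server vsa send authentication' not configured")
    user, reply = parse_users_entry(users_entry)
    # Both tunnel attributes must carry the values the switch expects ("802" alone is not accepted).
    for attr, want in (("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802")):
        if reply.get(attr) != want:
            errors.append(f"{user}: {attr} must be {want}, got {reply.get(attr)!r}")
    # Tunnel-Private-Group-Id is a VLAN number or its case-sensitive name; the VLAN must already exist.
    vlans = parse_show_vlan(show_vlan_text)
    group = reply.get("Tunnel-Private-Group-Id")
    vid = None
    if group is None:
        errors.append(f"{user}: Tunnel-Private-Group-Id missing")
    elif group.isdigit():
        vid = int(group) if int(group) in vlans else None
        if vid is None:
            errors.append(f"{user}: VLAN {group} does not exist on the switch")
    else:
        by_name = {name: v for v, (name, _status) in vlans.items()}
        vid = by_name.get(group)
        if vid is None:
            near = [n for n in by_name if n.lower() == group.lower()]
            hint = f" (did you mean {near[0]!r}? names are case-sensitive)" if near else ""
            errors.append(f"{user}: no VLAN named {group!r} on the switch{hint}")
    if vid is not None and vlans[vid][1] != "active":
        errors.append(f"{user}: VLAN {vid} is {vlans[vid][1]}, not active")
    return errors, warnings

if __name__ == "__main__":
    for cfg, entry in ((SWITCH_CONFIG_BEFORE, USERS_ENTRY_BAD), (SWITCH_CONFIG_AFTER, USERS_ENTRY_GOOD)):
        print(check_dynamic_vlan(cfg, SHOW_VLAN, entry))
```

Run with python3 and it prints the (errors, warnings) pair first for the original setup (three errors: the missing authorization line, the "802" medium type, and the VLAN name in the wrong case, plus the VSA warning) and then for the fixed one (nothing). To use it on your own switch, paste the output of 'show vlan' and the running-config lines into the constants, or pass them to check_dynamic_vlan() directly.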
