Solved: C2960 with RADIUS

incotexbg · ‎07-27-2010

Hello, everyone!

I have a problem with dynamic VLAN assignment. The setup is basically the following:

Host - Switch - RADIUS Server

I have no problem authenticating, messages get through without any problems.

The thing is the switch doesn't seem to notice the additional info the RADIUS server provides, e.g. the [64] Tunnel-Type, [65] Tunnel-Medium-Type, and [81] Tunnel-Private-Group-ID.

Here is my sw configuration and some radius configuration

Current configuration : 1795 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Switch

!

boot-start-marker

boot-end-marker

!

aaa new-model

!

aaa authentication dot1x default group radius

!

aaa session-id common

system mtu routing 1500

ip subnet-zero

!

dot1x system-auth-control

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface GigabitEthernet0/2

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x violation-mode protect

!

interface GigabitEthernet0/3

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x violation-mode protect

!

interface Vlan1

ip address 10.2.1.4 255.255.255.0

no ip route-cache

!

ip http server

ip http secure-server

radius-server host 10.2.1.2 auth-port 1812 acct-port 1813

radius-server key testing123

!

control-plane

!

end

The VLANs are:

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4

Gi0/5, Gi0/6, Gi0/7, Gi0/8

Gi0/9, Gi0/10, Gi0/11, Gi0/12

Gi0/13, Gi0/14, Gi0/15, Gi0/16

Gi0/17, Gi0/18, Gi0/19, Gi0/20

Gi0/21, Gi0/22, Gi0/23, Gi0/24

2 MAN active

3 GRE active

4 BLU active

13 GUEST active

99 NATVIE active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

The RADIUS user is:

userc Cleartext-Password := "pass3"

Service-Type = Framed-User,

Tunnel-Medium-Type = "802",

Tunnel-Type = "VLAN",

Tunnel-Private-Group-Id = "GRE"

IOS Version 12.2(44)SE6

As you see, it's a pretty standard configuration and although the authentication itself works, the dynamic VLAN assignment doesn't.

Any ideas on what might solve the problem?

Javier Henderson · ‎07-27-2010

Add the following to your configuration and test again:

aaa authorization network default group radius

View solution in original post

Javier Henderson · ‎07-27-2010

Add the following to your configuration and test again:

aaa authorization network default group radius

incotexbg · ‎07-28-2010

Thank you very much for pointing that out! We have it working finally!

For anyone reading and searching the net on this topic, here's what works for me:

The FreeRADIUS Server is mostly with its default settings, apart from the things you have to change in order for mschapv2 authentication to work and this:

eap.conf -> copy_request_to_tunnel = yes

clients.conf -> client 10.2.1.4 {

secret = somesecret

shortname = blah_blah

nastype = cisco

}

users -> user Cleartext-Password := "pass"

Service-Type = Framed-User,

Tunnel-Medium-Type = "IEEE-802",

Tunnel-Type = "VLAN",

Tunnel-Private-Group-Id = 2

For the 'Tunnel-Private-Group-Id' attribute you can supply either the number of the VLAN or its NAME. It's case-sensitive and be sure to add the VLAN manually (or via VTP) to the switch before attempting dynamic assignment. The Tunnel-Medium-Type I use IEEE-802. Just "802" does not work, contrary to some internet articles.

For the IOS c2960-lanbasek9-mz.122-44.SE6, I use the following info:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1025133

all the way down to 'Configuring the Host Mode'. I had to enable the VSA functions or whatever it is with the radius-server vsa send authentication.

For the IOS c2960-lanbasek9-mz.122-53.SE2 I use this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_53_se/configuration/guide/sw8021x.html#wp1025133

all the way down to 'Configuring the Host Mode'. I had to enable the VSA functions or whatever it is with the radius-server vsa send authentication.

Thanks again and happy networking!!