07-27-2010 05:32 AM - edited 03-10-2019 05:17 PM
Hello, everyone!
I have a problem with dynamic VLAN assignment. The setup is basically the following:
Host - Switch - RADIUS Server
I have no problem authenticating, messages get through without any problems.
The thing is the switch doesn't seem to notice the additional info the RADIUS server provides, e.g. the [64] Tunnel-Type, [65] Tunnel-Medium-Type, and [81] Tunnel-Private-Group-ID.
Here is my switch configuration and some RADIUS configuration:
Current configuration : 1795 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
!
!
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/2
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
!
interface GigabitEthernet0/3
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
!
interface Vlan1
ip address 10.2.1.4 255.255.255.0
no ip route-cache
!
ip http server
ip http secure-server
radius-server host 10.2.1.2 auth-port 1812 acct-port 1813
radius-server key testing123
!
control-plane
!
!
!
end
The VLANs are:
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4
Gi0/5, Gi0/6, Gi0/7, Gi0/8
Gi0/9, Gi0/10, Gi0/11, Gi0/12
Gi0/13, Gi0/14, Gi0/15, Gi0/16
Gi0/17, Gi0/18, Gi0/19, Gi0/20
Gi0/21, Gi0/22, Gi0/23, Gi0/24
2 MAN active
3 GRE active
4 BLU active
13 GUEST active
99 NATVIE active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
07-27-2010 08:51 AM
Add the following to your configuration and test again:
aaa authorization network default group radius
07-28-2010 01:11 AM
Thank you very much for pointing that out! We have it working finally!
For anyone reading and searching the net on this topic, here's what works for me:
The FreeRADIUS server is mostly running with its default settings, apart from the things you have to change in order for MSCHAPv2 authentication to work, and this:
eap.conf ->
    copy_request_to_tunnel = yes
clients.conf ->
    client 10.2.1.4 {
        secret = somesecret
        shortname = blah_blah
        nastype = cisco
    }
users ->
    user Cleartext-Password := "pass"
        Service-Type = Framed-User,
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = 2
For the 'Tunnel-Private-Group-Id' attribute you can supply either the number of the VLAN or its NAME. It's case-sensitive, and be sure to add the VLAN manually (or via VTP) to the switch before attempting dynamic assignment. For the Tunnel-Medium-Type I use IEEE-802. Just "802" does not work, contrary to some internet articles.
For the IOS c2960-lanbasek9-mz.122-44.SE6, I use the following info:
all the way down to 'Configuring the Host Mode'. I had to enable the VSA functions or whatever it is with the radius-server vsa send authentication.
For the IOS c2960-lanbasek9-mz.122-53.SE2 I use this:
all the way down to 'Configuring the Host Mode'. I had to enable the VSA functions or whatever it is with the radius-server vsa send authentication.
Thanks again and happy networking!!
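As an added example (not code from the thread or from FreeRADIUS), here is a small checker that decodes the RFC 2868 tunnel attributes [64], [65] and [81] from the attribute area of a RADIUS Access-Accept and reports whether they form the trio a switch needs for dynamic VLAN assignment. The two sample payloads are constructed: the first mirrors the working reply above (VLAN 2), the second models the "802" mistake the reply warns about on the assumption that it ends up on the wire as the raw integer 802 rather than the named value IEEE-802 (6).

```python
# Added example, not from the thread: decode RFC 2868 tunnel attributes and
# check they form a usable dynamic-VLAN reply.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # RFC 3580 value for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # RFC 2868 value FreeRADIUS names "IEEE-802"

def avp(t, value):  # one attribute: type, length, value
    return bytes([t, len(value) + 2]) + value

def tagged_int(tag, n):  # tag octet + 3-octet big-endian value
    return bytes([tag]) + n.to_bytes(3, "big")

def parse_avps(payload):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    out, i = [], 0
    while i < len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((t, payload[i + 2:i + length]))
        i += length
    return out

def check_vlan_reply(payload):
    """Return (ok, detail): is there a consistent VLAN assignment in the reply?"""
    groups = {}
    for t, v in parse_avps(payload):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                raise ValueError("attribute %d must be 4 octets" % t)
            groups.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # a leading octet <= 0x1F is a tag; anything else is part of the string
            tag, s = (v[0], v[1:]) if v and v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = s.decode("ascii")
    for tag, a in groups.items():
        if a.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            return False, "tag %d: Tunnel-Type %s is not VLAN (13)" % (tag, a.get(TUNNEL_TYPE))
        if a.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            return False, "tag %d: Tunnel-Medium-Type %s is not IEEE-802 (6)" % (tag, a.get(TUNNEL_MEDIUM_TYPE))
        if not a.get(TUNNEL_PRIVATE_GROUP_ID):
            return False, "tag %d: Tunnel-Private-Group-Id missing" % tag
        return True, "VLAN %s" % a[TUNNEL_PRIVATE_GROUP_ID]
    return False, "no tunnel attributes in reply"

# Constructed samples: the working reply from the thread, and the "802" mistake.
GOOD_REPLY = (avp(TUNNEL_TYPE, tagged_int(0, 13)) + avp(TUNNEL_MEDIUM_TYPE, tagged_int(0, 6))
              + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"2"))
BAD_MEDIUM = (avp(TUNNEL_TYPE, tagged_int(0, 13)) + avp(TUNNEL_MEDIUM_TYPE, tagged_int(0, 802))
              + avp(TUNNEL_PRIVATE_GROUP_ID, b"2"))
```

Feed it the attribute bytes from a packet capture of the Access-Accept (everything after the 20-byte RADIUS header) to confirm what the server actually sent before looking at the switch side.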