07-27-2010 05:32 AM - edited 03-10-2019 05:17 PM
Hello, everyone!
I have a problem with dynamic VLAN assignment. The setup is basically the following:
Host - Switch - RADIUS Server
I have no problem authenticating, messages get through without any problems.
The thing is the switch doesn't seem to notice the additional info the RADIUS server provides, e.g. the [64] Tunnel-Type, [65] Tunnel-Medium-Type, and [81] Tunnel-Private-Group-ID.
Here is my switch configuration and some RADIUS configuration:
Current configuration : 1795 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication dot1x default group radius
!
!
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
dot1x system-auth-control
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/2
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
!
interface GigabitEthernet0/3
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
!
interface Vlan1
ip address 10.2.1.4 255.255.255.0
no ip route-cache
!
ip http server
ip http secure-server
radius-server host 10.2.1.2 auth-port 1812 acct-port 1813
radius-server key testing123
!
control-plane
!
!
!
end
The VLANs are:
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
2    MAN                              active
3    GRE                              active
4    BLU                              active
13   GUEST                            active
99   NATVIE                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
07-27-2010 08:51 AM
Add the following to your configuration and test again:
aaa authorization network default group radius
07-28-2010 01:11 AM
Thank you very much for pointing that out! We have it working finally!
For anyone reading and searching the net on this topic, here's what works for me:
The FreeRADIUS server is mostly left at its default settings, apart from the things you have to change in order for MSCHAPv2 authentication to work, and this:
eap.conf    -> copy_request_to_tunnel = yes

clients.conf -> client 10.2.1.4 {
                    secret    = somesecret
                    shortname = blah_blah
                    nastype   = cisco
                }

users       -> user    Cleartext-Password := "pass"
                       Service-Type = Framed-User,
                       Tunnel-Medium-Type = "IEEE-802",
                       Tunnel-Type = "VLAN",
                       Tunnel-Private-Group-Id = 2
For the 'Tunnel-Private-Group-Id' attribute you can supply either the number of the VLAN or its NAME. It's case-sensitive, and be sure to add the VLAN manually (or via VTP) to the switch before attempting dynamic assignment. For Tunnel-Medium-Type I use IEEE-802. Just "802" does not work, contrary to some internet articles.
For the IOS c2960-lanbasek9-mz.122-44.SE6, I use the following info:
all the way down to 'Configuring the Host Mode'. I had to enable the VSA functions or whatever it is with the 'radius-server vsa send authentication' command.
For the IOS c2960-lanbasek9-mz.122-53.SE2 I use this:
all the way down to 'Configuring the Host Mode'. I had to enable the VSA functions or whatever it is with the 'radius-server vsa send authentication' command.
Thanks again and happy networking!!
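The accepted answer (enable network authorization so the switch acts on the Access-Accept) and the follow-up (the three RFC 2868 tunnel attributes the RADIUS server must return) both hinge on the exact wire encoding of Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81). The script below is an added example, not code from the thread, Cisco or FreeRADIUS: it encodes the trio the way a RADIUS server would put them in an Access-Accept, and decodes an attribute list the way a NAS has to, so you can check a captured reply (the bytes after the 20-byte RADIUS header) when a port is not landing in the expected VLAN. The enumerations VLAN = 13 and IEEE-802 = 6 are RFC 2868 values, which is why the string "802" in the poster's experiments did not work; the tag handling follows RFC 2868 section 3.6. The rule that all three tags must match is this example's own strictness, assumed rather than taken from Cisco documentation; the sample packets are constructed inline.

```python
import struct

# RFC 2868 attribute types used for dynamic VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# RFC 2868 enumerations: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_tagged_integer(attr_type, value, tag=0):
    """Tagged integer attribute: Type, Length (always 6), Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < 2 ** 24:
        raise ValueError("tagged integer value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string attribute: Type, Length, Tag, then the string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    data = text.encode("ascii")
    length = 3 + len(data)
    if length > 255:
        raise ValueError("attribute too long for a one-byte length field")
    return struct.pack("!BBB", attr_type, length, tag) + data


def build_vlan_attributes(vlan, tag=0):
    """The three attributes a RADIUS server returns to place the port into `vlan`
    (a VLAN number or a case-sensitive VLAN name, both sent as a string)."""
    return (encode_tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def parse_attributes(data):
    """Walk a RADIUS attribute list (Type/Length/Value) into (type, raw value) pairs,
    rejecting truncated or self-overlapping attributes."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def decode_tagged_integer(raw):
    if len(raw) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return raw[0], int.from_bytes(raw[1:], "big")


def decode_tagged_string(raw):
    """RFC 2868 3.6: a first byte above 0x1F is part of the string, not a tag."""
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:].decode("ascii")
    return 0, raw.decode("ascii")


def vlan_from_access_accept(data):
    """Return the VLAN id/name a NAS would apply, or None when the trio is
    incomplete, Tunnel-Type is not VLAN, Tunnel-Medium-Type is not IEEE-802,
    or (this example's assumed rule) the three tags disagree."""
    found = {}
    for attr_type, raw in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = decode_tagged_integer(raw)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = decode_tagged_string(raw)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(t not in found for t in needed):
        return None
    if len({found[t][0] for t in needed}) != 1:
        return None
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        return None
    if found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    return found[TUNNEL_PRIVATE_GROUP_ID][1]


if __name__ == "__main__":
    # Constructed sample: the reply the poster's `users` entry produces (VLAN 2)
    accept = build_vlan_attributes(2)
    print(accept.hex(), "->", vlan_from_access_accept(accept))
    # Constructed sample of the failure mode: medium type 1 (IPv4) instead of IEEE-802
    broken = (encode_tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
              + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, 1)
              + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, "2"))
    print(broken.hex(), "->", vlan_from_access_accept(broken))
```

Feed `vlan_from_access_accept` the attribute bytes of a real Access-Accept (everything after the 20-byte header) and a `None` result pinpoints a server-side attribute problem, while a correct VLAN name with the port still stuck in VLAN 1 points back at the switch side, which is exactly the missing `aaa authorization network` case in the accepted answer.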