Here is what I am trying to do:
A Windows XP client is authenticating via 802.1x to a Cisco switch. The switch "talks" to an IAS RADIUS server (Microsoft). That works fine: the user can log in and the port opens up. Cisco developed a feature in a recent software release whereby the RADIUS server can also tell the switch what VLAN to place the freshly-authenticated port in (that's the part I can't get to work - the fact that I am totally new to RADIUS probably doesn't help either). I know that the switch expects the following parameters within the Access-Accept:
a) Tunnel-Type(#64)=VLAN (13)
b) Tunnel-Medium-Type(#65)=802 (6)
How can I define these parameters in IAS? I tried several things but none worked. If someone has experience, please let me know .... Thanx!
Thanx for your answer.
I tried that but I think I made mistakes because it
What I need to know is what I have to enter precisely:
- Which kind of attribute? Cisco AVPAIR or RADIUS vendor-specific attribute or something else?
- Which value in the field: Tunnel-Type(#64) or just 64 or just Tunnel-Type or just #64 or 13?
- Which value in the attribute format field? String, decimal or hexadecimal?
Thanx very much!!
OK! Forget my previous mail.
I found how to define the attributes in IAS.
But it's still not working. I can't find where I can change this flag you're talking about. Could you help me?
Ok ... Thanx ... I still do not find where to change this flag in IAS ....
Could you send me your switch configuration which works fine for VLAN assignment with 802.1x? It could help to see if I didn't make any error in mine.
Thanx very much!
Sorry, it works!
I just made a stupid mistake. I forgot the command "aaa authorization network default group radius".
No need to change a flag or something like that. IAS works fine. But it's not very easy to manage groups compared to ACS.
So, if you plan to do VLAN assignment with 802.1x, I advise using CiscoSecure ACS. If you just need to do 802.1x authentication, then IAS is great too!
I'm trying to use Win2003 IAS for 802.1x authentication. But the event log of IAS keeps giving me the error message "A malformed RADIUS message was received from client XXX. The data is the RADIUS message." I have checked that the RADIUS key is correct. Anyone know what the problem is?
denggi, did you have any luck in resolving this problem? I can get 802.1x working with a Cat3550 and Cisco ACS but when I try using Microsoft IAS I get a similar message to yours.
Any help would be great.
We have the same configuration as you, but the IAS RADIUS rejects the authentication request from the NAS (Cat 2959). Could you provide some tips (or printscreen) of your IAS config? Our config works fine with ACS 3.3 but we would like to migrate it to IAS.
Thanks for your reply!
A good guide! And remember the command:
aaa authentication dot1x default group radius
Configure IAS as your RADIUS server on the switch.
With my 3550 it works fine!
You are using IAS? If so, are you using vendor-specific attributes or Cisco avpairs? Anyone in a similar boat?
I cannot get this to work.
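
Added example, not written by any poster in this thread: a Python check that decodes the attributes of a RADIUS Access-Accept and reports whether it carries a complete VLAN assignment, which helps when comparing what IAS actually sends against what the switch expects. Tunnel-Type (#64) = 13 and Tunnel-Medium-Type (#65) = 6 are the values quoted in the thread; Tunnel-Private-Group-ID (#81) is taken from RFC 2868/RFC 3580 and is not mentioned above, and the function names and sample packet are constructed for illustration.

```python
import struct

# Attribute numbers: 64 and 65 are named in the thread; 81 is from RFC 2868/3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6

def build_attr(attr_type, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_sample_accept(vlan=None):
    """Constructed Access-Accept with a zeroed authenticator (not a capture)."""
    tagged = lambda n: b"\x00" + n.to_bytes(3, "big")  # tag octet + 24-bit value
    attrs = build_attr(TUNNEL_TYPE, tagged(VLAN))
    attrs += build_attr(TUNNEL_MEDIUM_TYPE, tagged(IEEE_802))
    if vlan is not None:
        attrs += build_attr(TUNNEL_PRIVATE_GROUP_ID, vlan.encode("ascii"))
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(attrs), bytes(16)) + attrs

def parse_attributes(packet):
    """Return (code, {type: value}); raise ValueError on inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("malformed RADIUS message: shorter than the header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("malformed RADIUS message: bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed RADIUS message: bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return code, attrs

def vlan_assignment(packet):
    """Return the VLAN string if the reply carries a complete assignment, else None."""
    code, attrs = parse_attributes(packet)
    t, m, g = (attrs.get(a) for a in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if code != ACCESS_ACCEPT or t is None or m is None or not g:
        return None
    if len(t) != 4 or len(m) != 4:
        return None
    if int.from_bytes(t[1:], "big") != VLAN or int.from_bytes(m[1:], "big") != IEEE_802:
        return None
    if g[0] <= 0x1F:  # optional leading tag octet on the string attribute
        g = g[1:]
    return g.decode("ascii")

if __name__ == "__main__":
    print(vlan_assignment(build_sample_accept("20")))
```

On the wire the two integer attributes are a tag octet followed by a 24-bit value, so Tunnel-Type = VLAN appears as the six bytes `40 06 00 00 00 0d`.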