My client PC is connected to a C2950 switch that is configured for 802.1X port authentication. The C2950 switch forwards the PC's authentication request to a Cisco ACS RADIUS server, version 3.2.
Which RADIUS attributes need to be set on the ACS RADIUS server to use VLAN assignment, what tags do I need to set (0, 1 or 2), and what values need to be set for these RADIUS attributes? Up to now I have found the following attributes in the documentation:
I tried these attributes, but it doesn't work.
The documentation does not specify the tags I should use.
Could someone help me out, please?
Those are the only 3 attributes needed. Make sure dot1x is globally enabled. I can't remember, does the 2950 run IOS-like code? If so, you can use debug aaa authe, debug radius, and debug dot1x all; this will tell you what the RADIUS server is passing back for the VLAN ID. Do you need to log onto a domain or run login scripts? If so, you're going to have a lot more problems. Are you running PEAP or MD5?
Thanks for the reply. The authentication of the user works fine, and I see the RADIUS server passing the VLAN info to the switch. But the debug dot1x output on the switch says "no VLAN".
Do you know the tags and values I have to use on the RADIUS server? Thanks!
Hello, I've succeeded in that. Here is enough config to run it properly:
! global configuration (aaa new-model is required before any aaa command)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization configuration default group radius
! a radius-server host and key pointing at the ACS must also be defined
! enable dot1x globally (dot1x system-auth-control), then the port commands
dot1x system-auth-control
dot1x timeout quiet-period 20
! interface-level configuration of the access port
switchport mode access
no ip address
dot1x port-control auto
On the ACS, in IETF RADIUS attributes:
 tag1 VLAN
 tag1 802
 tag1 11 (note, not vlan name)
It must work.
For 81 tag 1, I'm using the VLAN name adm2, and it works fine, although I'm still having problems with the Microsoft client and DHCP; I should have a patch from Microsoft in a couple of weeks.
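To make the tag question concrete, here is an added Python example (not from this thread, and not Cisco or ACS code) that encodes the three IETF tunnel attributes the replies describe as RFC 2868 tagged attributes, decodes them again, and checks whether a decoded Access-Accept actually yields a VLAN. The attribute numbers 64 (Tunnel-Type) and 65 (Tunnel-Medium-Type), the enumerated values 13 for VLAN and 6 for 802, and the tag-byte rules are taken from RFC 2868; the thread itself only names attribute 81. The sample attribute blobs are constructed inline, so no RADIUS traffic is involved.

```python
"""Encode and check the RFC 2868 tunnel attributes used for 802.1X VLAN assignment.

Added example for the thread above; attribute numbers and enumerated values
are from RFC 2868, the sample packets are constructed here.
"""
import struct

TUNNEL_TYPE = 64               # Tunnel-Type (RFC 2868)
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type (RFC 2868)
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID (RFC 2868), the one the thread names
TUNNEL_TYPE_VLAN = 13          # enumerated value shown as "VLAN" in the ACS UI
TUNNEL_MEDIUM_802 = 6          # enumerated value shown as "802"
MAX_TAG = 0x1F                 # RFC 2868: tag values 0x01..0x1F select a tunnel; 0 = no grouping


def encode_tagged_int(attr_type, tag, value):
    """Type | Length(6) | Tag | 3-byte integer (RFC 2868 tagged integer)."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integers carry only 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Type | Length | Tag | String (RFC 2868 tagged string)."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..31")
    data = text.encode("ascii")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def build_vlan_assignment(tag, vlan):
    """The three attributes from the thread, all carrying the same tag.

    `vlan` may be a numeric VLAN ID (11) or a VLAN name (adm2); attribute 81
    is a string either way, so both forms encode the same way.
    """
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_attributes(blob):
    """Split a RADIUS attribute blob into (type, tag, payload) tuples."""
    out = []
    i = 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        body = blob[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, payload = body[0], int.from_bytes(body[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is string data, not a tag
            if body and body[0] <= MAX_TAG:
                tag, payload = body[0], body[1:].decode("ascii")
            else:
                tag, payload = 0, body.decode("ascii")
        else:
            tag, payload = None, body
        out.append((atype, tag, payload))
        i += alen
    return out


def vlan_from_accept(blob):
    """Return the VLAN carried by a consistent attribute triple, or None.

    None is the "no VLAN" outcome: an attribute is missing, a value is not
    VLAN/802, or the three attributes do not share one tag (RFC 2868 groups
    attributes by tag, so mismatched tags describe different tunnels).
    """
    by_tag = {}
    for atype, tag, payload in parse_attributes(blob):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            by_tag.setdefault(tag, {})[atype] = payload
    for tag, attrs in sorted(by_tag.items()):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID)):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    good = build_vlan_assignment(1, 11)                      # tag 1, VLAN ID 11
    print(good.hex(), "->", vlan_from_accept(good))
    mixed = (encode_tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
             + encode_tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_802)
             + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 2, "11"))  # tag mismatch
    print(mixed.hex(), "->", vlan_from_accept(mixed))
```

The check models only the RFC 2868 grouping rule, not any vendor behaviour: attributes with different tags belong to different tunnel alternatives, so a tag mismatch between 64, 65 and 81 on the ACS side is worth ruling out before reading the switch-side debug output, and because 81 is a string, both the VLAN ID and the VLAN name forms mentioned in the thread encode identically.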
I have the same problem. I've tried all possible methods to dynamically assign an IP address to AAA clients, but it doesn't want to work. Debugging shows that the IP address, assigned either to the client itself or to the group the client belongs to, is passed successfully to the switch. What then? :(
Microsoft put out a patch today. I'm going to test it this week; it is supposed to renew the IP address after the user authenticates.
Mike, I searched through the Microsoft website but can't find the patch you mentioned. Can you help by pasting the name and URL of the patch? Thanks
Just emailed Microsoft; they said it isn't being released until tested, but if you contact Microsoft support, they can give you the hotfix, or email me at firstname.lastname@example.org
Can you share with me how you configure your 802.1x steps and what should be configured at the ACS?
Could you help? Thanks
Anything in particular? ACS is fairly easy: set the 3 attributes that it mentions in all the docs, and use the external NT database. If you are using login scripts, roaming profiles, or just about anything that you would use in a real network environment, you will need to use Active Directory, enable machine authentication, add a certificate to the local machine store, add a registry value called Supplicant Mode and set the value to 3, then add the Microsoft hotfix. I will post the Microsoft article reference number as soon as email starts working.
I trunk the Cisco 2950 with our core switch, so I gave it the IP 192.168.188.28. I assign this IP with the key name cisco and use it as Cisco (IETF). Am I right here?
I have an Active Directory which works fine on my wireless network with EAP-TLS & PEAP, but I can't figure out 802.1x in a point-to-point setting. Please advise which Microsoft patch I should apply.