Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Configuring 802.1X port-based authentication with VLAN assignment

My client-pc is connected to a C2950 switch that is configured for 802.1X port authentication. The C2950 switch forwards the pc authetication request to a Cisco ACS Radius server version 3.2.

Which RADIUS attributes need to be set on ACS Radius server to use VLAN assignment and what TAGs do I need to set (0,1 or 2) and what values need to be set for these radius attributes. Up to now I have found the following attributes in the documentation:

[64] Tunnel-Type=VLAN

[65] Tunnel-Medium=802

[81] Tunnel-Private-Group-ID=vlan-name

I tried these attributes but it doesn't work.

The documentation does not specify the TAGs I should use.

Could someone help me out please??

Thanks!!

Regards,

Tom

21 REPLIES
Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

those are the only 3 attributes needed, make sure dot1x is globally enabled, I can't remember, does the 2950 run ios like code, if so you can use debug aaa authe, debug radius, and debug dot1x all, this will tell you what radius server is passing back for vlan id. Do you need to log onto a domain or run login scripts, if so you're going to have a lot more problems. Are you running peap or md5.

Re: Configuring 802.1X port-based authentication with VLAN assig

Hi,

thanks for the reply. The authentication of the user works fine, and I see the RADIUS server passing the VLAN info to the switch. But the debug dot1x output on the switch says: no VLAN.

Do you know the tags and values I have to use on the radius server? Thanks!!

Regards,

Tom

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

did you put the correct vlan name, no vlan id, but the actual name.

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

Hello I've successed in that. here is config enough to run it properly:

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa authorization configuration default group radius

!

dot1x timeout quiet-period 20

!

!

interface FastEthernet0/2

switchport mode access

no ip address

dot1x port-control auto

spanning-tree portfast

!

On the ACS in IETF Radius attributes

[064] tag1 VLAN

[065] tag1 802

[081] tag1 11 (note, not vlan name)

It must work

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

for 81 tag 1, I'm using vlan name adm2, and it works fine, although still having problems with microsoft client and dhcp, should have a patch from microsoft in a couple of weeks.

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

I have the same problem.I've tried all possible methods to dynamically assign ip address to aaa

clients, but it doesn't want to work. Debugging shows that, ip address assigned either to client itself or to group client belongs to, passed successfully to the switch. What then ?:(

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

microsoft put out a patch today, I'm going to test it this week, it is supposed to renew ip address after user authenticates.

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

Mike, I search through Microsoft website but can't find the patch when you mentioned. Can you help to paste out the name and url of the patch? Thanks

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

just emailed microsoft, they said it isn't being released until tested, but if you contact microsoft support, they can give you the hot fix, or email me at jschooley@csc.com

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

Can U share with me how do U configure your 802.1x step and what should it be configure @ the ACS .

Could U help thanks

Regards

Mc

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

anything in particular? ACS is fairly easy, set the 3 attributes that it mentions in all the docs, and use external nt database. If you are using login scripts, roaming profiles, or just about anything that you would use in real network environment, you will need to use active directory, enable machine authentication, add a certificate to the local machine store, add a registry value called Supplicant Mode and set the value to 3, then add the microsoft hotfix. I will post the microsoft article reference number as soon as email starts working

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

I trunk the cisco 2950 with our core switch so I given the IP as 192.168.188.28, I assign this ip with the key name cisco use it as cisco (ITEF) am I right here

I've a active directory which work fine on my wireless network with EAP-TLS & PEAP. But I cant figure out on 802.1x on point to point setting please advise , which micorsoft patch should I patch

Thanks

Regards

Mc

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

have you set up the AAA commands and the radius server on the switch yet?

Community Member

Re: Configuring 802.1X port-based authentication with VLAN assig

Can U advise Please, which site provide step for me to follow thanks

Regards

MC

656
Views
0
Helpful
21
Replies
CreatePlease to create content