Cisco Support Community

Vendor specific in RADIUS NAP Enforcement

Hi All,

I am testing a lab environment to deploy NAP using Windows Server 2008 with the NAP role enabled and RADIUS referring to a 3560 access switch.

I can get authorized on my port:

interface FastEthernet0/11
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 spanning-tree portfast

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa nas port extended
no radius-server attribute nas-port
radius-server host auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 094F471A1A0A3743595F
radius-server vsa send accounting
radius-server vsa send authentication

And this is the network policy I have configured on the NPS server:

And for vendor specific:

I am asking what exactly is the value required to be written in this box?

I typed many values (9, 1, Cisco and finally Cisco-NAS-Port).

I am getting these debug messages:

ot1x_vlan_assign_authz_fail on interface FastEthernet
dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC
dot1x-ev:dot1x_vlan_assign_authz_fail on interface FastEthernet
dot1x-ev:No reply attributes received from AAA for 001c.2318.7971
Dec  3 22:29:50: dot1x-ev:Sending create new context event to EAP for 001c.2318.7971
.Dec  3 22:29:50: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
.Dec  3 22:29:50: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
.Dec  3 22:29:50: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC 001c.2318.7971 on interface FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_vlan_assign_client_deleted for 001c.2318.7971 on interface FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_vlan_assign_client_deleted: Ignoring client 001c.2318.7971 on FastEthernet0/11, domain is data
.Dec  3 22:29:50: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
.Dec  3 22:29:50: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
.Dec  3 22:29:50: dot1x-ev:Created a default authenticator instance on FastEthernet0/11

Actually I have been working on this task for 6 days and cannot get authenticated. Can anyone guide me through this task?

#show radius st
                                 Auth.      Acct.       Both
Maximum inQ length:                 NA         NA          1
Maximum waitQ length:               NA         NA          2
Maximum doneQ length:               NA         NA          1
Total responses seen:              572          0        572
Packets with responses:            572          0        572
Packets without responses:           2          0          2
Average response delay(ms):         15          0         15
Maximum response delay(ms):       1082          0       1082
Number of Radius timeouts:           8          0          8
Duplicate ID detects:                0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):       680          0        680
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:



aadi1-SW-4-24#show dot1x int fa0/11 d
Dot1x Info for FastEthernet0/11

PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Dot1x Authenticator Client List

Domain                    = DATA
Supplicant                = 001c.2318.7971
    Auth SM State         = HELD
    Auth BEND SM State    = IDLE
Port Status               = UNAUTHORIZED
ReAuthPeriod              = 3600
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 0
Authentication Method     = Dot1x


Mahmoud Abd El-Wahed


Vendor specific in RADIUS NAP Enforcement

Sorry for not uploading the images:


Vendor specific in RADIUS NAP Enforcement

Hi Mahmoud,

These are your VLAN assignment attributes that you have to use.

They are not vendor specific; they can be found as part of the default IETF dictionary.



**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
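
The reply above points to standard IETF attributes rather than a vendor-specific one. As an added example (not part of the original thread), this Python check parses a captured RADIUS Access-Accept and reports whether it carries the three attributes RFC 3580 defines for 802.1X VLAN assignment: Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID. The attribute names and numbers come from RFC 2868/3580, not from the thread; the function names and sample packets are constructed for illustration.

```python
# Attribute numbers and values from RFC 2868 / RFC 3580 (standard IETF dictionary).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
REQUIRED = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6}  # 13 = VLAN, 6 = IEEE-802
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type"}


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attribute TLVs after the 20-byte header."""
    if len(packet) < 20 or not 20 <= int.from_bytes(packet[2:4], "big") <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    length, attrs, pos = int.from_bytes(packet[2:4], "big"), {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        alen = packet[pos + 1]
        attrs.setdefault(packet[pos], packet[pos + 2:pos + alen])  # keep first instance
        pos += alen
    return attrs


def check_vlan_assignment(packet: bytes):
    """Return (vlan, problems); vlan is None unless all three attributes are valid."""
    attrs, problems = parse_attributes(packet), []
    if packet[0] != 2:  # RADIUS code 2 = Access-Accept
        problems.append("not an Access-Accept")
    for atype, want in REQUIRED.items():
        value = attrs.get(atype)
        if value is None:
            problems.append(f"{NAMES[atype]} missing")
        elif len(value) != 4 or int.from_bytes(value[1:], "big") != want:  # byte 0 = tag
            problems.append(f"{NAMES[atype]} is not {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:  # optional leading tag byte (RFC 2868)
        group = group[1:]
    if not group:
        problems.append("Tunnel-Private-Group-ID missing")
    return (None if problems else group.decode("ascii")), problems


def build(code: int, attrs) -> bytes:
    """Construct a sample packet (identifier 1, zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([code, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body


# Constructed samples: a correct Access-Accept, and one carrying only a Cisco VSA (26).
GOOD = build(2, [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"10")])
VSA_ONLY = build(2, [(26, b"\x00\x00\x00\x09\x01\x06test")])
```

`check_vlan_assignment(GOOD)` returns the VLAN string with no problems, while `VSA_ONLY` lists all three tunnel attributes as missing.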