03-29-2006 05:36 AM - edited 02-21-2020 12:48 AM
Using CTA 2.0 with supplicant I've got posture validation to work fine. The client connects to the switchport, posture validation is done and "healthy" pops up on the client. The switchport however is not assigned to the right VLAN. The port becomes a member of VLAN 1. I've checked and double checked everything but I don't understand why it is not working. I've created RACs on ACS4 and they get applied to the client. The RACs all have attribute 81 defined, but it is somehow not coming down to the client. When debugging dot1x events in the switch I can't see it coming either, while the port does get authenticated and is "healthy". Looking in the ACS passed authentications log it says clearly the RAC has been applied.
Does anybody have a clue what I am missing here?
A wild guess I had was that maybe the switch I am connecting the client to needs to be a VTP server?
Kind regards,
Rutger
03-29-2006 10:09 AM
Rutger,
Debug the radius process. You need to make sure that you have the following command in order to get the VLAN assignment to the switch:
aaa authorization network default group radius
take care,
Adam
03-29-2006 01:38 PM
You could also try setting ACS logging to MAX then looking in the CSRadius log file (CSRadius/Logs/RDS.log) to make sure ACS is actually sending the correct attributes.
RAC content can be overridden dynamically and this can cause confusion.
Darran
03-31-2006 04:23 AM
This is what the radius debug on the switch gives me:
015300: .Mar 31 12:21:32: RADIUS: EAP-login: length of eap packet = 4
015301: .Mar 31 12:21:32: RADIUS: Tunnel-MType, [01] 00 00 06
015302: .Mar 31 12:21:32: RADIUS: TAS(1) created and enqueued.
015303: .Mar 31 12:21:32: RADIUS: Tunnel-GID, [01] public
015304: .Mar 31 12:21:32: RADIUS: Tunnel-Type, [01] 00 00 0D
015305: .Mar 31 12:21:32: RADIUS: cisco AVPair ":posture-token=Healthy"
015306: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 16
015307: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 17
015308: .Mar 31 12:21:32: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=13
015309: .Mar 31 12:21:32: RADIUS: free TAS(1)
015310: .Mar 31 12:21:32: RADIUS: no appropriate authorization type for user.
015311: .Mar 31 12:21:32: RADIUS: ustruct sharecount=3
015312: .Mar 31 12:21:32: RADIUS: Sent class "CACS:a/f5a8/aff004c/anonymous" at 80DFD7BF from user 80E61F58
Seems to be something wrong with the authorization part?
Rutger
04-06-2006 12:56 PM
Rutger,
What version of IOS are you running on the switch? If you have the aaa authorization command in the config, consider upgrading to a more recent version of the IOS. What switching platform are you using?
Adam
04-06-2006 10:53 PM
Hello,
I'm testing against a 2950-48 switch with IOS 12.1(22)EA7.
The aaa config in the switch looks like this:
Global:
aaa group server radius acs_radius
server 192.168.1.10 auth-port 1812 acct-port 1813
aaa authentication dot1x default group acs_radius
aaa authorization network default group radius if-authenticated
aaa accounting dot1x default start-stop group acs_radius
dot1x system-auth-control
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key xxxx
Interface:
interface FastEthernet0/25
switchport mode access
no logging event link-status
no snmp trap link-status
dot1x port-control auto
dot1x timeout reauth-period server
dot1x reauthentication
spanning-tree portfast
end
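Tying the two posts above together (the "debug radius" output and the switch config just posted), here is an added diagnostic script that is not part of this thread and not a Cisco tool. It parses the tagged tunnel attributes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) out of IOS "debug radius" lines, checks them against the values a VLAN assignment needs (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, both from RFC 2868), flags the "no appropriate authorization type" message, and audits the global AAA lines for the authorization command Adam mentioned. The embedded sample debug and config text are constructed copies of the lines quoted in the thread; the function names and the exact wording of the findings are my own assumptions.

```python
import re

# Constructed copy of the "debug radius" lines quoted earlier in the thread,
# embedded so the script runs offline.
SAMPLE_DEBUG = """\
015300: .Mar 31 12:21:32: RADIUS: EAP-login: length of eap packet = 4
015301: .Mar 31 12:21:32: RADIUS: Tunnel-MType, [01] 00 00 06
015302: .Mar 31 12:21:32: RADIUS: TAS(1) created and enqueued.
015303: .Mar 31 12:21:32: RADIUS: Tunnel-GID, [01] public
015304: .Mar 31 12:21:32: RADIUS: Tunnel-Type, [01] 00 00 0D
015305: .Mar 31 12:21:32: RADIUS: cisco AVPair ":posture-token=Healthy"
015306: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 16
015307: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 17
015308: .Mar 31 12:21:32: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=13
015309: .Mar 31 12:21:32: RADIUS: free TAS(1)
015310: .Mar 31 12:21:32: RADIUS: no appropriate authorization type for user.
015311: .Mar 31 12:21:32: RADIUS: ustruct sharecount=3
015312: .Mar 31 12:21:32: RADIUS: Sent class "CACS:a/f5a8/aff004c/anonymous" at 80DFD7BF from user 80E61F58
"""

# Constructed copy of the global AAA lines from the switch config posted above.
SAMPLE_CONFIG = """\
aaa group server radius acs_radius
 server 192.168.1.10 auth-port 1812 acct-port 1813
aaa authentication dot1x default group acs_radius
aaa authorization network default group radius if-authenticated
aaa accounting dot1x default start-stop group acs_radius
dot1x system-auth-control
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key xxxx
"""

TUNNEL_TYPE_VLAN = 13    # RFC 2868 Tunnel-Type (64) value for VLAN
TUNNEL_MEDIUM_802 = 6    # RFC 2868 Tunnel-Medium-Type (65) value for IEEE 802

# IOS prints tagged tunnel attributes as "<name>, [<tag>] <value>"; integer values
# appear as hex octets ("00 00 0D"), the group id as a plain string.
_TUNNEL_RE = re.compile(r"RADIUS: (Tunnel-Type|Tunnel-MType|Tunnel-GID), \[(\d+)\] (.+)$")


def parse_tunnel_attrs(debug_text):
    """Return {tag: {attr: value}} for the tunnel attributes seen in debug output."""
    groups = {}
    for line in debug_text.splitlines():
        m = _TUNNEL_RE.search(line)
        if not m:
            continue
        attr, tag, raw = m.group(1), int(m.group(2)), m.group(3).strip()
        value = raw if attr == "Tunnel-GID" else int(raw.replace(" ", ""), 16)
        groups.setdefault(tag, {})[attr] = value
    return groups


def check_vlan_assignment(debug_text):
    """Diagnose why a RADIUS-supplied VLAN was not applied.
    Returns (vlan, problems, notes); vlan is the Tunnel-Private-Group-ID or None."""
    problems, notes = [], []
    vlan_sets = [g for g in parse_tunnel_attrs(debug_text).values()
                 if g.get("Tunnel-Type") == TUNNEL_TYPE_VLAN]
    if not vlan_sets:
        problems.append("no tagged attribute set with Tunnel-Type=13 (VLAN) in the Access-Accept")
        return None, problems, notes
    g = vlan_sets[0]
    if g.get("Tunnel-MType") != TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type (65) is not 6 (IEEE 802)")
    vlan = g.get("Tunnel-GID")
    if vlan is None:
        problems.append("Tunnel-Private-Group-ID (81) missing from the VLAN attribute set")
    elif not vlan.isdigit():
        notes.append(f"VLAN is given by name '{vlan}'; a VLAN with exactly that name must exist on the switch")
    if "no appropriate authorization type for user" in debug_text:
        problems.append("switch reported 'no appropriate authorization type for user': check "
                        "'aaa authorization network' and whether the IOS image supports 802.1x VLAN assignment")
    return vlan, problems, notes


def audit_aaa_config(config_text):
    """Check the global AAA lines needed before the switch honours a RADIUS VLAN.
    Returns a list of problems; an empty list means nothing obvious is missing."""
    lines = [l.strip() for l in config_text.splitlines()]
    problems = []
    if "dot1x system-auth-control" not in lines:
        problems.append("missing 'dot1x system-auth-control'")
    # Named groups are defined with "aaa group server radius <name>"; "radius" itself is
    # the built-in group containing every radius-server host.
    defined = {l.split()[4] for l in lines if l.startswith("aaa group server radius ")}
    authz = [l for l in lines if l.startswith("aaa authorization network default ")]
    if not authz:
        problems.append("missing 'aaa authorization network default group <radius-group>'")
        return problems
    m = re.search(r"group (\S+)", authz[0])
    if not m:
        problems.append("'aaa authorization network default' does not reference a server group")
    elif m.group(1) != "radius" and m.group(1) not in defined:
        problems.append(f"authorization references undefined server group '{m.group(1)}'")
    return problems


if __name__ == "__main__":
    print("debug:", check_vlan_assignment(SAMPLE_DEBUG))
    print("config:", audit_aaa_config(SAMPLE_CONFIG))
```

Run against the thread's own lines, the parser finds a complete VLAN attribute set under tag 1 (type 13, medium 6, group id "public"), so the Access-Accept itself is not the problem; the one finding is the switch's own "no appropriate authorization type" message, and the config audit passes because "group radius" is the built-in group, which points at the IOS image rather than at ACS.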
12-11-2006 02:42 PM
We have the same problem. Today I posted the same question.
How did you resolve this problem?
Thanks and regards
12-12-2006 05:17 AM
I changed the IOS and all works fine. The IOS must have the feature "NAC - L2 IEEE 802.1x".
12-12-2006 11:54 AM
Good news! What version of IOS are you running?
Regards,
Rutger