NAC L2 802.1x VLAN assignment

Rutger Blom
Level 1

Using CTA 2.0 with supplicant I've got posture validation to work fine. The client connects to the switchport, posture validation is done and "healthy" pops up on the client. The switchport however is not assigned to the right VLAN. The port becomes a member of VLAN 1. I've checked and double checked everything but I don't understand why it is not working. I've created RACs on ACS4 and they get applied to the client. The RACs all have attribute 81 defined, but it is somehow not coming down to the client. When debugging dot1x events on the switch I can't see it coming either, while the port does get authenticated and is "healthy". Looking in the ACS passed authentications log it says clearly the RAC has been applied.

Does anybody have a clue what I am missing here?

A wild guess I had was that maybe the switch I am connecting the client to needs to be a VTP server?

Kind regards,

Rutger

8 Replies

abz
Level 1

Rutger,

Debug the RADIUS process. You need to make sure that you have the following command in order to get the VLAN assignment to the switch:

aaa authorization network default group radius

take care,

Adam

You could also try setting ACS logging to MAX then looking in the CSRadius log file (CSRadius/Logs/RDS.log) to make sure ACS is actually sending the correct attributes.

RAC content can be overridden dynamically and this can cause confusion.

Darran

This is what the radius debug on the switch gives me:

015300: .Mar 31 12:21:32: RADIUS: EAP-login: length of eap packet = 4
015301: .Mar 31 12:21:32: RADIUS: Tunnel-MType, [01] 00 00 06
015302: .Mar 31 12:21:32: RADIUS: TAS(1) created and enqueued.
015303: .Mar 31 12:21:32: RADIUS: Tunnel-GID, [01] public
015304: .Mar 31 12:21:32: RADIUS: Tunnel-Type, [01] 00 00 0D
015305: .Mar 31 12:21:32: RADIUS: cisco AVPair ":posture-token=Healthy"
015306: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 16
015307: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 17
015308: .Mar 31 12:21:32: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=13
015309: .Mar 31 12:21:32: RADIUS: free TAS(1)
015310: .Mar 31 12:21:32: RADIUS: no appropriate authorization type for user.
015311: .Mar 31 12:21:32: RADIUS: ustruct sharecount=3
015312: .Mar 31 12:21:32: RADIUS: Sent class "CACS:a/f5a8/aff004c/anonymous" at 80DFD7BF from user 80E61F58

Seems to be something wrong with the authorization part?

Rutger
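The debug excerpt above already contains everything a troubleshooter needs to separate "ACS did not send the VLAN" from "the switch received it but did not apply it". The following parser is an added example (not code from the thread or from Cisco): it reads the quoted debug lines, decodes the three tunnel attributes that carry a RADIUS VLAN assignment (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = the VLAN name or number), picks up the posture token, and flags the "no appropriate authorization type for user" message. The log text is a constructed copy of the excerpt; the function and finding names are the example's own.

```python
import re

# Constructed copy of the "debug radius" excerpt quoted in the thread.
DEBUG_LINES = """\
015300: .Mar 31 12:21:32: RADIUS: EAP-login: length of eap packet = 4
015301: .Mar 31 12:21:32: RADIUS: Tunnel-MType, [01] 00 00 06
015302: .Mar 31 12:21:32: RADIUS: TAS(1) created and enqueued.
015303: .Mar 31 12:21:32: RADIUS: Tunnel-GID, [01] public
015304: .Mar 31 12:21:32: RADIUS: Tunnel-Type, [01] 00 00 0D
015305: .Mar 31 12:21:32: RADIUS: cisco AVPair ":posture-token=Healthy"
015306: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 16
015307: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 17
015308: .Mar 31 12:21:32: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=13
015309: .Mar 31 12:21:32: RADIUS: free TAS(1)
015310: .Mar 31 12:21:32: RADIUS: no appropriate authorization type for user.
015311: .Mar 31 12:21:32: RADIUS: ustruct sharecount=3
"""

# Standard RADIUS values (RFC 2868 / RFC 3580) for a VLAN assignment.
TUNNEL_TYPE_VLAN = 13      # attribute 64
TUNNEL_MEDIUM_802 = 6      # attribute 65
AUTHZ_ERROR_TEXT = "no appropriate authorization type for user"

# "[01]" in the debug output is the tunnel tag; the bytes after it are the value.
_HEX = r"([0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)\s*$"
_RE_TTYPE = re.compile(r"Tunnel-Type, \[(\d+)\] " + _HEX)
_RE_MTYPE = re.compile(r"Tunnel-MType, \[(\d+)\] " + _HEX)
_RE_GID = re.compile(r"Tunnel-GID, \[(\d+)\] (\S+)")
_RE_POSTURE = re.compile(r"posture-token=(\w+)")


def _hex_to_int(hexbytes):
    return int(hexbytes.replace(" ", ""), 16)


def parse_radius_debug(text):
    """Extract the VLAN-related attributes and error state from debug radius output."""
    parsed = {"tunnel_type": None, "tunnel_medium": None, "vlan": None,
              "tag": None, "posture": None, "authz_error": False}
    for line in text.splitlines():
        if m := _RE_TTYPE.search(line):
            parsed["tunnel_type"] = _hex_to_int(m.group(2))
        elif m := _RE_MTYPE.search(line):
            parsed["tunnel_medium"] = _hex_to_int(m.group(2))
        elif m := _RE_GID.search(line):
            parsed["tag"] = int(m.group(1))
            parsed["vlan"] = m.group(2)
        elif m := _RE_POSTURE.search(line):
            parsed["posture"] = m.group(1)
        elif AUTHZ_ERROR_TEXT in line:
            parsed["authz_error"] = True
    return parsed


def check_vlan_assignment(parsed):
    """Return human-readable findings; an empty list means the exchange looks healthy."""
    findings = []
    if parsed["tunnel_type"] != TUNNEL_TYPE_VLAN:
        findings.append("server did not send Tunnel-Type=VLAN(13)")
    if parsed["tunnel_medium"] != TUNNEL_MEDIUM_802:
        findings.append("server did not send Tunnel-Medium-Type=IEEE-802(6)")
    if parsed["vlan"] is None:
        findings.append("server did not send Tunnel-Private-Group-ID (the VLAN)")
    if parsed["authz_error"]:
        # Attributes arrived but the switch refused to apply them: look at the
        # switch side (aaa authorization network, IOS feature support), not at ACS.
        findings.append("switch reported '%s': attributes received but not applied; "
                        "check 'aaa authorization network' and IOS NAC support"
                        % AUTHZ_ERROR_TEXT)
    return findings


if __name__ == "__main__":
    result = parse_radius_debug(DEBUG_LINES)
    print(result)
    for finding in check_vlan_assignment(result):
        print("-", finding)
```

Run against the thread's excerpt it reports a complete VLAN triple (13, 6, "public") plus the single authorization finding, which is the same conclusion Rutger draws: ACS is sending the RAC, the switch is the side that is not applying it.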

Rutger,

What version of IOS are you running on the switch? If you have the aaa authorization command in the config, consider upgrading to a more recent version of the IOS. What switching platform are you using?

Adam

Hello,

I'm testing against a 2950-48 switch with IOS 12.1(22)EA7.

The aaa config in the switch looks like this:

Global:

aaa group server radius acs_radius
 server 192.168.1.10 auth-port 1812 acct-port 1813
aaa authentication dot1x default group acs_radius
aaa authorization network default group radius if-authenticated
aaa accounting dot1x default start-stop group acs_radius
dot1x system-auth-control
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key xxxx

Interface:

interface FastEthernet0/25
 switchport mode access
 no logging event link-status
 no snmp trap link-status
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
 spanning-tree portfast
end
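A small sanity check over this kind of configuration is a useful thing to keep next to the RADIUS debug. The following linter is an added example (not from the thread or from Cisco): it reads the quoted IOS fragment and verifies the items the replies above point at, namely that `aaa authorization network default group ...` is present and names an existing server group (`radius` is IOS's built-in group of all `radius-server host` entries), that `dot1x system-auth-control` is enabled, and that each interface has `dot1x port-control auto`. The configuration text is a constructed copy of the quoted one with the shared secret replaced by a placeholder; the function and message wording are the example's own. For the thread's config it returns only an informational note that authentication uses `acs_radius` while authorization uses the built-in `radius` group, which is worth confirming but is not what the thread identifies as the cause (an IOS upgrade fixed it).

```python
import re

# Constructed copy of the switch configuration quoted in the thread (secret replaced).
SWITCH_CONFIG = """\
aaa group server radius acs_radius
 server 192.168.1.10 auth-port 1812 acct-port 1813
aaa authentication dot1x default group acs_radius
aaa authorization network default group radius if-authenticated
aaa accounting dot1x default start-stop group acs_radius
dot1x system-auth-control
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_SECRET
interface FastEthernet0/25
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
 spanning-tree portfast
end
"""

_RE_GROUP = re.compile(r"^aaa group server radius (\S+)")
_RE_AUTHN = re.compile(r"^aaa authentication dot1x default group (\S+)")
_RE_AUTHZ = re.compile(r"^aaa authorization network default group (\S+)")
_RE_IFACE = re.compile(r"^interface (\S+)")


def lint_dot1x_vlan_config(config):
    """Return a list of 'LEVEL: message' findings for RADIUS VLAN assignment prerequisites."""
    groups = {"radius"}          # built-in group: every configured radius-server host
    authn_group = authz_group = None
    has_authz = has_sysauth = False
    port_control = {}            # interface name -> has 'dot1x port-control auto'
    current_iface = None

    for raw in config.splitlines():
        line = raw.rstrip()
        if m := _RE_GROUP.match(line):
            groups.add(m.group(1))
        elif m := _RE_AUTHN.match(line):
            authn_group = m.group(1)
        elif m := _RE_AUTHZ.match(line):
            has_authz, authz_group = True, m.group(1)
        elif line == "dot1x system-auth-control":
            has_sysauth = True
        elif m := _RE_IFACE.match(line):
            current_iface = m.group(1)
            port_control[current_iface] = False
        elif current_iface and line.strip() == "dot1x port-control auto":
            port_control[current_iface] = True

    findings = []
    if not has_authz:
        findings.append("ERROR: 'aaa authorization network default group ...' is missing; "
                        "the switch will not apply RADIUS VLAN attributes without it")
    elif authz_group not in groups:
        findings.append("ERROR: authorization references undefined server group '%s'" % authz_group)
    if not has_sysauth:
        findings.append("ERROR: 'dot1x system-auth-control' is missing")
    if authn_group and authz_group and authn_group != authz_group:
        findings.append("INFO: authentication uses group '%s' but authorization uses '%s'; "
                        "confirm both resolve to the same RADIUS server" % (authn_group, authz_group))
    for iface, ok in port_control.items():
        if not ok:
            findings.append("WARN: %s has no 'dot1x port-control auto'" % iface)
    return findings


if __name__ == "__main__":
    for finding in lint_dot1x_vlan_config(SWITCH_CONFIG):
        print(finding)
```

The checker deliberately reports the missing authorization line as an error rather than a warning, because that is the one prerequisite the thread confirms: without it the switch authenticates the port but never consults the returned attributes.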

mmoranzo
Level 1

We have the same problem. Today I posted the same question.

How did you resolve this problem?

Thanks and regards

I changed the IOS and everything works fine. The IOS must have the feature "NAC - L2 IEEE 802.1x".

Good news! What version of IOS are you running?

Regards,

Rutger
