Cisco Support Community

New Member

802.1x with vlan assignment

Hello,

I am trying to set up 802.1x with VLAN assignment. I have successfully gotten authentication to work, but the VLAN assignment does not get applied. I have tried this on a CE500 and a WS2950-12; both experience the same problem.

If I "debug dot1x all" I get some messages about "dot1x-ev:Received VLAN Id -1", if I packet capture on my radius server I can see that the correct attribute pairs are going out. Nothing in the notes says that 802.1x with dynamic VLANs won't work.

Attribute Value Pairs

AVP: l=6 t=Framed-Protocol(7): PPP(1)

AVP: l=6 t=Service-Type(6): Framed-User(2)

AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)

AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)

AVP: l=6 t=EAP-Message(79) Last Segment[1]

AVP: l=46 t=Class(25): 53F9068C00000137000102000A011E630000000000000000...

AVP: l=14 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=51 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=58 t=Vendor-Specific(26) v=Microsoft(311)

AVP: l=18 t=Message-Authenticator(80): 33B53112C51B15C40BFBDCE687F4C9C4

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: 802.1x with vlan assignment

Please check if all 3 of these attributes are set correctly on the Radius server:

AVP: l=6 t=Tunnel-Medium-Type(65): Unknown(16777222)

AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

AVP: l=6 t=Tunnel-Type(64): Unknown(16777229)

It seems like only the Tunnel-Private-Group-Id is set, not the other two.

cfr. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
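
Added example (not part of the original thread or of Cisco's documentation): the `Unknown(16777222)` and `Unknown(16777229)` values in the capture are undecoded 32-bit fields, which RFC 2868 defines as a one-octet tag followed by a three-octet value. The Python sketch below parses the tunnel attributes from constructed bytes that mirror the capture and checks for the triplet RFC 3580 specifies for VLAN assignment; the function names and the sample buffer are assumptions made for illustration.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81   # RADIUS attribute types
VLAN, IEEE_802 = 13, 6   # values RFC 3580 specifies for VLAN assignment

def split_tagged(raw):
    """Split a tagged 32-bit field shown undecoded (e.g. 16777229) into (tag, value)."""
    return raw >> 24, raw & 0xFFFFFF

def parse_tunnel_avps(buf):
    """Walk RADIUS attribute TLVs and return {tag: {attr_type: value}} for tunnel attributes."""
    groups, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        val, i = buf[i + 2:i + alen], i + alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            if len(val) != 4:
                raise ValueError(f"attribute {atype} must carry 4 octets")
            tag, value = split_tagged(int.from_bytes(val, "big"))
        elif atype == TUNNEL_PGID:
            # String attribute: the first octet is a tag only when it is 0x01..0x1F.
            if val and 0x01 <= val[0] <= 0x1F:
                tag, value = val[0], val[1:].decode("ascii")
            else:
                tag, value = 0, val.decode("ascii")
        else:
            continue   # not a tunnel attribute
        groups.setdefault(tag, {})[atype] = value
    return groups

def vlan_assignment(groups):
    """Return the VLAN from the first tag group holding the complete triplet, else None."""
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == VLAN and g.get(TUNNEL_MEDIUM) == IEEE_802
                and TUNNEL_PGID in g):
            return g[TUNNEL_PGID]
    return None

# Constructed attribute bytes mirroring the capture: Service-Type, then the three tunnel AVPs.
SAMPLE = (bytes([6, 6, 0, 0, 0, 2]) + bytes([65, 6, 1, 0, 0, 6])
          + bytes([81, 5, 1]) + b"20" + bytes([64, 6, 1, 0, 0, 13]))

if __name__ == "__main__":
    print(split_tagged(16777222), split_tagged(16777229))
    print(vlan_assignment(parse_tunnel_avps(SAMPLE)))
```

The three attributes only count as one tunnel when they carry the same tag, which is why the check groups by tag before comparing values.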

2 REPLIES
New Member

Re: 802.1x with vlan assignment

I was finally able to make vlan assignment work on the WS2950-12, but it still does not work on the CE500.

Running "debug dot1x all" on the CE500 web CLI does not show any logging of "dot1x-ev:Received VLAN Id -1" like the WS2950-12 did. This leads me to believe that the CE500 does not support 802.1x VLAN assignment even though I cannot find any documentation saying that.
