topic Re: NAC - NPS + 9200 switches and Dynamic VLAN assigment in Network Access Control

NAC - NPS + 9200 switches and Dynamic VLAN assigment

IPhoneRZ — Tue, 21 Jun 2022 09:31:26 GMT

hello

I read many tutorials how to configure NPS + IOS for dynamic VLAN assignment, but all of these tutorials are how to authorize and assign VLAN based on user Group in AD.

But I would like to assign VLAN based on PC in AD PC Group.

1.Is tis possible 🙂 ??

If yes, this is my log

*Jun 21 08:32:20.861: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/40, changed state to down
*Jun 21 08:32:28.834: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (b445.064d.6b4a) with reason (Cred Fail) on Interface Gi1/0/40 AuditSessionID 83AD2C0A000000148564408D Username: host/PC-049.testdoamin.com
*Jun 21 08:32:28.834: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (b445.064d.6b4a) on Interface GigabitEthernet1/0/40 AuditSessionID 83AD2C0A000000148564408D. Failure reason: Authc fail. Authc failure reason: Cred Fail.
*Jun 21 08:32:30.765: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/40, changed state to up
*Jun 21 08:32:31.765: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/40, changed state to up

in NPS I have policy defined

On PC network card there is dot1x enabled and PEAP selected

Thanks

Re: NAC - NPS + 9200 switches and Dynamic VLAN assigment

IPhoneRZ — Tue, 21 Jun 2022 09:39:09 GMT

sorry,

I forgot to put Cisco config

aaa new-model
radius server NPS
address ipv4 10.184.35.11 auth-port 1812 acct-port 1813
key .........

aaa group server radius RADIUS_TEST
server name NPS

no aaa authentication login default local
aaa authentication dot1x default group RADIUS_TEST
aaa authorization network default group RADIUS_TEST if-authenticated

dot1x system-auth-control
dot1x guest-vlan supplicant

int gig1/0/40
switchport mode access
dot1x port-control auto
dot1x pae authenticator
dot1x guest-vlan 99

Re: NAC - NPS + 9200 switches and Dynamic VLAN assigment

balaji.bandi — Tue, 21 Jun 2022 09:45:47 GMT

sessmgrd: Authorization failed or unapplied for client

how is your switch port config on the switch, what version of IOS XE running cat 9200 ?

check this thread may help you :

https://community.cisco.com/t5/switching/802-1x-configure-wired-802-1x-with-nps/td-p/3720361

Re: NAC - NPS + 9200 switches and Dynamic VLAN assigment

IPhoneRZ — Tue, 21 Jun 2022 10:00:45 GMT

hello

Port configuration is

int gig1/0/40
switchport mode access
dot1x port-control auto
dot1x pae authenticator
dot1x guest-vlan 99

SW version is 17.03.04

Thanks

Re: NAC - NPS + 9200 switches and Dynamic VLAN assigment

balaji.bandi — Tue, 21 Jun 2022 10:13:05 GMT

I take this as Wired client testing rigt (not Wireless)

hope you trying 802.1x with Cert authentication not MAB right ?

suggested config :

spanning-tree portfast
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
switchport access vlan XX
switchport mode access
switchport voice vlan XX
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server

Re: NAC - NPS + 9200 switches and Dynamic VLAN assigment

IPhoneRZ — Tue, 21 Jun 2022 10:54:01 GMT

hello

@balaji.bandi , thanks for the link in the first post:) i didn't have Cert enrolled on NPS Server (it's separated server from AD)

I created few more AD groups and VLANs. I added my PC to different groups and i received correct VLAN dynamically - it's working.

One thing left I think , when I removed my PC from any AD group created for VLAN Assigment, i recived authen / authori failed as in the first post - but I would like that guest VLAN will be assign when PC is not in dedicated group, possible ??

BTW

I tried understand Your switch port config, and could You please describe why these command if dynamic vlan assigment ??

switchport access vlan XX
...
switchport voice vlan XX

and lite describe purpose of these command 🙂

access-session closed
authentication periodic
authentication timer reauthenticate server

Thanks