https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587775#M806823 <HTML><HEAD></HEAD><BODY><P>We have the same problem. Today I post the same question. </P><P></P><P>How did you resolve this problem? </P><P></P><P>Thanks and regards</P></BODY></HTML> Mon, 11 Dec 2006 22:42:20 GMT mmoranzo 2006-12-11T22:42:20Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587769#M806817 <P>Using CTA 2.0 with supplicant I've got posture validation to work fine. The client connects to the switchport, posture validation is done and "healthy" pops up on the client. The switchport however is not assigned to the right VLAN. The port gets member in VLAN 1. I've checked and double checked everything but I don't understand why it is not working. I've created RACs on ACS4 and they get applied to the client. The RACs have all have attribute 81 defined, but its is somehow not coming down to the client. When debugging dot1x events in the switch I can't see it coming either while the port does get authenticated and is "healthy". Looking in the ACS passed authentications log it says clearly the RAC has been applied.</P><P></P><P>Does anybody have a clue what I am missing here?</P><P></P><P>A wild guess I had was that maye the switch I am connecting the client to needs to be a vtp server?</P><P></P><P>Kind regards,</P><P>Rutger </P> Fri, 21 Feb 2020 08:48:25 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587769#M806817 Rutger Blom 2020-02-21T08:48:25Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587770#M806818 <HTML><HEAD></HEAD><BODY><P>Rutger,</P><P></P><P>debug the radius process. you need to make sure that you have the following command in order to get the vlan assignment to the switch: </P><P>aaa authorization network default group radius</P><P></P><P>take care,</P><P>Adam</P><P></P></BODY></HTML> Wed, 29 Mar 2006 18:09:46 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587770#M806818 abz 2006-03-29T18:09:46Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587771#M806819 <HTML><HEAD></HEAD><BODY><P>You could also try setting ACS logging to MAX then looking in the CSRadius log file (CSRadius/Logs/RDS.log) to make sure ACS is actually sending the correct attributes.</P><P></P><P>RAC content can be overriden dynamically and this can cause confusion.</P><P></P><P>Darran</P></BODY></HTML> Wed, 29 Mar 2006 21:38:29 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587771#M806819 darpotter 2006-03-29T21:38:29Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587772#M806820 <HTML><HEAD></HEAD><BODY><P>This is what the radius debug on the switch gives me:</P><P></P><P>015300: .Mar 31 12:21:32: RADIUS: EAP-login: length of eap packet = 4</P><P>015301: .Mar 31 12:21:32: RADIUS: Tunnel-MType, [01] 00 00 06</P><P>015302: .Mar 31 12:21:32: RADIUS: TAS(1) created and enqueued.</P><P>015303: .Mar 31 12:21:32: RADIUS: Tunnel-GID, [01] public</P><P>015304: .Mar 31 12:21:32: RADIUS: Tunnel-Type, [01] 00 00 0D</P><P>015305: .Mar 31 12:21:32: RADIUS: cisco AVPair ":posture-token=Healthy"</P><P>015306: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 16</P><P>015307: .Mar 31 12:21:32: RADIUS: unrecognized Microsoft VSA type 17</P><P>015308: .Mar 31 12:21:32: RADIUS: TAS(1) takes precedence over tagged attributes, tunnel_type=13</P><P>015309: .Mar 31 12:21:32: RADIUS: free TAS(1)</P><P>015310: .Mar 31 12:21:32: RADIUS: no appropriate authorization type for user.</P><P>015311: .Mar 31 12:21:32: RADIUS: ustruct sharecount=3</P><P>015312: .Mar 31 12:21:32: RADIUS: Sent class "CACS:a/f5a8/aff004c/anonymous" at 80DFD7BF from user 80E61F58</P><P></P><P>Seems to be something wrong with the authorization part?</P><P></P><P>Rutger</P></BODY></HTML> Fri, 31 Mar 2006 12:23:43 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587772#M806820 Rutger Blom 2006-03-31T12:23:43Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587773#M806821 <HTML><HEAD></HEAD><BODY><P>Rutger,</P><P></P><P>what version of IOS are you running on the switch. If you have the aaa authorization command in the config consider upgrading to a more recent version of the IOS. What switching platform are you using?</P><P></P><P>Adam</P></BODY></HTML> Thu, 06 Apr 2006 19:56:22 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587773#M806821 abz 2006-04-06T19:56:22Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587774#M806822 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I'm testing against a 2950-48 switch with IOS 12.1(22)EA7.</P><P>The aaa config in the switch looks like this:</P><P></P><P>Global:</P><P>aaa group server radius acs_radius</P><P> server 192.168.1.10 auth-port 1812 acct-port 1813</P><P></P><P>aaa authentication dot1x default group acs_radius</P><P>aaa authorization network default group radius if-authenticated</P><P>aaa accounting dot1x default start-stop group acs_radius</P><P>dot1x system-auth-control</P><P></P><P>radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key xxxx</P><P></P><P>Interface:</P><P>interface FastEthernet0/25</P><P> switchport mode access</P><P> no logging event link-status</P><P> no snmp trap link-status</P><P> dot1x port-control auto</P><P> dot1x timeout reauth-period server</P><P> dot1x reauthentication</P><P> spanning-tree portfast</P><P>end</P><P></P><P></P></BODY></HTML> Fri, 07 Apr 2006 05:53:03 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587774#M806822 Rutger Blom 2006-04-07T05:53:03Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587775#M806823 <HTML><HEAD></HEAD><BODY><P>We have the same problem. Today I post the same question. </P><P></P><P>How did you resolve this problem? </P><P></P><P>Thanks and regards</P></BODY></HTML> Mon, 11 Dec 2006 22:42:20 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587775#M806823 mmoranzo 2006-12-11T22:42:20Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587776#M806824 <HTML><HEAD></HEAD><BODY><P>I change the IOS and all work fine. The IOS must have the feature "NAC - L2 IEEE 802.1x". </P><P></P></BODY></HTML> Tue, 12 Dec 2006 13:17:48 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587776#M806824 mmoranzo 2006-12-12T13:17:48Z https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587777#M806825 <HTML><HEAD></HEAD><BODY><P>Good news! What version of IOS are you running?</P><P></P><P>Regards,</P><P>Rutger</P></BODY></HTML> Tue, 12 Dec 2006 19:54:49 GMT https://community.cisco.com/t5/network-security/nac-l2-802-1x-vlan-assignment/m-p/587777#M806825 Rutger Blom 2006-12-12T19:54:49Z