Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2632
Views
0
Helpful
6
Replies

Dynamic VLAN assignment for MAB and Microsoft NPS

SASANAbdolahi85822
Level 1
Level 1

ā€Ž12-24-2020 03:56 AM

I have a WS-C2960CX-8PC-L  running  IOS 15.2(4)E2 with dot1.x, and MAB authentication schema enabled.

Were trying to get MAB working with Microsoft NPS, and the NPS part looks good in the logs - the MAC-address is looked up, the authorization profile is correct. But on the switch I get the following:


Dec 24 18:35:46: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 24 18:35:46: RADIUS(00000000): Config NAS IP: 0.0.0.0
Dec 24 18:35:46: RADIUS(00000000): Config NAS IPv6: ::
Dec 24 18:35:46: RADIUS(00000000): sending
Dec 24 18:35:46: RADIUS/ENCODE: Best Local IP-Address 192.168.14.250 for Radius-Server 192.168.1.23
Dec 24 18:35:46: RADIUS(00000000): Send Access-Request to 192.168.1.23:1812 id 1645/93, len 264
Dec 24 18:35:46: RADIUS: authenticator 4D D3 2E AA 74 0B 3F 94 - B5 AB B5 B8 A2 2B 8D 90
Dec 24 18:35:46: RADIUS: User-Name [1] 14 "0017fcfbed38"
Dec 24 18:35:46: RADIUS: User-Password [2] 18 *
Dec 24 18:35:46: RADIUS: Service-Type [6] 6 Call Check [10]
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 31
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Dec 24 18:35:46: RADIUS: Framed-MTU [12] 6 1500
Dec 24 18:35:46: RADIUS: Called-Station-Id [30] 19 "00-5F-86-55-39-87"
Dec 24 18:35:46: RADIUS: Calling-Station-Id [31] 19 "00-17-FC-FB-ED-38"
Dec 24 18:35:46: RADIUS: Message-Authenticato[80] 18
Dec 24 18:35:46: RADIUS: F5 9B EA 5F F4 B9 27 70 2A 5B BB 39 E7 A1 48 24 [ _'p*[9H$]
Dec 24 18:35:46: RADIUS: EAP-Key-Name [102] 2 *
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 49
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1E0EFA0000000C0001732A"
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 18
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 12 "method=mab"
Dec 24 18:35:46: RADIUS: Framed-IP-Address [8] 6 192.168.15.5
Dec 24 18:35:46: RADIUS: NAS-IP-Address [4] 6 192.168.14.250
Dec 24 18:35:46: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/7"
Dec 24 18:35:46: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Dec 24 18:35:46: RADIUS: NAS-Port [5] 6 50107
Dec 24 18:35:46: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 24 18:35:46: RADIUS(00000000): Started 5 sec timeout
Dec 24 18:35:46: RADIUS: Received from id 1645/93 192.168.1.23:1812, Access-Accept, len 89
Dec 24 18:35:46: RADIUS: authenticator 14 19 9B 6F C7 C7 00 12 - 95 19 FA 84 14 8E C6 69
Dec 24 18:35:46: RADIUS: Service-Type [6] 6 Framed [2]
Dec 24 18:35:46: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Dec 24 18:35:46: RADIUS: Ascend-Auth-Type [81] 5 858796096
Dec 24 18:35:46: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Dec 24 18:35:46: RADIUS: Class [25] 46
Dec 24 18:35:46: RADIUS: A3 65 09 45 00 00 01 37 00 01 02 00 AC 1F 01 17 00 00 00 00 C4 9E 0B E7 3F 40 F0 06 01 D6 CF 4F F5 55 12 51 00 00 00 00 00 00 00 BB [ eE7?@OUQ]
Dec 24 18:35:46: RADIUS(00000000): Received from id 1645/93
Dec 24 18:35:46: RADIUS: unsupported value 858796096 in attribute 81
Dec 24 18:35:46: RADIUS/DECODE: Ascend auth type; FAIL
Dec 24 18:35:46: RADIUS/DECODE: decoder; FAIL
Dec 24 18:35:46: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL
Dec 24 18:35:46: RADIUS/DECODE: parse response op decode; FAIL
Dec 24 18:35:46: %MAB-5-FAIL: Authentication failed for client (0017.fcfb.ed38) on Interface Gi0/7 AuditSessionID AC1E0EFA0000000C0001732A

 

It recognizes the attributes 64 and 65, but the Tunnel-private-group-id that contains the actual VLAN number is unsupported.

Radius attribute 81 is "Tunnel-private-group-id" but in my cisco switch it is "Ascend-Auth-Type".

the other cisco switches work correctly.

Labels:
0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

ā€Ž12-24-2020 04:05 AM - edited ā€Ž12-24-2020 04:06 AM

Not sure how is your switch config : worth checking this BLOG :

 

https://mikepembo.wordpress.com/2016/11/07/dynamic-vlan-assignment-cisco-and-nps/comment-page-1/

 

community thread also can help you :

 

https://community.cisco.com/t5/switching/dynamic-vlan-assignment-in-wired-network-nps-2012-server/m-p/3349130

 

Still has issue provide the config of the switch,.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

SASANAbdolahi85822
Level 1
Level 1
In response to balaji.bandi

ā€Ž12-24-2020 04:24 AM - edited ā€Ž12-24-2020 04:27 AM

my config is correct and all the other switches work perfect. but this switch is acting up.

here is my switch configuration:


MY_Switch#sho run
Building configuration...

version 15.2
no service pad
service password-encryption
!

aaa group server radius SERVERS-GROUP
server name NPS_PRIMARY
!
aaa authentication login ADMIN-LOGIN group AAAG-ADMIN local
aaa authentication dot1x default group SERVERS-GROUP
aaa authorization console
aaa authorization exec ADMIN-LOGIN group AAAG-ADMIN local if-authenticated
aaa authorization network default group SERVERS-GROUP
aaa accounting dot1x default start-stop group SERVERS-GROUP
aaa accounting exec default start-stop group AAAG-ADMIN
aaa accounting system default start-stop group AAAG-ADMIN
!
!
!

dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge bpduguard default
spanning-tree extend system-id
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery interval 1800
!
!
!
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/7
switchport access vlan 40
switchport mode access
switchport voice vlan 200
ip arp inspection limit rate 50
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication timer reauthenticate 60
authentication timer restart 10
authentication timer inactivity 60
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 120
dot1x timeout held-period 20
storm-control broadcast level 15.00
storm-control multicast level 15.00
storm-control unicast level 90.00 65.00
storm-control action trap
spanning-tree portfast edge
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 50
!
interface GigabitEthernet0/12
description Uplink CoreSwitch
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan250
ip address 192.168.14.250 255.255.255.128
no ip route-cache
!
ip default-gateway 192.168.14.254
ip forward-protocol nd
ip http server
ip http secure-server
!
ip ssh version 2

radius server NPS_PRIMARY
address ipv4 192.168.1.23 auth-port 1812 acct-port 1813
non-standard
key 7 xxxxxxxxxxxxxxxxxxxxxxx
!

 

 

0 Helpful

SASANAbdolahi85822
Level 1
Level 1
In response to balaji.bandi

ā€Ž12-24-2020 04:33 AM

all the other switches are working correct but this switch is acting up.

here is my switch config

 


MY_Switch#sho run
Building configuration...

version 15.2
no service pad
service password-encryption
!

aaa group server radius SERVERS-GROUP
server name NPS_PRIMARY
!
aaa authentication login ADMIN-LOGIN group AAAG-ADMIN local
aaa authentication dot1x default group SERVERS-GROUP
aaa authorization console
aaa authorization exec ADMIN-LOGIN group AAAG-ADMIN local if-authenticated
aaa authorization network default group SERVERS-GROUP
aaa accounting dot1x default start-stop group SERVERS-GROUP
aaa accounting exec default start-stop group AAAG-ADMIN
aaa accounting system default start-stop group AAAG-ADMIN
!
!
!

dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode rapid-pvst
spanning-tree portfast edge bpduguard default
spanning-tree extend system-id
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause small-frame
errdisable recovery interval 1800
!
!
!
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/7
switchport access vlan 40
switchport mode access
switchport voice vlan 200
ip arp inspection limit rate 50
authentication event fail action next-method
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication timer reauthenticate 60
authentication timer restart 10
authentication timer inactivity 60
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x timeout supp-timeout 120
dot1x timeout held-period 20
storm-control broadcast level 15.00
storm-control multicast level 15.00
storm-control unicast level 90.00 65.00
storm-control action trap
spanning-tree portfast edge
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 50
!
interface GigabitEthernet0/12
description Uplink CoreSwitch
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan250
ip address 192.168.14.250 255.255.255.128
no ip route-cache
!
ip default-gateway 192.168.14.254
ip forward-protocol nd
ip http server
ip http secure-server
!
ip ssh version 2

radius server NPS_PRIMARY
address ipv4 192.168.1.23 auth-port 1812 acct-port 1813
non-standard
key 7 xxxxxxxxxxxxxxxxxxxxxxx
!

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

ā€Ž12-24-2020 04:54 AM

what about other switches working ? what model and what version of code that is ?

 

if that is the case could be bug in "version 15.2" ? any chance to upgrade or degrade and test it ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

SASANAbdolahi85822
Level 1
Level 1
In response to balaji.bandi

ā€Ž12-24-2020 05:16 AM

I have a WS-C2960S-48TS-L running  IOS 12.2(55)SE3 and it is ok

 

0 Helpful

MHM Cisco World
VIP
VIP

ā€Ž12-25-2020 06:44 PM

authentication order mab dot1x
authentication priority dot1x mab<- change this to priority mab dot1x 

if the some client is support only mab and other support dot1x.

0 Helpful
Customers Also Viewed These Support Documents