Dynamic VLAN assignment for MAB and Microsoft NPS

I have a WS-C2960CX-8PC-L running IOS 15.2(4)E2 with dot1x and the MAB authentication scheme enabled.

We're trying to get MAB working with Microsoft NPS, and the NPS part looks good in the logs: the MAC address is looked up and the authorization profile is correct. But on the switch I get the following:


Dec 24 18:35:46: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 24 18:35:46: RADIUS(00000000): Config NAS IP: 0.0.0.0
Dec 24 18:35:46: RADIUS(00000000): Config NAS IPv6: ::
Dec 24 18:35:46: RADIUS(00000000): sending
Dec 24 18:35:46: RADIUS/ENCODE: Best Local IP-Address 192.168.14.250 for Radius-Server 192.168.1.23
Dec 24 18:35:46: RADIUS(00000000): Send Access-Request to 192.168.1.23:1812 id 1645/93, len 264
Dec 24 18:35:46: RADIUS: authenticator 4D D3 2E AA 74 0B 3F 94 - B5 AB B5 B8 A2 2B 8D 90
Dec 24 18:35:46: RADIUS: User-Name [1] 14 "0017fcfbed38"
Dec 24 18:35:46: RADIUS: User-Password [2] 18 *
Dec 24 18:35:46: RADIUS: Service-Type [6] 6 Call Check [10]
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 31
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Dec 24 18:35:46: RADIUS: Framed-MTU [12] 6 1500
Dec 24 18:35:46: RADIUS: Called-Station-Id [30] 19 "00-5F-86-55-39-87"
Dec 24 18:35:46: RADIUS: Calling-Station-Id [31] 19 "00-17-FC-FB-ED-38"
Dec 24 18:35:46: RADIUS: Message-Authenticato[80] 18
Dec 24 18:35:46: RADIUS: F5 9B EA 5F F4 B9 27 70 2A 5B BB 39 E7 A1 48 24 [ _'p*[9H$]
Dec 24 18:35:46: RADIUS: EAP-Key-Name [102] 2 *
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 49
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1E0EFA0000000C0001732A"
Dec 24 18:35:46: RADIUS: Vendor, Cisco [26] 18
Dec 24 18:35:46: RADIUS: Cisco AVpair [1] 12 "method=mab"
Dec 24 18:35:46: RADIUS: Framed-IP-Address [8] 6 192.168.15.5
Dec 24 18:35:46: RADIUS: NAS-IP-Address [4] 6 192.168.14.250
Dec 24 18:35:46: RADIUS: NAS-Port-Id [87] 20 "GigabitEthernet0/7"
Dec 24 18:35:46: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Dec 24 18:35:46: RADIUS: NAS-Port [5] 6 50107
Dec 24 18:35:46: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 24 18:35:46: RADIUS(00000000): Started 5 sec timeout
Dec 24 18:35:46: RADIUS: Received from id 1645/93 192.168.1.23:1812, Access-Accept, len 89
Dec 24 18:35:46: RADIUS: authenticator 14 19 9B 6F C7 C7 00 12 - 95 19 FA 84 14 8E C6 69
Dec 24 18:35:46: RADIUS: Service-Type [6] 6 Framed [2]
Dec 24 18:35:46: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Dec 24 18:35:46: RADIUS: Ascend-Auth-Type [81] 5 858796096
Dec 24 18:35:46: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Dec 24 18:35:46: RADIUS: Class [25] 46
Dec 24 18:35:46: RADIUS: A3 65 09 45 00 00 01 37 00 01 02 00 AC 1F 01 17 00 00 00 00 C4 9E 0B E7 3F 40 F0 06 01 D6 CF 4F F5 55 12 51 00 00 00 00 00 00 00 BB [ eE7?@OUQ]
Dec 24 18:35:46: RADIUS(00000000): Received from id 1645/93
Dec 24 18:35:46: RADIUS: unsupported value 858796096 in attribute 81
Dec 24 18:35:46: RADIUS/DECODE: Ascend auth type; FAIL
Dec 24 18:35:46: RADIUS/DECODE: decoder; FAIL
Dec 24 18:35:46: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL
Dec 24 18:35:46: RADIUS/DECODE: parse response op decode; FAIL
Dec 24 18:35:46: %MAB-5-FAIL: Authentication failed for client (0017.fcfb.ed38) on Interface Gi0/7 AuditSessionID AC1E0EFA0000000C0001732A

 

It recognizes attributes 64 and 65, but the Tunnel-Private-Group-ID attribute that contains the actual VLAN number is unsupported.

RADIUS attribute 81 is "Tunnel-Private-Group-ID", but on my Cisco switch it is decoded as "Ascend-Auth-Type".

The other Cisco switches work correctly.
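The failure in the debug output can be reproduced from the numbers the switch printed. Attribute 81 arrived with length 5, so it carries a 3-byte value, and the "unsupported value" 858796096 is 0x33303040, i.e. the ASCII bytes "3", "0", "0" followed by 0x40 = 64, which is the type byte of the Tunnel-Type attribute that follows it in the Access-Accept. In other words, the switch read attribute 81 as a 4-byte integer and ran one byte into the next attribute, where an RFC 2868 decoder would have read it as the string "300" (an untagged Tunnel-Private-Group-ID; NPS sent tag 0 on the other tunnel attributes). The following is an added example, not code from the original post or from Cisco or Microsoft: it builds a constructed copy of the relevant attributes, decodes them per RFC 2865/2868, and models the mis-decode the switch performed. The byte layout of the Access-Accept is constructed from the posted output, and the model of the switch's decoder is an assumption chosen to reproduce the printed value.

```python
import struct

# Constructed attribute section of an Access-Accept, modelled on the posted
# debug output: Service-Type, Tunnel-Medium-Type, attribute 81 (len 5, no tag
# byte, value "300"), Tunnel-Type. Class and Message-Authenticator are omitted.
ACCEPT_ATTRS = (
    bytes([6, 6]) + struct.pack(">I", 2)          # Service-Type = Framed (2)
    + bytes([65, 6, 0]) + (6).to_bytes(3, "big")  # Tunnel-Medium-Type tag 0, IEEE-802 (6)
    + bytes([81, 5]) + b"300"                     # Tunnel-Private-Group-ID, untagged
    + bytes([64, 6, 0]) + (13).to_bytes(3, "big") # Tunnel-Type tag 0, VLAN (13)
)

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def parse_attrs(buf):
    """Split a RADIUS attribute section into (type, value) pairs (RFC 2865 TLV).

    The declared length covers the type and length bytes, so it is at least 2;
    anything shorter or that runs past the buffer is rejected rather than
    silently walking into the next attribute.
    """
    attrs = []
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"malformed attribute {atype} (len {alen})")
        attrs.append((atype, buf[i + 2:i + alen]))
        i += alen
    return attrs


def decode_tagged_string(value):
    """RFC 2868 3.6: a leading byte in 0x00..0x1F is a tag; otherwise the
    whole value is the string and the tag is taken as 0."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def decode_tagged_int(value):
    """RFC 2868 3.1/3.2: one tag byte followed by a 3-byte big-endian integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def vlan_from_accept(buf):
    """Return the VLAN name/number an RFC 2868 NAS would apply, or None if the
    three tunnel attributes do not describe an 802 VLAN with a matching tag."""
    tunnel_type = medium = group = None
    for atype, value in parse_attrs(buf):
        if atype == TUNNEL_TYPE:
            tunnel_type = decode_tagged_int(value)
        elif atype == TUNNEL_MEDIUM_TYPE:
            medium = decode_tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = decode_tagged_string(value)
    if not (tunnel_type and medium and group):
        return None
    if tunnel_type[1] != 13 or medium[1] != 6:          # VLAN over IEEE 802
        return None
    if not (tunnel_type[0] == medium[0] == group[0]):   # tags must agree
        return None
    return group[1]


def misdecode_attr81_as_integer(buf):
    """Model (assumption) of what the switch did: treat attribute 81 as a 4-byte
    integer and read 4 bytes from its value regardless of the declared length.
    With a 3-byte value the fourth byte is the type of the next attribute."""
    i = 0
    while i + 2 <= len(buf):
        atype, alen = buf[i], buf[i + 1]
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return int.from_bytes(buf[i + 2:i + 6], "big")
        i += max(alen, 2)
    return None


if __name__ == "__main__":
    print("RFC 2868 decode, VLAN:", vlan_from_accept(ACCEPT_ATTRS))
    print("Integer mis-decode of attribute 81:", misdecode_attr81_as_integer(ACCEPT_ATTRS))
```

Running it prints the VLAN an RFC 2868 decoder would assign and the same 858796096 the switch logged, which is a quick way to confirm that the value in the debug output is the VLAN string plus one byte of the following attribute rather than a garbage value from NPS. The tag check in vlan_from_accept is the one a NAS should apply before trusting the trio of tunnel attributes, since RFC 2868 allows several tagged sets in one Accept.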
