
802.1x VLAN assignment + Microsoft IAS

BABARCHE
Level 1

Hello,

Here is what I am trying to do:

A Windows XP client is authenticating via 802.1x to a Cisco switch. The switch "talks" to an IAS RADIUS server (Microsoft). That works fine, the user can log in and the port opens up. Cisco developed a feature in a recent software release whereby the RADIUS server can also tell the switch what VLAN to place the freshly-authenticated port in (that's the part I can't get to work - the fact that I am totally new to RADIUS probably doesn't help either). I know that the switch expects the following parameters within the Access-Accept:

a) Tunnel-Type(#64)=VLAN (13)

b) Tunnel-Medium-Type(#65)=802 (6)

c) Tunnel-Private-Group-ID(#81)=VLANID

How can I define these parameters in IAS? I tried several things but none worked. If someone has experience, please let me know ... Thanx!

Bastien

12 Replies

hadbou
Level 5

Check if the tag field for tunnel attribute is set to 1 instead of the default value of 0 in the Microsoft IAS server.
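The three attributes listed in the question, and the tag octet mentioned in the reply above, encoded and checked as they would appear in an Access-Accept. This is an added example, not code from the thread; the function names are illustrative, the sample bytes are constructed, and the tag layout follows RFC 2868.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EXPECTED = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6}  # VLAN, 802 (from the question)

def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes as they would sit in an Access-Accept."""
    out = b""
    for attr, value in EXPECTED.items():
        # RFC 2868 layout: type, length (always 6), tag octet, 3-octet value
        out += bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")
    if 1 <= tag <= 0x1F:
        group = bytes([tag]) + group  # this example omits the tag octet when tag is 0
    return out + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group

def parse_attrs(data):
    """Split a raw attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def check_vlan_assignment(data):
    """Return (vlan, problems); vlan is None if no group ID was sent."""
    tags, vlan, problems = {}, None, []
    for attr, value in parse_attrs(data):
        if attr in EXPECTED:
            if len(value) != 4:
                problems.append(f"attribute {attr}: expected tag + 3-octet value")
                continue
            tags[attr] = value[0]
            if int.from_bytes(value[1:], "big") != EXPECTED[attr]:
                problems.append(f"attribute {attr}: value is not {EXPECTED[attr]}")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x00-0x1F is a tag; anything higher starts the string
            tagged = bool(value) and value[0] <= 0x1F
            tags[attr] = value[0] if tagged else 0
            vlan = (value[1:] if tagged else value).decode("ascii", "replace")
    for attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if attr not in tags:
            problems.append(f"attribute {attr} missing")
    if len(set(tags.values())) > 1:
        problems.append("tag differs between attributes")
    return vlan, problems

# Constructed sample: Tunnel-Type carries 3 instead of 13 (VLAN)
BAD = bytes([64, 6, 0, 0, 0, 3]) + encode_vlan_attrs(20)[6:]
```

Feeding `check_vlan_assignment` the attribute bytes from a packet capture of the Access-Accept shows whether the RADIUS server is sending what the switch expects before any switch-side debugging starts.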

Thanx for your answer.

I tried that but I think I made mistakes because it doesn't work.

What I need to know is what I have to enter precisely:

- Which kind of attribute? Cisco AVPAIR or RADIUS vendor-specific attribute or something else?

- Which value in the field: Tunnel-Type(#64) or just 64 or just Tunnel-Type or just #64 or 13?

- Which value in the field attribute format? String, decimal or hexadecimal?

Thanx very much !!

OK! Forget my previous mail.

I found how to define the attributes in IAS.

But it's still not working. I can't find where I can change this flag you're talking about. Could you help me?

Thanx ...

I also had a similar problem; I was using a Steel-Belted Radius. I changed the ACS RADIUS flag and it worked for me.

OK ... Thanx ... I still can't find where to change this flag in IAS ...

Could you send me your switch configuration which works fine for VLAN assignment with 802.1x? It could help to see if I didn't make any error in mine.

Thanx very much !

Bastien

Sorry, It works !

I just made a stupid mistake. I forgot the command "aaa authorization network default group radius".

No need to change a flag or something like that. IAS works fine. But it's not very easy to manage groups compared to ACS.

So, if you plan to do VLAN assignment with 802.1x, I advise using CiscoSecure ACS. If you just need to do 802.1x authentication, then IAS is great too!

Bye ...

What did you set the tunnel type value to? I did not see VLAN, just VTP.

I'm trying to use Win2003 IAS for 802.1x authentication. But the event log of IAS keeps giving me the error message "A malformed RADIUS message was received from client XXX. The data is the RADIUS message." I have checked that the RADIUS key is correct. Does anyone know what the problem is?

denggi, did you have any luck in resolving this problem? I can get 802.1x working with a Cat3550 and Cisco ACS but when I try using Microsoft IAS I get a similar message to yours.

Any help would be great.

buntschu
Level 1

Hi,

We have the same configuration as you, but the IAS RADIUS rejects the authentication request from the NAS (Cat 2959). Could you provide some tips (or print screens) of your IAS config? Our config works fine with ACS 3.3 but we would like to migrate it to IAS.

Thanks for your reply !

Francois

andrea.meconi
Level 2

Look at http://www.foundrynet.com/solutions/appNotes/8021xportAuth.html#other8021xtested.

A good guide! And remember the command:

aaa authentication dot1x default group radius

Configure IAS as your RADIUS server on the switch.

With my 3550 it works fine!

Andrea.

You are using IAS? If so are you using vendor-specific attributes or cisco avpairs?? Anyone in a similar boat?

I cannot get this to work.