04-15-2003 01:03 PM - edited 03-10-2019 07:15 AM
Hello,
Here is what I am trying to do:
A Windows XP client is authenticating via 802.1x to a Cisco switch. The switch "talks" to an IAS RADIUS server (Microsoft). That works fine, the user can log in and the port opens up. Cisco developed a feature in a recent software release whereby the RADIUS server can also tell the switch what VLAN to place the freshly-authenticated port in (that's the part I can't get to work - the fact that I am totally new to RADIUS probably doesn't help either). I know that the switch expects the following parameters within the Access-Accept:
a) Tunnel-Type(#64)=VLAN (13)
b) Tunnel-Medium-Type(#65)=802 (6)
c) Tunnel-Private-Group-ID(#81)=VLANID
How can I define these parameters in IAS? I tried several things but none worked. If someone has experience, please let me know .... Thanx!
Bastien
04-22-2003 07:55 AM
Check if the tag field for tunnel attribute is set to 1 instead of the default value of 0 in the Microsoft IAS server.
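The three attributes from the first post and the tag field mentioned in this reply, shown at the byte level in an added example that is not part of the original thread. It assumes the RFC 2868 layout (one tag octet, then a 24-bit value or a string); the function names are hypothetical, and rejecting mismatched tags is this example's own strictness, not documented switch behaviour.

```python
# Added example: tunnel attribute layout per RFC 2868; helper names are hypothetical.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values quoted in the first post


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes as they would sit in an Access-Accept."""
    group = bytes([tag]) + str(vlan_id).encode("ascii")
    return (bytes([TUNNEL_TYPE, 6, tag]) + VLAN.to_bytes(3, "big")
            + bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + IEEE_802.to_bytes(3, "big")
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)]) + group)


def parse_attrs(data):
    """Split a RADIUS attribute list into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        atype, alen = data[i], data[i + 1]
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def vlan_assignment(data):
    """Return (vlan, tag) when all three attributes are present and consistent."""
    found = {}
    for atype, value in parse_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {atype} must be tag + 3 octets")
            tag = value[0] if value[0] <= 0x1F else 0  # other tags are ignored
            found[atype] = (tag, int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # A first octet above 0x1F is the start of the string, not a tag.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[atype] = (tag, text.decode("ascii"))
    for needed in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if needed not in found:
            raise ValueError(f"attribute {needed} missing")
    if found[TUNNEL_TYPE][1] != VLAN or found[TUNNEL_MEDIUM_TYPE][1] != IEEE_802:
        raise ValueError("Tunnel-Type must be 13 and Tunnel-Medium-Type 6")
    if len({tag for tag, _ in found.values()}) != 1:
        raise ValueError("tags differ, so the attributes do not form one group")
    return found[TUNNEL_PRIVATE_GROUP_ID][1], found[TUNNEL_TYPE][0]
```

Running `vlan_assignment` over the attribute bytes of a captured Access-Accept shows whether the server sent the VLAN with tag 0 or tag 1, which is the difference this reply asks about.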
04-22-2003 08:27 AM
Thanx for your answer.
I tried that but I think I made mistakes because it doesn't work.
What I need to know is what I have to enter precisely:
- Which kind of attribute? Cisco AVPAIR or RADIUS vendor-specific attribute or something else?
- Which value in the field: Tunnel-Type(#64) or just 64 or just Tunnel-Type or just #64 or 13?
- Which value in the field attribute format? String, decimal or hexadecimal?
Thanx very much !!
04-22-2003 08:55 AM
OK! Forget my previous mail.
I found how to define the attributes in IAS.
But it's still not working. I haven't found where I can change this flag you're talking about. Could you help me?
Thanx ...
04-23-2003 10:16 PM
I also had a similar problem, I was using a Steel-Belted Radius. I changed the ACS RADIUS flag and it worked for me.
04-24-2003 06:59 AM
OK ... Thanx ... I still do not find where to change this flag in IAS ....
Could you send me your switch configuration which works fine for VLAN assignment with 802.1x? It could help to see if I didn't make any error in mine.
Thanx very much !
Bastien
04-29-2003 06:06 AM
Sorry, it works!
I just made a stupid mistake. I forgot the command "aaa authorization network default group radius".
No need to change a flag or something like that. IAS works fine. But it's not very easy to manage groups compared to ACS.
So, if you plan to do VLAN assignment with 802.1x, I advise using CiscoSecure ACS. If you just need to do 802.1x authentication, then IAS is great too!
Bye ...
06-26-2003 09:59 AM
What did you set the tunnel type value to? I did not see VLAN, just VTP.
09-11-2003 12:36 AM
I'm trying to use Win2003 IAS for 802.1x authentication. But the event log of IAS keeps giving me the error message "A malformed RADIUS message was received from client XXX. The data is the RADIUS message." I have checked that the RADIUS key is correct. Anyone know what the problem is?
12-20-2004 09:52 PM
denggi, did you have any luck in resolving this problem? I can get 802.1x working with a Cat3550 and Cisco ACS but when I try using Microsoft IAS I get a similar message to yours.
Any help would be great.
10-20-2004 12:33 AM
Hi,
We have the same configuration as you, but the IAS RADIUS rejects the authentication request from the NAS (Cat 2959). Could you provide some tips (or printscreen) of your IAS config? Our config works fine with ACS 3.3 but we would like to migrate it to IAS.
Thanks for your reply !
Francois
10-20-2004 01:51 AM
Look at http://www.foundrynet.com/solutions/appNotes/8021xportAuth.html#other8021xtested.
A good guide! And remember the command:
aaa authentication dot1x default group radius
Configure IAS as your RADIUS server on the switch.
With my 3550 it works fine!
Andrea.
03-15-2005 05:10 AM
You are using IAS? If so, are you using vendor-specific attributes or Cisco avpairs?? Anyone in a similar boat?
I cannot get this to work.