Configuring 802.1X port-based authentication with VLAN assignment

tvanginneken
Level 4
Level 4

My client PC is connected to a C2950 switch that is configured for 802.1X port authentication. The C2950 switch forwards the PC authentication request to a Cisco ACS RADIUS server version 3.2.

Which RADIUS attributes need to be set on the ACS RADIUS server to use VLAN assignment, what TAGs do I need to set (0, 1 or 2), and what values need to be set for these RADIUS attributes? Up to now I have found the following attributes in the documentation:

[64] Tunnel-Type=VLAN

[65] Tunnel-Medium=802

[81] Tunnel-Private-Group-ID=vlan-name

I tried these attributes but it doesn't work.

The documentation does not specify the TAGs I should use.

Could someone help me out please??

Thanks!!

Regards,

Tom

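The three attributes listed above are the RFC 2868 tunnel attributes, and the "tag" the question asks about is their leading octet. As an added example that is not part of the original thread, the Python below encodes and decodes those attributes the way they travel inside a RADIUS Access-Accept: Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (802), and Tunnel-Private-Group-ID carrying the VLAN name or number. RFC 2868 defines tag 0x00 as "untagged" and 0x01 to 0x1F as valid grouping tags, and for the string attribute a first octet above 0x1F is data rather than a tag; the decoder applies both rules. The function names and the choice of tag 1 in the sample are mine, not Cisco's.

```python
# Added example (not from the thread): build and parse the RFC 2868 tunnel
# attributes a RADIUS server returns for dynamic VLAN assignment.
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13       # IANA tunnel type "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6  # IANA tunnel medium type "802"


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS AVP: Type (1 octet), Length (1 octet, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_assignment(vlan: str, tag: int = 1) -> bytes:
    """Encode attributes 64/65/81 sharing one tag. Tag 0 means untagged (RFC 2868)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    # Integer-valued tunnel attributes: the tag takes the first octet and the
    # integer is packed into the remaining three.
    t64 = _attr(TUNNEL_TYPE, struct.pack("!B", tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    t65 = _attr(TUNNEL_MEDIUM_TYPE, struct.pack("!B", tag) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    # String-valued attribute: tag octet followed by the VLAN name or number.
    t81 = _attr(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + vlan.encode("ascii"))
    return t64 + t65 + t81


def iter_attrs(payload: bytes):
    """Walk the attribute list, rejecting truncated or zero-length AVPs."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[off + 2:off + alen]
        off += alen


def _split_tag(value: bytes, is_string: bool):
    """Return (tag, body). In a string attribute a first octet above 0x1F is data, not a tag."""
    if not value:
        raise ValueError("empty tunnel attribute")
    first = value[0]
    if is_string and first > 0x1F:
        return 0, value
    return first, value[1:]


def extract_vlan(payload: bytes):
    """Return the VLAN from an Access-Accept attribute list, or None.

    Attributes 64, 65 and 81 are grouped by tag; a group yields a VLAN only
    when Tunnel-Type is VLAN, Tunnel-Medium-Type is 802 and a group ID exists.
    """
    groups = {}
    for atype, value in iter_attrs(payload):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, body = _split_tag(value, is_string=False)
            if len(body) != 3:
                raise ValueError("tagged integer must be 3 octets")
            groups.setdefault(tag, {})[atype] = int.from_bytes(body, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, body = _split_tag(value, is_string=True)
            groups.setdefault(tag, {})[atype] = body.decode("ascii", errors="replace")
    for tag, g in sorted(groups.items()):
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    # Constructed sample: a well-formed reply assigning VLAN "vlan-name" with tag 1.
    payload = encode_vlan_assignment("vlan-name", tag=1)
    print(payload.hex())
    print(extract_vlan(payload))  # vlan-name
```

Running the block prints the raw attribute bytes, which is useful to compare against a `debug radius` trace on the switch: attribute 64 should show as `0d` in its last octet, 65 as `06`, and all three should carry the same leading tag octet. Mixing tags across the three attributes, or leaving the tunnel type or medium type out, makes `extract_vlan` return None, which is the same situation a switch is in when the VLAN silently fails to apply.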
21 Replies

I've tried to configure using the following commands on the 2950 Cisco switch:

2950# configure terminal
2950(config)#aaa new-model
2950(config)#aaa authentication dot1x default group radius enable
2950(config)#dot1x max-req 3
2950(config)#dot1x timeout quiet-period 0
2950(config)#dot1x timeout re-authperiod 1
2950(config)#radius-server host x.x.x.32 auth-port 1812 acct-port 1813 key 123
2950(config)# interface fastethernet 0/1
2950(config-if)# dot1x port-control auto
2950(config-if)# end

On the ACS I configured it as Cisco (IETF) with the switch IP and key 123.

But when I try to use PEAP on an XP SP1 OS, with the debug I encounter ABORT on the authentication. Can you point out where I went wrong?

Thanks

Regards

Mc

Can you post the debug: debug aaa auth, and debug radius?

Dear mschooley

I have tried the same configuration. A VLAN is dynamically assigned to the dot1x user, as I am able to ping only that particular VLAN. An IP is going out from ACS to the switch, but then it vanishes.

Any help greatly appreciated.

regards

kalyan

Hi Mschooley,

Have you tried Microsoft patch 822596? How is it? I tried this patch but met some problems. The client will ping its default gateway after receiving the "Authentication successful" message from the switch. If the client can't ping the gateway, it will do an IP address renew. But I find the switch is a bit slow in switching the VLAN. When the client pings the default gateway, the VLAN is not switched yet, and that causes the client to fail to get a new IP address. Have you met this kind of situation?

Thanks and Regards

Deng Qi

Just tested with my laptop, worked OK. In the next couple of weeks we are going to implement it in a larger test environment; will update you then.

I'm doing a machine authentication against the ACS DB and I keep getting an error during the 802.1X authentication process regarding the password. Do you know what password the Windows machine uses during the machine authentication?