09-21-2015 04:09 AM - edited 03-10-2019 11:04 PM
Hi,
We're trying to get MAB working with ACS 5.5, and the ACS part looks good in the logs: the MAC address is looked up and the authorization profile is correct. But on the switch I get the following:
*Mar 1 00:12:53: AAA/AUTHEN/8021X (00000004): Pick method list 'default'
*Mar 1 00:12:53: RADIUS/ENCODE(00000004):Orig. component type = DOT1X
*Mar 1 00:12:53: RADIUS: AAA Unsupported Attr: audit-session-id [607] 24
*Mar 1 00:12:53: RADIUS: 30 41 38 45 30 46 44 45 30 30 30 30 30 30 30 32 [0A8E0FDE00000002]
*Mar 1 00:12:53: RADIUS: 30 30 30 38 30 41 [ 00080A]
*Mar 1 00:12:53: RADIUS: AAA Unsupported Attr: interface [171] 20
*Mar 1 00:12:53: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 31 [GigabitEthernet1]
*Mar 1 00:12:53: RADIUS: 2F 30 [ /0]
*Mar 1 00:12:53: RADIUS(00000004): Config NAS IP: 0.0.0.0
*Mar 1 00:12:53: RADIUS/ENCODE(00000004): acct_session_id: 4
*Mar 1 00:12:53: RADIUS(00000004): sending
*Mar 1 00:12:53: RADIUS/ENCODE: Best Local IP-Address 10.142.15.222 for Radius-Server 10.54.248.55
*Mar 1 00:12:53: RADIUS(00000004): Send Access-Request to 10.54.248.55:1645 id 1645/5, len 162
*Mar 1 00:12:53: RADIUS: authenticator 17 FE 5E 88 64 41 1D 09 - 86 EA 51 BE 78 EB 42 B6
*Mar 1 00:12:53: RADIUS: User-Name [1] 14 "28924ad5a199"
*Mar 1 00:12:53: RADIUS: User-Password [2] 18 *
*Mar 1 00:12:53: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 1 00:12:53: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:12:53: RADIUS: Called-Station-Id [30] 19 "00-1A-A1-99-9F-82"
*Mar 1 00:12:53: RADIUS: Calling-Station-Id [31] 19 "28-92-4A-D5-A1-99"
*Mar 1 00:12:53: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:12:53: RADIUS: EE F5 B8 E1 70 B4 37 A6 3A AD 89 20 A5 A7 D0 E3 [ p7: ]
*Mar 1 00:12:53: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 00:12:53: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 00:12:53: RADIUS: NAS-Port [5] 6 50102
*Mar 1 00:12:53: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/2"
*Mar 1 00:12:53: RADIUS: NAS-IP-Address [4] 6 10.142.15.222
*Mar 1 00:12:53: RADIUS(00000004): Started 5 sec timeout
*Mar 1 00:12:53: RADIUS: Received from id 1645/5 10.54.248.55:1645, Access-Accept, len 106
*Mar 1 00:12:53: RADIUS: authenticator 26 B4 B9 AB 3C 04 68 DA - 38 AF F6 CD 36 95 73 2B
*Mar 1 00:12:53: RADIUS: User-Name [1] 19 "28-92-4A-D5-A1-99"
*Mar 1 00:12:53: RADIUS: Class [25] 31
*Mar 1 00:12:53: RADIUS: 43 41 43 53 3A 41 30 31 44 52 46 4E 30 30 32 2F [CACS:A01DRFN002/]
*Mar 1 00:12:53: RADIUS: 32 33 31 35 38 38 36 30 31 2F 31 37 38 [ 231588601/178]
*Mar 1 00:12:53: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
*Mar 1 00:12:53: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 1 00:12:53: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:12:53: RADIUS: 91 22 CD 50 8D 62 C2 F0 10 DE C6 70 84 AF 31 6C [ "Pbp1l]
*Mar 1 00:12:53: RADIUS: Ascend-Auth-Type [81] 6 20003120
*Mar 1 00:12:53: RADIUS(00000004): Received from id 1645/5
*Mar 1 00:12:53: RADIUS: unsupported value 20003120 in attribute 81
*Mar 1 00:12:53: RADIUS/DECODE: Ascend auth type; FAIL
*Mar 1 00:12:53: RADIUS/DECODE: decoder; FAIL
*Mar 1 00:12:53: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL
*Mar 1 00:12:53: RADIUS/DECODE: parse response op decode; FAIL
*Mar 1 00:12:53: RADIUS/DECODE: parse response; FAIL
*Mar 1 00:12:53: %MAB-5-FAIL: Authentication failed for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF
*Mar 1 00:12:53: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF
*Mar 1 00:12:53: %AUTHMGR-5-FAIL: Authorization failed for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF
It recognizes attributes 64 and 65, but the Tunnel-Private-Group-ID that contains the actual VLAN number is unsupported. How do I assign the correct VLAN if this attribute is unsupported? It doesn't work with a string matching the VLAN name on the switch either.
Version is 12.2.55SE10 on a 3750G.
09-21-2015 10:55 AM
Hi,
From the debugs provided I can see that you are missing one attribute to perform the VLAN assignment; in your test it is only sending the following:
*Mar 1 00:12:53: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
*Mar 1 00:12:53: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
But it should actually send:
Tunnel-Type = 64 = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 253
where the "Tunnel-Private-Group-ID" is the VLAN number/name you want to assign. Below is an example of how it would look in the ACS profile:
http://www.cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wireless-controllers/113591-aaa-override-acs52-17.gif
Note: Please mark it as answered if applicable
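The three attributes in this answer are the tagged tunnel attributes of RFC 2868 that RFC 3580 (section 3.31) specifies for VLAN assignment: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = the VLAN ID or name as a string, all carrying the same tag byte. The Python below is an example added to this thread, not code from the thread, from ACS or from Cisco IOS. It encodes that triple the way a RADIUS server does, parses it the way a switch should, and shows what a NAS sees if its dictionary treats attribute 81 as a plain 4-byte integer instead of a tagged string: the value 20003120 logged in the question's debug is 0x01313930, i.e. tag 1 followed by the ASCII string "190". The VLAN number 190 and the attribute bytes are reconstructed from that debug value, not taken from a real capture.

```python
"""RFC 2868 tunnel attributes for RADIUS VLAN assignment (RFC 3580 s3.31).

Example code added to this thread; not the poster's, ACS's or Cisco's code.
The sample bytes are constructed from the values in the thread's debug.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # "01:VLAN [13]" in the switch debug
TUNNEL_MEDIUM_IEEE_802 = 6     # "01:ALL_802 [6]" in the switch debug


def tagged_int(attr_type, tag, value):
    """Tagged integer: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, text):
    """Tagged string: Type, Length, Tag, ASCII payload (RFC 2868 s3.6)."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan, tag=1):
    """The triple a RADIUS server puts in the Access-Accept for VLAN `vlan`
    (a number or a VLAN name); all three must share the same tag."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_attributes(data):
    """Walk a RADIUS attribute TLV list, returning [(type, value_bytes)].
    Length is validated so a bad server cannot walk us off the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {t}")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def _split_tag(value):
    """Tag byte is only a tag when 0x00..0x1F; otherwise it is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def decode_vlan(attrs):
    """Return (tag, vlan_string) when a consistent VLAN triple is present,
    else None. This is what a switch's RADIUS decoder should do."""
    by_tag = {}
    for t, v in attrs:
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = _split_tag(v)
            by_tag.setdefault(tag, {})[t] = payload
    for tag, group in by_tag.items():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return tag, group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None


def misdecoded_as_integer(value_bytes):
    """What a NAS logs if its dictionary maps attribute 81 to a 4-byte
    integer (the 'Ascend-Auth-Type [81] 6 <int>' line in the thread)."""
    if len(value_bytes) != 4:
        return None
    return int.from_bytes(value_bytes, "big")


def integer_to_tagged_string(n):
    """Reverse the misdecode: recover (tag, string) from the logged integer."""
    b = n.to_bytes(4, "big")
    return b[0], b[1:].decode("ascii")


if __name__ == "__main__":
    accept = vlan_attributes(190)                     # constructed sample
    attrs = parse_attributes(accept)
    print("decoded:", decode_vlan(attrs))             # (1, '190')
    raw81 = dict(attrs)[TUNNEL_PRIVATE_GROUP_ID]
    print("as integer:", misdecoded_as_integer(raw81))  # 20003120
    print("recovered:", integer_to_tagged_string(20003120))  # (1, '190')
```

Run the reverse decode on the integer your own switch prints for attribute 81: if it yields a tag of 1 and the VLAN string you configured, the server is sending the right thing and the problem is the NAS's attribute dictionary, not the ACS profile.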
09-21-2015 11:00 AM
Hi Ivangonz,
Thanks for the reply! Yeah, the thing is the config is similar in ACS to your picture, but the debugs don't show the private-group-id on the switch, maybe because it claims the value is unsupported? The only difference between the picture and my config is that my attributes are under common tasks attributes, not manually entered; could that make a difference? Is this the only way to do dynamic VLAN assignment?
09-21-2015 11:06 AM
Hi,
I do not think it would be an unsupported attribute for the switch. Can you try to configure it manually as on the example, and confirm if you are actually hitting the configured profile, by checking the reports?
09-21-2015 11:08 AM
Will try first thing tomorrow, thanks Ivan!
09-21-2015 11:28 PM
Hi again,
Getting the same output with manually entered attributes: unsupported value in attribute 81. I have no idea what's going on with that thing, but I'm going to try another switch just to be sure it's not some weird bug.
09-23-2015 06:01 AM
Hi,
Can you share screenshot from the configured profile on the ACS. What value are you sending on attribute 81 (Tunnel-Private-Group-ID)?
09-23-2015 11:08 PM
Hi again,
Sorry for the late reply. Turns out it was the switch for some reason. The combination of 3750G-24T-S and 12.2.55SE10 was not good; replaced it with a 3560 and it worked right away. Thanks for the info Ivan, your config was spot on even though the switch didn't like it :)