Dynamic VLAN assignments with ACS

paulhughes5 · ‎04-30-2012

Hello all.

I am trying to do dynamic vlan assignments with dot1x auth. I am using ACS5.3 and Cisco 3560.

I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.

aaa group server radius nac_servers
server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
aaa authentication dot1x default group nac_servers
aaa authorization network default group nac_servers
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 364
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out 
 authentication event no-response action authorize vlan 303
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust 
 dot1x pae authenticator

When the user connects I get the following via debug:

Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7

However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).

Any idea what config I'm missing?

Thanks

Paul

shoaibkhan · ‎05-01-2012

Can you please post full logs not just this line.

thanks

paulhughes5 · ‎05-01-2012

Hello.

Here is whats left in the log.

Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.253: EAPOL pak dump rx
Apr 30 15:19:36.253: EAPOL Version: 0x1 type: 0x0 length: 0x007B
Apr 30 15:19:36.253: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123

Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.007b
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.278: EAPOL pak dump rx
Apr 30 15:19:36.278: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.278: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43

Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.294: EAPOL pak dump rx
Apr 30 15:19:36.294: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.294: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43

Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet

Hope that helps

Tarik Admani · ‎05-02-2012

Please run "debug radius authentication" I would like to see the av-pairs that are sent back from the radius server.

When you issue a show vlan, does vlan 300 exist in the vlan database?

Thanks

Tarik Admani

paulhughes5 · ‎05-02-2012

I'll run the debug tomorrow if I get chance.

Yes VLAN 300 is being used on other ports. If I set the port to be on vlan 300 everything else about the 802.1x auth works fine.

paulhughes5 · ‎05-03-2012

I've changed the host mode to multi-host rather than domain. Although I will be going through a VoIP phone eventually I was not as the time and I can only assume that was the issue.

kiran kumar Chamakura · ‎05-07-2012

Hi Paul,

Can send us the ACS Configuration and Switch configuration , to see what went wrrong.

Thanks and Regards

Kiran Kumar CH