1519 Views | 0 Helpful | 1 Replies
Is it possible to specify a native vlan with RADIUS?

jzachman (Level 1)

Hi, I'm currently using an NPS server to MAB-auth our devices (mainly for the ability to perform dynamic VLAN assignment). It works great, but I am running into a problem with auth-ing our wireless access points. The NPS policy is sending the "device-traffic-class=switch" RADIUS attribute as well as the other standard RADIUS attributes (tunnel-medium-type, tunnel-pvt-group & tunnel-type).

The problem is that the APs need native access to VLAN 100 (specifically designated for AP management). They also need tagged access to VLANs 200 & 300, as these feed the SSIDs. So sending the "device-traffic-class=switch" works because it tags VLANs 200/300 down to the AP, which is good. BUT the only way I can get VLAN 100 to become the native VLAN is by setting it as the access VLAN (so when the port gets the RADIUS class=switch attribute, it converts VLAN 100 from the access VLAN to the native VLAN). This isn't great, as then I need to set all of the interfaces to use VLAN 100 as the access VLAN. Normally this wouldn't be a big deal because NPS/MAB would just dynamically change it on the fly. But we've had a lot of success just leaving the access VLAN as our general user VLAN (847), so if the L2L goes down or connectivity back to the NPS server goes down, then we've listed "none" as the backup authentication method -- if there's no connectivity, then the switch just times out and dumps the port into the general user VLAN -- which is safe for us.

Has anyone ever run into this problem before or found a way to dynamically set a native VLAN using RADIUS attributes?

Thanks for your help.

1 Reply

aukhadiev (Level 1)

Hi,

You can use the functionality of Auto SmartPort Macro or Interface Template; the second method is preferred.
In short:
- In the first case, you configure the Auto SmartPort Macro functionality and send, in addition to "device-traffic-class = switch", the following cisco-av-pair: "auto-smart-port = aspName". In the macro you write something like "switchport trunk native vlan 100".
- In the second case, you configure the Interface Template and send, in addition to "device-traffic-class = switch", the following cisco-av-pair: "interface-template-name = templateName". In this template, write something like "switchport trunk native vlan 100".
I do not recommend the first method. I hope your switches support Interface Template; otherwise you will have to understand the Auto SmartPort Macro technology well before implementation.
With the Interface Template everything is much simpler; you will find a good example in this community:

https://community.cisco.com/t5/security-documents/neat-with-interface-template/ta-p/3642967
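The following is an added illustration of the Interface Template approach described in the reply above; it is not code from either poster or from Cisco. It shows an IOS-style configuration fragment for the template and the port, and the two Cisco-AV-Pair values the NPS policy for the APs would return. The template name AP_TRUNK and the interface GigabitEthernet1/0/10 are assumptions; VLANs 100, 200, 300 and 847 are the ones named in the question.

```cisco
! Added example (not from the thread): Interface Template pushed by RADIUS.
! Assumed names: template AP_TRUNK, interface GigabitEthernet1/0/10.
!
! 1. Define the template once on the switch. It carries the native VLAN
!    the reply suggests plus the trunk settings the APs need.
template AP_TRUNK
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,200,300
!
! 2. Leave the physical port as a plain MAB access port in the general
!    user VLAN (847), as the question describes, so a RADIUS outage still
!    falls back to that VLAN instead of VLAN 100.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 847
 authentication port-control auto
 mab
!
! 3. Attributes the NPS network policy for APs returns in the Access-Accept
!    (Vendor-Specific, vendor Cisco, attribute Cisco-AV-Pair). These are
!    RADIUS attribute values, not IOS configuration lines:
!
!    Cisco-AV-Pair = "device-traffic-class=switch"
!    Cisco-AV-Pair = "interface-template-name=AP_TRUNK"
!
! 4. Verify on the switch after an AP authenticates:
!    show authentication sessions interface GigabitEthernet1/0/10 details
!    show derived-config interface GigabitEthernet1/0/10
```

The second show command displays the running configuration merged with whatever the template applied, so it is the quickest way to confirm that the native VLAN on the port is 100 while the session is up and that it returns to access VLAN 847 once the session clears. If the AP policy also returns the tunnel-type, tunnel-medium-type and tunnel-private-group-id attributes, check that output to see which VLAN the switch actually ends up using as native, since template and dynamic-VLAN settings are applied to the same port.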
