NAC - NPS + 9200 switches and Dynamic VLAN assignment

IPhoneRZ
Level 1

Hello,

I have read many tutorials on how to configure NPS + IOS for dynamic VLAN assignment, but all of these tutorials describe how to authorize and assign a VLAN based on a user group in AD.

But I would like to assign the VLAN based on the PC being in an AD PC group.

1. Is this possible?

If yes, this is my log:

*Jun 21 08:32:20.861: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/40, changed state to down
*Jun 21 08:32:28.834: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (b445.064d.6b4a) with reason (Cred Fail) on Interface Gi1/0/40 AuditSessionID 83AD2C0A000000148564408D Username: host/PC-049.testdoamin.com
*Jun 21 08:32:28.834: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (b445.064d.6b4a) on Interface GigabitEthernet1/0/40 AuditSessionID 83AD2C0A000000148564408D. Failure reason: Authc fail. Authc failure reason: Cred Fail.
*Jun 21 08:32:30.765: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/40, changed state to up
*Jun 21 08:32:31.765: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/40, changed state to up

In NPS I have the policy defined:

[screenshots of the NPS policy attached to the post: 1.png, 2_LI.jpg, 3.png, 4.png]

On the PC network card, dot1x is enabled and PEAP is selected.

Thanks
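
The log lines in the post can be parsed and correlated by AuditSessionID instead of being read by eye. The script below is an added example, not code from the thread or from Cisco: its input is the four switch lines quoted above, and the interface short-name table and the reading of "Cred Fail" as the switch recording an Access-Reject from the RADIUS server are the example's own assumptions, not something the thread states.

```python
"""Parse IOS XE 802.1X syslog lines and correlate them by AuditSessionID.

Added example for this thread (not the poster's or Cisco's code). SAMPLE_LOG is the
four lines quoted in the original post; SHORT_NAMES and the "Cred Fail" interpretation
are this example's assumptions.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = """\
*Jun 21 08:32:20.861: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/40, changed state to down
*Jun 21 08:32:28.834: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (b445.064d.6b4a) with reason (Cred Fail) on Interface Gi1/0/40 AuditSessionID 83AD2C0A000000148564408D Username: host/PC-049.testdoamin.com
*Jun 21 08:32:28.834: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (b445.064d.6b4a) on Interface GigabitEthernet1/0/40 AuditSessionID 83AD2C0A000000148564408D. Failure reason: Authc fail. Authc failure reason: Cred Fail.
*Jun 21 08:32:30.765: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/40, changed state to up
"""

# Syslog envelope: optional '*' (clock not synced), timestamp, %FACILITY-SEVERITY-MNEMONIC:, message.
ENVELOPE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
# Free-text fields carried by the DOT1X / SESSION_MGR / LINK messages.
FIELDS = {
    "mac": re.compile(r"client \((?P<v>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)"),
    "reason": re.compile(r"with reason \((?P<v>[^)]*)\)"),
    "interface": re.compile(r"Interface (?P<v>[A-Za-z]+\d+(?:/\d+)*)"),
    "session_id": re.compile(r"AuditSessionID (?P<v>[0-9A-Fa-f]+)"),
    "username": re.compile(r"Username: (?P<v>\S+)"),
    "authc_reason": re.compile(r"Authc failure reason: (?P<v>[^.]+)\."),
    "link_state": re.compile(r"changed state to (?P<v>\w+)"),
}
# Assumed abbreviation table so "Gi1/0/40" and "GigabitEthernet1/0/40" land on one key.
SHORT_NAMES = {"Gi": "GigabitEthernet", "Te": "TenGigabitEthernet", "Fa": "FastEthernet"}


def normalize_interface(name: str) -> str:
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    if not m:
        return name
    return SHORT_NAMES.get(m.group(1), m.group(1)) + m.group(2)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the envelope plus whatever known fields the message contains, or None."""
    m = ENVELOPE.match(line.strip())
    if not m:
        return None
    event = {k: m.group(k) for k in ("ts", "facility", "severity", "mnemonic", "msg")}
    for key, rx in FIELDS.items():
        f = rx.search(event["msg"])
        if f:
            event[key] = f.group("v")
    if "interface" in event:
        event["interface"] = normalize_interface(event["interface"])
    return event


def correlate(log: str) -> Dict[str, Dict[str, object]]:
    """Merge all lines that share an AuditSessionID into one record per 802.1X session."""
    sessions: Dict[str, Dict[str, object]] = {}
    for line in log.splitlines():
        ev = parse_line(line)
        if not ev or "session_id" not in ev:
            continue
        rec = sessions.setdefault(ev["session_id"], {"mnemonics": []})
        rec["mnemonics"].append(f"{ev['facility']}-{ev['severity']}-{ev['mnemonic']}")
        for key in ("mac", "interface", "username", "reason", "authc_reason"):
            if key in ev:
                rec[key] = ev[key]
    for rec in sessions.values():
        user = str(rec.get("username", ""))
        # "host/<fqdn>" is how a Windows machine account presents itself; a user logon is
        # DOMAIN\user or a UPN. This tells you the computer account is what NPS evaluated.
        rec["is_machine_auth"] = user.startswith("host/")
        # Assumption: "Cred Fail" is the switch recording an Access-Reject from the RADIUS
        # server, so the server's policy/certificate setup is where to look, not the port.
        reasons = (str(rec.get("reason", "")), str(rec.get("authc_reason", "")))
        rec["rejected_by_server"] = "Cred Fail" in reasons
    return sessions


def link_transitions(log: str) -> Dict[str, List[str]]:
    """Per-interface list of %LINK state changes, to spot the flap around a failed auth."""
    out: Dict[str, List[str]] = {}
    for line in log.splitlines():
        ev = parse_line(line)
        if ev and ev["facility"] == "LINK" and "link_state" in ev and "interface" in ev:
            out.setdefault(ev["interface"], []).append(ev["link_state"])
    return out


if __name__ == "__main__":
    for sid, rec in correlate(SAMPLE_LOG).items():
        print(sid, rec)
    print(link_transitions(SAMPLE_LOG))
```

On a longer capture the same two functions give one record per session, with the host/ prefix separating machine authentications from user logons and the link flaps lined up against the failures on the same port.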

Accepted Solution

balaji.bandi
Hall of Fame
"sessmgrd: Authorization failed or unapplied for client"

How is your switch port configured on the switch, and what version of IOS XE is the Cat 9200 running?

Check this thread; it may help you:

https://community.cisco.com/t5/switching/802-1x-configure-wired-802-1x-with-nps/td-p/3720361

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

5 Replies

IPhoneRZ
Level 1

Sorry,

I forgot to include the Cisco config:

aaa new-model
!
! RADIUS server definition (shared secret redacted in the post)
radius server NPS
 address ipv4 10.184.35.11 auth-port 1812 acct-port 1813
 key .........
!
aaa group server radius RADIUS_TEST
 server name NPS
!
no aaa authentication login default local
aaa authentication dot1x default group RADIUS_TEST
aaa authorization network default group RADIUS_TEST if-authenticated
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
int gig1/0/40
 switchport mode access
 dot1x port-control auto
 dot1x pae authenticator
 dot1x guest-vlan 99

Hello,

The port configuration is:

int gig1/0/40
 switchport mode access
 dot1x port-control auto
 dot1x pae authenticator
 dot1x guest-vlan 99

SW version is 17.03.04

Thanks

I take this as wired client testing, right (not wireless)?

I hope you are trying 802.1X with certificate authentication, not MAB, right?

Suggested config:

spanning-tree portfast
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
switchport access vlan XX
switchport mode access
switchport voice vlan XX
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server

BB

Hello,

@balaji.bandi, thanks for the link in the first post :) I didn't have a cert enrolled on the NPS server (it's a separate server from AD).

I created a few more AD groups and VLANs. I added my PC to different groups and I received the correct VLAN dynamically - it's working.

One thing is left, I think: when I removed my PC from every AD group created for VLAN assignment, I received the authentication/authorization failure as in the first post - but I would like the guest VLAN to be assigned when the PC is not in a dedicated group. Possible?

BTW

I tried to understand your switch port config. Could you please describe why these commands are there if the VLAN is assigned dynamically?

switchport access vlan XX
...
switchport voice vlan XX

And briefly describe the purpose of these commands:

access-session closed
authentication periodic
authentication timer reauthenticate server

Thanks
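
The whole thread turns on the switch applying a VLAN that the RADIUS server returns in its Access-Accept, so it is worth seeing what that return looks like on the wire. The code below is an added example, not the poster's configuration and not code from NPS or IOS XE: it encodes the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes as RFC 3580 describes them (tagged attribute format from RFC 2868), then decodes them the way a receiver would, accepting the VLAN only when the trio is complete and consistent. The default tag of 1 is an assumption about what a server is configured to send; the attribute numbers and values are the RFC's.

```python
"""Build and check the RADIUS attribute trio that carries a dynamic VLAN assignment.

Added example (not code from this thread, from NPS, or from IOS XE). Attribute numbers
and values are from RFC 3580 section 3.31 and RFC 2868; the default tag of 1 is an
assumption about server configuration.
"""
import struct

TUNNEL_TYPE = 64                # RFC 2868
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868
TUNNEL_TYPE_VLAN = 13           # RFC 3580: "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6      # RFC 2868: "802"


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    # Type, Length (always 6), Tag, 3-byte big-endian value.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    # Type, Length, Tag, string.
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_assignment_avps(vlan: int, tag: int = 1) -> bytes:
    """Attributes an Access-Accept must carry for the switch to put the port in `vlan`."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31 or the receiver reads it as string data")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def parse_avps(data: bytes):
    """Split a RADIUS attribute list into (type, value) pairs, refusing malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def vlan_from_avps(data: bytes):
    """The VLAN a receiver would apply, or None if the trio is missing or inconsistent.

    Groups the three attributes by tag (RFC 2868: a first byte above 0x1F in
    Tunnel-Private-Group-ID is string data, not a tag) and accepts a group only when
    Tunnel-Type is VLAN and Tunnel-Medium-Type is 802. Only numeric IDs are accepted
    here; switches also accept a VLAN name in Tunnel-Private-Group-ID.
    """
    by_tag: dict = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be tag + 3 bytes")
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            by_tag.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    avps = vlan_assignment_avps(99)
    print(avps.hex(), "->", vlan_from_avps(avps))
```

When the Access-Accept carries no valid trio the decoder returns None; that is the case in which a switch leaves the port in its statically configured access VLAN rather than moving it.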