04-17-2007 03:13 AM - edited 03-10-2019 03:06 PM
Hi,
I have made a shared RAC where I defined the following RADIUS attributes:
Tunnel-type: VLAN
Tunnel-medium-type: 802
Tunnel-Private-Group-ID: QuarantineVLAN
So with this RAC I want to change the VLAN of a user that is Quarantined.
So in the NAP (Network Access Profiles) in the Authorization section, I added a rule that links the Quarantine Posture State with this RAC.
But even though the Quarantine state is returned by the Trust Agent (so the posture state is definitely Quarantine), the host stays in its original VLAN instead of the Quarantine VLAN.
Anyone who knows a solution?
thanks.
04-17-2007 07:34 AM
Hi,
Try using the vlan number instead of vlan name.
Regards,
Vivek
04-18-2007 06:49 AM
Hi Vsauntuka,
First of all, thank you for the quick response!
I've tried this but unfortunately, it doesn't seem to work...
On the switch, this is my configuration for the fastethernet port where the client is on:
interface fa0/17
switchport mode access
dot1x port-control auto
spanning-tree portfast
If I debug on the switch (using "debug radius") I can see (for example) that the radius attribute with number 81 (tunnel-private-group-ID) is sent, but because of the encryption I guess I cannot understand the values that are sent with it ...
Any other suggestions?
thanks!
04-19-2007 01:27 AM
I found out that the attributes aren't working at all. They also don't work in the group settings. (I thought it worked before but that was because I already assigned the vlan to the switchports via the command "switchport access vlan 8").
I've checked those attributes to be registered in the RADIUS accounting-log, but they never have values in the log, only three dots instead.
Sometimes, with the command "debug radius", I can see these attributes (64: tunnel-type, 65: tunnel-medium-type and 81: tunnel-private-group-ID).
I've tried to make a new user who has the same per-user attributes and then debug on the switch with "debug aaa per-user" but this debugging doesn't return anything.
So it looks like the switch receives those attributes from the ACS server but they don't change the VLAN.
An example of the debug output:
attribute 64 6 0000000B
attribute 65 6 00000006
attribute 81 3 38191B43
thanks
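To make sense of the raw hex that the older "debug radius" format prints, here is an added decoder (example code, not from this post or from Cisco) for RADIUS attributes 64, 65 and 81 following RFC 2868. It assumes the format shown above (attribute type, total length, then the first four value bytes in hex) and checks whether the three attributes form the triple IOS requires for dynamic VLAN assignment.

```python
import re

# The three 'debug radius' lines quoted in the post above (constructed sample input).
DEBUG_LINES = """\
attribute 64 6 0000000B
attribute 65 6 00000006
attribute 81 3 38191B43
"""
# RFC 2868 Tunnel-Type values (13 = VLAN, added by RFC 3580).
TUNNEL_TYPES = {1: "PPTP", 2: "L2F", 3: "L2TP", 4: "ATMP", 5: "VTP", 6: "AH", 7: "IP-IP",
                8: "MIN-IP-IP", 9: "ESP", 10: "GRE", 11: "DVS", 12: "IP-in-IP", 13: "VLAN"}
# RFC 2868 Tunnel-Medium-Type values (6 = all IEEE 802 media, which IOS expects for VLANs).
TUNNEL_MEDIA = {1: "IPv4", 2: "IPv6", 3: "NSAP", 4: "HDLC", 5: "BBN-1822", 6: "802"}
LINE_RE = re.compile(r"attribute\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)", re.IGNORECASE)

def decode_line(line):
    """Decode one 'attribute <type> <length> <hex>' debug line; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    attr, length, hexval = int(m.group(1)), int(m.group(2)), m.group(3)
    # The RADIUS length counts the type and length octets too, so only length-2 octets of
    # the printed 4-byte window are value bytes; e.g. for 81 only '38' of 38191B43 counts.
    raw = bytes.fromhex(hexval)[: length - 2]
    if attr in (64, 65):
        # Tagged integer: one tag octet, then a 3-octet big-endian value.
        if len(raw) != 4:
            return {"attr": attr, "error": "bad length %d" % length}
        table = TUNNEL_TYPES if attr == 64 else TUNNEL_MEDIA
        value = int.from_bytes(raw[1:], "big")
        return {"attr": attr, "tag": raw[0], "value": value, "name": table.get(value, "unknown")}
    if attr == 81:
        # Tagged string: a leading octet of 0x00-0x1F is a tag; anything else is text.
        if raw and raw[0] <= 0x1F:
            raw = raw[1:]
        return {"attr": attr, "value": raw.decode("ascii", "replace")}
    return {"attr": attr, "raw": raw.hex()}

def decode(text):
    return [d for d in map(decode_line, text.splitlines()) if d]

def vlan_assignment_problems(text):
    """Reasons, if any, why IOS would not treat these attributes as a VLAN assignment."""
    got = {d["attr"]: d for d in decode(text)}
    checks = [(64, 13, "Tunnel-Type is not VLAN (13)"), (65, 6, "Tunnel-Medium-Type is not 802 (6)")]
    problems = [msg for attr, want, msg in checks if got.get(attr, {}).get("value") != want]
    if not got.get(81, {}).get("value"):
        problems.append("Tunnel-Private-Group-ID missing or empty")
    return problems
```

Run on the three lines from the post, it decodes Tunnel-Type as 11 (DVS in RFC 2868) rather than 13 (VLAN), Tunnel-Medium-Type as 6 (802) and the group ID as "8", so the Tunnel-Type value configured in the RAC is the first thing this check would point at.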
04-19-2007 05:09 AM
Ok, I found the "solution" myself.
Actually it was a typing mistake in the switch configuration:
I typed:
aaa authorization network defualt group radius
instead of:
aaa authorization network default group radius
Now this problem is solved, so I get into the correct VLAN. But in the Quarantine VLAN, the Cisco Trust Agent icon remains yellow and shows that it is still connecting. Also, every few minutes it asks for my user credentials.
But the device is in the correct VLAN and got the correct IP address assigned from the DHCP server in the quarantine VLAN, so that part works.
04-20-2007 03:18 AM
OK, I've solved the problem: you need to set the ePo server as the "default-gateway" for your Quarantine-VLAN. Otherwise, the client cannot connect for some reason with it.
So this topic can be marked as solved.