RADIUS Authorization Components (RAC) doesn't work on ACS

admin_2
Level 3

Hi,

I have made a shared RAC where I defined the following RADIUS attributes:

Tunnel-type: VLAN

Tunnel-medium-type: 802

Tunnel-Private-Group-ID: QuarantineVLAN

So with this RAC I want to change the VLAN of a user that is quarantined.

So in the NAP (Network Access Profiles) in the Authorization section, I added a rule that links the Quarantine Posture State with this RAC.

But even though the Quarantine state is returned by the Trust Agent (so the posture state is definitely Quarantine), the host stays in its original VLAN instead of the Quarantine VLAN.

Anyone who knows a solution?

thanks.

5 Replies

Vivek Santuka
Cisco Employee

Hi,

Try using the VLAN number instead of the VLAN name.

Regards,

Vivek

Hi Vsauntuka,

first of all thank you for the quick response!

I've tried this but unfortunately, it doesn't seem to work...

On the switch, this is my configuration for the FastEthernet port the client is connected to:

interface fa0/17
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast

If I debug on the switch (using "debug radius") I can see (for example) that the RADIUS attribute with number 81 (Tunnel-Private-Group-ID) is sent, but because of the encryption I guess I cannot understand the values that are sent with it...

Any other suggestions?

thanks!

I found out that the attributes aren't working at all. They also don't work in the group settings. (I thought it worked before, but that was because I had already assigned the VLAN to the switchports via the command "switchport access vlan 8".)

I've checked that those attributes are registered in the RADIUS accounting log, but they never have values in the log, only three dots instead.

Sometimes, with the command "debug radius", I can see these attributes (64: Tunnel-Type, 65: Tunnel-Medium-Type and 81: Tunnel-Private-Group-ID).

I've tried to make a new user who has the same per-user attributes and then debug on the switch with "debug aaa per-user" but this debugging doesn't return anything.

So it looks like the switch receives those attributes from the ACS server but they don't change the VLAN.

An example of the debug output:

attribute 64 6 0000000B
attribute 65 6 00000006
attribute 81 3 38191B43

thanks
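As an added example (not from the thread or from Cisco), a small Python decoder for the three debug lines above. It assumes the IOS "attribute <type> <length> <hex>" layout, trusts the RADIUS length field (which includes the 2-byte type/length header) to decide how much of the dumped word is payload, and flags any value that differs from what RFC 3580 expects for a VLAN assignment (Tunnel-Type 13, Tunnel-Medium-Type 6, a non-empty group ID, consistent tags).

```python
import re

# Value tables from RFC 2868 (Tunnel-Type, Tunnel-Medium-Type) plus RFC 3580 (Tunnel-Type 13 = VLAN).
TUNNEL_TYPE = {1: "PPTP", 2: "L2F", 3: "L2TP", 4: "ATMP", 5: "VTP", 6: "AH", 7: "IP-IP",
               8: "MIN-IP-IP", 9: "ESP", 10: "GRE", 11: "DVS", 12: "IP-in-IP", 13: "VLAN"}
TUNNEL_MEDIUM = {1: "IPv4", 2: "IPv6", 3: "NSAP", 4: "HDLC", 5: "BBN-1822", 6: "IEEE-802"}
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
LINE_RE = re.compile(r"attribute\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)")

def decode_line(line):
    """Decode one 'attribute <type> <length> <hex>' line of IOS 'debug radius' output.
    The RADIUS length octet counts the 2-byte header, so only length-2 bytes of the dumped
    word are payload (the dump shows a 4-byte word even for a 1-byte value: assumption)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    attr, length, word = int(m[1]), int(m[2]), bytes.fromhex(m[3])
    payload = word[:length - 2]
    out = {"attr": attr, "name": NAMES.get(attr, "attr-%d" % attr), "tag": None}
    if attr in (64, 65):
        # Tagged integer (RFC 2868): one tag octet, then a 3-octet value; tag 0 means untagged.
        out["tag"] = payload[0]
        out["value"] = int.from_bytes(payload[1:], "big")
        out["meaning"] = (TUNNEL_TYPE if attr == 64 else TUNNEL_MEDIUM).get(out["value"], "unknown")
    else:
        # Tagged string (RFC 2868): a leading octet in 0x01..0x1F is a tag, otherwise it is all data.
        if payload and 0x01 <= payload[0] <= 0x1F:
            out["tag"], payload = payload[0], payload[1:]
        out["value"] = payload.decode("ascii", errors="replace")
        out["meaning"] = "VLAN name or number"
    return out

def check_vlan_assignment(lines):
    """Decode the lines and list what would stop an RFC 3580 VLAN assignment from being honoured."""
    decoded = [d for d in map(decode_line, lines) if d]
    by_attr = {d["attr"]: d for d in decoded}
    problems = []
    if by_attr.get(64, {}).get("value") != 13:
        problems.append("Tunnel-Type must be 13 (VLAN), got %r" % by_attr.get(64, {}).get("value"))
    if by_attr.get(65, {}).get("value") != 6:
        problems.append("Tunnel-Medium-Type must be 6 (IEEE-802), got %r" % by_attr.get(65, {}).get("value"))
    if not by_attr.get(81, {}).get("value"):
        problems.append("Tunnel-Private-Group-ID is missing or empty")
    tags = {d["tag"] for d in decoded if d["tag"]}  # non-zero tags must agree across the three
    if len(tags) > 1:
        problems.append("tags differ across the attributes: %s" % sorted(tags))
    return decoded, problems

# Constructed sample: the three debug lines quoted in the post above.
SAMPLE = ["attribute 64 6 0000000B", "attribute 65 6 00000006", "attribute 81 3 38191B43"]
```

Calling check_vlan_assignment(SAMPLE) decodes attribute 81 as the one-byte string "8" and reports that attribute 64 carries value 11 rather than the 13 a VLAN assignment needs, which is the kind of mismatch worth checking before looking elsewhere in the switch configuration.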

Not applicable

Ok, I found the "solution" myself.

Actually it was a typing mistake in the switch configuration:

I typed:

aaa authorization network defualt group radius

instead of:

aaa authorization network default group radius

Now this problem is solved, so I get into the correct VLAN. But in the Quarantine VLAN, the Cisco Trust Agent icon remains yellow and shows that it is still connecting. Also, every few minutes it asks for my user credentials.

But the device is in the correct VLAN and got the correct IP address assigned from the DHCP server in the quarantine VLAN, so that part works.

Not applicable

OK, I've solved the problem: you need to set the ePO server as the default gateway for your Quarantine VLAN. Otherwise, the client cannot connect to it for some reason.

So this topic can be marked as solved.