3987 Views, 0 Helpful, 5 Replies

Send vlan via Radius with 802.1x Authentication

m.magnani
Level 1

Hi all.

I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.

I can log in correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.

Reading docs, I have found these attributes:

cisco-avpair="tunnel-type(#64)=VLAN(13)"

cisco-avpair="tunnel-medium-type(#65)=802 media(6)"

cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)

but when I insert these into radius DB (I have also tried with text file config...) I can see from Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)") is passed in the access-accept packet.

Here are some outputs:

Sending Access-Challenge of id 80 to 128.0.0.21:1812

Cisco-AVPair = "tunnel-type=VLAN"

EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08

Message-Authenticator = 0x00000000000000000000000000000000

State = 0xf88b9673c199cb13def96563250cf8a7

I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:

02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129

02:49:39: Attribute 26 75 0000000901457475

02:49:39: Attribute 79 6 03010004

02:49:39: Attribute 80 18 1ABB3507

02:49:39: Attribute 1 10 74657374

02:49:39: RADIUS: EAP-login: length of eap packet = 4

02:49:39: RADIUS: EAP-login: radius didn't send any vlan

so I can see that radius is not sending anything about vlan...

Has anyone already tried this set up?

Thank you in advance.

Massimo Magnani.

5 Replies

jafrazie
Cisco Employee

Did you remember the following command?

aaa authorization network default group radius

If this is a 2950 SI platform, support for this did not come until 12.1(22)EA3.

Hope this helps,

Hi.

I have this command in place and I have upgraded my 2950 to IOS 12.1(22)EA5, the latest version available for this platform.

Unfortunately I have the same behaviour as before.

Do you know if I am using the right "Cisco-AV-Pair", and where I can find a list of Cisco-AV-Pair?

I have been surfing Cisco website to find the above information, but I couldn't manage to find anything else.

Thank you in advance for your kind help.

Massimo Magnani

Hi All.

I have solved the problem.

In fact, the right attributes are not cisco-avpair, but IETF attributes contained in dictionary.tunnel in freeradius.

The correct ones are:

Tunnel-Type=VLAN

Tunnel-Medium=IEEE-802

Tunnel-Private-Group-ID=2 (2= VLAN ID)

Now everything is working well.

Massimo Magnani

OK, so I may have glossed over that before. From your debug post, you had:

Cisco-AVPair = "tunnel-type=VLAN"

Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1]).

You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):

[64] Tunnel-Type – “VLAN” (13)

[65] Tunnel-Medium-Type – “802” (6)

[81] Tunnel-Private-Group-ID - "" OR ""

They are defined in RFC 2868.

Hope this helps,
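The three standard attributes named in the two posts above, as an added example that is not part of the thread and not FreeRADIUS or Cisco code: a small Python script that builds the attribute list an Access-Accept needs to carry for VLAN assignment, decodes such a list back to the VLAN it assigns, and scans Catalyst "debug radius" lines for attribute numbers 64, 65 and 81. The wire format follows RFC 2868 (one tag octet in front of the value, 0 when tagging is unused; Tunnel-Type VLAN = 13 as defined in RFC 3580, Tunnel-Medium-Type 802 = 6). The tag value, the helper that encodes a Cisco-AVPair VSA, and the reply bytes it produces are assumptions made for the example; the debug lines are copied from the original post.

```python
"""RFC 2868 tunnel attributes for RADIUS VLAN assignment.

Added example for this thread (not FreeRADIUS or Cisco code): encode the
reply a switch expects, decode a reply to find the VLAN it assigns, and
scan Catalyst 'debug radius' output for the three attribute numbers.
Tag value 0 and the constructed sample replies are assumptions.
"""
import re
import struct

# IANA RADIUS attribute numbers (RFC 2865 / RFC 2868)
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # RFC 3580
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 2868 value "802"
CISCO_VENDOR_ID = 9          # IANA enterprise number used in Cisco VSAs

VLAN_TRIPLET = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def encode_tagged_integer(attr, value, tag=0):
    """Type, Length=6, Tag, 3-byte value (RFC 2868 section 3.1)."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr, text, tag=0):
    """Type, Length, Tag, String (RFC 2868 section 3.6)."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def encode_cisco_avpair(text):
    """Vendor-Specific (26): vendor id 9, vendor type 1 (Cisco-AVPair). Assumed helper."""
    data = text.encode("ascii")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, 8 + len(data),
                         CISCO_VENDOR_ID, 1, 2 + len(data))
    return header + data


def vlan_assignment_attrs(vlan_id, tag=0):
    """The three standard attributes the thread settles on, for one VLAN."""
    return (encode_tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_attrs(blob):
    """Split a RADIUS attribute list into {type: [value bytes, ...]}."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(blob[i + 2:i + alen])
        i += alen
    return attrs


def _split_tag(raw):
    # RFC 2868: a first octet of 0x00-0x1F is the tag; anything larger is value
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def assigned_vlan(attrs):
    """VLAN string if Tunnel-Type, -Medium-Type and -Private-Group-ID agree
    under the same tag on an 802 VLAN, otherwise None (a VSA alone never counts)."""
    types = {t: int.from_bytes(v, "big")
             for t, v in map(_split_tag, attrs.get(TUNNEL_TYPE, []))}
    media = {t: int.from_bytes(v, "big")
             for t, v in map(_split_tag, attrs.get(TUNNEL_MEDIUM_TYPE, []))}
    groups = {t: v.decode("ascii", "replace")
              for t, v in map(_split_tag, attrs.get(TUNNEL_PRIVATE_GROUP_ID, []))}
    for tag, vlan in groups.items():
        if types.get(tag) == TUNNEL_TYPE_VLAN and media.get(tag) == TUNNEL_MEDIUM_IEEE802:
            return vlan
    return None


DEBUG_ATTR = re.compile(r"\bAttribute (\d+) (\d+) [0-9A-Fa-f]+")


def attrs_in_switch_debug(lines):
    """Attribute numbers from Catalyst 'debug radius' lines ('Attribute <type> <len> <hex>')."""
    found = []
    for line in lines:
        m = DEBUG_ATTR.search(line)
        if m:
            found.append(int(m.group(1)))
    return found


def missing_vlan_attrs(lines):
    """Which of 64/65/81 the Access-Accept shown in the debug did not carry."""
    return sorted(VLAN_TRIPLET - set(attrs_in_switch_debug(lines)))


# Copied from the original post: the Access-Accept carried only a VSA (26)
SWITCH_DEBUG = [
    "02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129",
    "02:49:39: Attribute 26 75 0000000901457475",
    "02:49:39: Attribute 79 6 03010004",
    "02:49:39: Attribute 80 18 1ABB3507",
    "02:49:39: Attribute 1 10 74657374",
]

if __name__ == "__main__":
    print("attributes in switch debug:", attrs_in_switch_debug(SWITCH_DEBUG))
    print("missing for VLAN assignment:", missing_vlan_attrs(SWITCH_DEBUG))
    # The VSA the poster tried first assigns nothing; the RFC 2868 triplet assigns VLAN 2
    print(assigned_vlan(parse_attrs(encode_cisco_avpair("tunnel-type=VLAN"))))
    print(assigned_vlan(parse_attrs(vlan_assignment_attrs(2))))
```

Run against the debug lines from the post, the scanner reports attributes 26, 79, 80 and 1 only, so 64, 65 and 81 are all missing, which is exactly why the switch logged "radius didn't send any vlan". Two things the decoder makes visible that the thread does not spell out: a Cisco-AVPair that merely says "tunnel-type=VLAN" is a different attribute (26) and is ignored for VLAN assignment, and when tags are used the three attributes must carry the same tag or the switch cannot pair them.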

stephen
Level 1

Hi Massimo,

I am not an expert in this area either. In fact I am trying to accomplish the same exact thing that you are doing except that I don't have the freeradius expertise that you seem to have. Any insight on freeradius you can provide such as configs and files would be greatly appreciated.

What version of code do you have on the 2950, I would try to upgrade that to a more recent release.

Also, where did you find out about the variables that should be passed to the Cisco device?