Vendor specific in RADIUS NAP Enforcement

Hi All,

I am testing a lab environment to deploy NAP using Windows Server 2008 with the NAP role enabled and RADIUS referring to a 3560 access switch.

I can get authorized on my port:

interface FastEthernet0/11
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 spanning-tree portfast
end

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa nas port extended
no radius-server attribute nas-port
radius-server host 10.40.10.10 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 094F471A1A0A3743595F
radius-server vsa send accounting
radius-server vsa send authentication
!

and this is the network policy I have configured on the NPS server:

and for vendor specific:

I am asking what exactly is the value required to be written in this box?

I typed many values (9, 1, Cisco and finally Cisco-NAS-Port).

I am getting these debug messages:

ot1x_vlan_assign_authz_fail on interface FastEthernet
dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC
dot1x-ev:dot1x_vlan_assign_authz_fail on interface FastEthernet
dot1x-ev:No reply attributes received from AAA for 001c.2318.7971
Dec  3 22:29:50: dot1x-ev:Sending create new context event to EAP for 001c.2318.7971
.Dec  3 22:29:50: dot1x-ev:FastEthernet0/11:Sending EAPOL packet to group PAE address
.Dec  3 22:29:50: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/11.
.Dec  3 22:29:50: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC 001c.2318.7971 on interface FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_vlan_assign_client_deleted for 001c.2318.7971 on interface FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_vlan_assign_client_deleted: Ignoring client 001c.2318.7971 on FastEthernet0/11, domain is data
.Dec  3 22:29:50: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
.Dec  3 22:29:50: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
.Dec  3 22:29:50: dot1x-ev:Created a default authenticator instance on FastEthernet0/11

Actually I have been working on this task for 6 days and cannot get authenticated; can anyone guide me through this task?

#show radius st

                                  Auth.      Acct.       Both
Maximum inQ length:                  NA         NA          1
Maximum waitQ length:                NA         NA          2
Maximum doneQ length:                NA         NA          1
Total responses seen:               572          0        572
Packets with responses:             572          0        572
Packets without responses:            2          0          2
Average response delay(ms):          15          0         15
Maximum response delay(ms):        1082          0       1082
Number of Radius timeouts:            8          0          8
Duplicate ID detects:                 0          0          0
Buffer Allocation Failures:           0          0          0
Maximum Buffer Size (bytes):        680          0        680
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/152
1646/0

aadi1-SW-4-24#show dot1x int fa0/11 d

Dot1x Info for FastEthernet0/11
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 001c.2318.7971
    Auth SM State         = HELD
    Auth BEND SM State    = IDLE
Port Status               = UNAUTHORIZED
ReAuthPeriod              = 3600
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 0
Authentication Method     = Dot1x

BR,

Mahmoud Abd El-Wahed
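The debug and `show radius statistics` output above already separates two failure classes: the switch is getting answers from 10.40.10.10 (572 responses, 8 timeouts), yet the reply carries nothing the switch can act on ("No reply attributes received from AAA" followed by "dot1x_vlan_assign_authz_fail"). The script below is an added triage example, not code from the post or from Cisco: it runs over lines copied from the post, classifies the dot1x event signatures, reads the Auth column of the counters, and reports whether the problem looks like transport or like the authorization policy. The signature strings, the column layout and the verdict thresholds are my assumptions about this IOS output, not a documented format.

```python
"""Triage Cisco 'debug dot1x events' output plus 'show radius statistics' to
separate a RADIUS transport problem from an authorization-policy problem.
Added example; the sample lines are copied from the forum post."""
import re
from collections import Counter

# Debug lines copied from the post (one event per line).
DEBUG_LOG = """\
dot1x-ev:dot1x_vlan_assign_authz_fail on interface FastEthernet
dot1x-ev:No reply attributes received from AAA for 001c.2318.7971
.Dec  3 22:29:50: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet0/11
.Dec  3 22:29:50: dot1x-ev:dot1x_switch_addr_remove: Did not locate HA entry for MAC 001c.2318.7971 on interface FastEthernet0/11
"""

# Counter lines copied from the post's 'show radius statistics' output.
RADIUS_STATS = """\
Total responses seen:                 572          0        572
Packets without responses:           2          0          2
Number of Radius timeouts:            8          0          8
"""

MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
IFACE_RE = re.compile(r"(?:FastEthernet|GigabitEthernet|Fa|Gi)\d+/\d+")

# Assumed signature strings (taken from the post's own debug lines).
SIGNATURES = [
    ("AAA_NO_REPLY_ATTRS", "No reply attributes received from AAA"),
    ("VLAN_AUTHZ_FAIL", "dot1x_vlan_assign_authz_fail"),
    ("PORT_UNAUTHORIZED", "Unauthorizing interface"),
]


def classify(line):
    """Map one debug line to an event name, or None if it is not a failure signature."""
    for name, needle in SIGNATURES:
        if needle in line:
            return name
    return None


def parse_debug(text):
    """Count failure signatures and collect the MACs and interfaces they mention."""
    events, macs, ifaces = Counter(), set(), set()
    for line in text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        events[kind] += 1
        m = MAC_RE.search(line)
        if m:
            macs.add(m.group(1))
        i = IFACE_RE.search(line)
        if i:
            ifaces.add(i.group(0))
    return events, macs, ifaces


def parse_radius_stats(text):
    """Return {counter label: Auth column value} for the numeric counter rows."""
    stats = {}
    for line in text.splitlines():
        label, sep, rest = line.partition(":")
        cols = rest.split()
        if sep and len(cols) >= 3 and all(c.isdigit() for c in cols[:3]):
            stats[label.strip()] = int(cols[0])  # first column is Auth
    return stats


def diagnose(events, stats):
    """Turn the counters and event mix into a one-line verdict."""
    responses = stats.get("Total responses seen", 0)
    timeouts = stats.get("Number of Radius timeouts", 0)
    if responses == 0:
        return "TRANSPORT: no RADIUS responses at all; check reachability, UDP ports and shared key"
    if events["AAA_NO_REPLY_ATTRS"] and events["VLAN_AUTHZ_FAIL"]:
        return ("POLICY: server answers (%d responses, %d timeouts) but the reply carries no "
                "authorization attributes; check the network policy's RADIUS attributes"
                % (responses, timeouts))
    if events["PORT_UNAUTHORIZED"]:
        return "AUTH: server answers but the port stays unauthorized; check the authentication decision"
    return "OK: no failure signatures found"


if __name__ == "__main__":
    ev, macs, ifaces = parse_debug(DEBUG_LOG)
    print(dict(ev), sorted(macs), sorted(ifaces))
    print(diagnose(ev, parse_radius_stats(RADIUS_STATS)))
```

Run it against a longer capture by replacing the two constructed strings with the real command output; the verdict only says "POLICY" when the counters prove the server is answering, which is exactly the case in this thread.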


Sorry for not uploading the images:

Hi Mahmoud,

These are the VLAN assignment attributes that you have to use.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_13_ea1/configuration/guide/Sw8021x.html#wp1049882

They are not vendor specific; they can be found as part of the default IETF dictionary.

Regards

Ed

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
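The linked Cisco guide names the three standard attributes the switch expects in the Access-Accept: [64] Tunnel-Type = VLAN (13), [65] Tunnel-Medium-Type = 802 (6) and [81] Tunnel-Private-Group-ID = VLAN ID or name, all from the IETF dictionary rather than the Vendor-Specific (26) box the question was filling in. The code below is an added example, not from the post or from Cisco or Microsoft: it frames those attributes the way they travel on the wire (RFC 2865 type/length/value, RFC 2868 tagged values), parses a reply attribute list, and reports whether a switch could assign a VLAN from it, distinguishing the empty reply in this thread from a reply that carries the values only as a Cisco VSA. The VLAN numbers and names are constructed, and `cisco_avpair` (vendor 9, sub-type 1) is included only to build the negative case.

```python
"""Encode and check the IETF tunnel attributes a Catalyst switch needs for
dynamic VLAN assignment. Added example; sample VLAN values are constructed."""

TUNNEL_TYPE = 64               # RFC 2868, tagged integer
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868, tagged string
VENDOR_SPECIFIC = 26           # RFC 2865
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
REQUIRED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def avp(attr_type, value):
    """Frame one RADIUS attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, 2 + len(value)]) + value


def tagged_int(tag, n):
    """RFC 2868 tagged integer: one tag byte followed by a 24-bit value."""
    return bytes([tag]) + n.to_bytes(3, "big")


def vlan_reply_attributes(vlan, tag=1):
    """The three attributes an Access-Accept must carry for VLAN <vlan> (ID or name)."""
    return (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")))


def cisco_avpair(text):
    """Cisco VSA (vendor 9, sub-type 1 cisco-avpair): the wrong place for VLAN assignment."""
    data = text.encode("ascii")
    return avp(VENDOR_SPECIFIC, (9).to_bytes(4, "big") + bytes([1, 2 + len(data)]) + data)


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def check_vlan_assignment(attrs):
    """Return (ok, reason, vlan): could a switch assign a VLAN from these reply attributes?"""
    if not attrs:
        return False, "no reply attributes (the 'No reply attributes received from AAA' case)", None
    by_type = {}
    for t, v in attrs:
        by_type.setdefault(t, v)  # first occurrence of each type wins
    missing = [t for t in REQUIRED if t not in by_type]
    if len(missing) == len(REQUIRED) and VENDOR_SPECIFIC in by_type:
        return False, "only Vendor-Specific (26) present; VLAN assignment uses IETF attributes 64/65/81", None
    if missing:
        return False, "missing attribute(s) %s" % missing, None
    ttype, medium, group = (by_type[t] for t in REQUIRED)
    if len(ttype) != 4 or len(medium) != 4:
        return False, "Tunnel-Type and Tunnel-Medium-Type must be 4-byte tagged integers", None
    if ttype[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return False, "Tunnel-Type must be VLAN (13), got %d" % int.from_bytes(ttype[1:], "big"), None
    if medium[1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"):
        return False, "Tunnel-Medium-Type must be 802 (6), got %d" % int.from_bytes(medium[1:], "big"), None
    # RFC 2868: a leading byte of 0x00..0x1F in the string is a tag, not part of the VLAN value.
    vlan = group[1:] if group[0] <= 0x1F else group
    if not vlan:
        return False, "empty Tunnel-Private-Group-ID", None
    return True, "ok", vlan.decode("ascii", "replace")


if __name__ == "__main__":
    for label, blob in [("empty reply", b""),
                        ("VSA only", cisco_avpair("tunnel-private-group-id=20")),
                        ("IETF 64/65/81", vlan_reply_attributes(20))]:
        print(label, "->", check_vlan_assignment(parse_attributes(blob)))
```

Point the checker at the attribute section of a captured Access-Accept (everything after the 20-byte header) to confirm what the NPS policy is actually sending before touching the switch again.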