dot1x VLAN assignment

pax_2111
Level 1

I'm using a C2950 with the image c2950-i6q4l2-mz.121-22.EA1.bin for 802.1x authentication against Cisco ACS.

Authentication is successful, but I'm not able to assign a VLAN to the port. From the RADIUS debugs, I can see that the switch is receiving attributes 64, 65 and 81:

02:57:07: RADIUS: Received from id 55 192.168.1.100:1812, Access-Accept, len 118
02:57:07: Attribute 6 6 00000001
02:57:07: Attribute 11 5 31303140
02:57:07: Attribute 64 6 0100000D
02:57:07: Attribute 65 6 01000006
02:57:07: Attribute 81 11 01564C41

But debug dot1x shows this:

03:02:14: dot1x-ev:dot1x_port_authorized:supplicant 0000.e282.dd30 is first, old vlan 1, new vlan 0
03:02:14: dot1x-ev:dot1x_port_authorized: Host-mode=0 radius/guest vlan=0
03:02:14: dot1x-ev: GuestVlan configured=0

And the port stays in VLAN 1.

The configuration on the switch is as follows:

--------
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
interface FastEthernet0/5
switchport mode access
dot1x port-control auto
spanning-tree portfast
radius-server host 192.x.x.100 auth-port 1812 acct-port xxx key cisco
radius-server retransmit 3
radius-server vsa send authentication
----------

On the ACS I have created a user with attributes 64, 65 and 81. For attribute 81 I have used both the VLAN ID and the VLAN name, but with no luck.

Has someone else been able to configure this successfully? It should be a simple configuration, but it's not working.

3 Replies

ebreniz
Level 6

I didn't face your problem, but I feel the configuration is simple, and the link below will provide more information.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a0080150b73.html

ccanoto
Cisco Employee

Hi,

I have exactly the same configuration on a Cat 2950G-12-EI with the same version and it is working fine. We used a Cisco router as DHCP server for 4 VLANs, so when a user logs in the switch asks for authentication and also assigns a VLAN; the IP address is then assigned by the router. Keep in mind that this won't work if the switch is running the Standard Image; it has to be the Enhanced Image to do VLAN assignment. P.S. One additional command I used was radius-server vsa send accounting, but it should make no difference.

Hope this helps, best regards

Carlos C.

I set this up a while ago, and after a bit of fault finding I came up with these RADIUS attributes that needed setting:

6 Service-Type = Framed
7 Framed-Protocol = PPP
64 Tunnel-Type = Virtual LANs (VLANs)
65 Tunnel-Medium-Type = 802 (includes all 802 media plus canonical format)
81 Tunnel-PvtGroup-ID =

RADIUS Attribute 81 must be set to the VLAN name as opposed to the VLAN number; that was my problem.

Good luck

Andy
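Added example, not code from any of the posts above: a small Python check that decodes the "Attribute <type> <len> <hex>" lines from the question's debug radius output and applies the rules Andy lists (64 = VLAN, 65 = 802, 81 = group ID, all three carrying the same tag), so a defender can confirm from a debug capture whether the Access-Accept itself is well-formed before suspecting the switch. The tag decoding follows RFC 2868; the sample debug lines are copied from the question, and the switch prints only the first four payload bytes, so the group ID is shown truncated.

```python
import re

# RFC 2868 attribute numbers and the values RFC 3580 uses for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "IEEE-802"

# Matches the "Attribute <type> <len> <hex>" lines that "debug radius" prints on the switch
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")

def parse_debug(lines):
    """Map attribute number -> (declared length, payload bytes) from debug radius output.
    The switch prints at most the first four payload bytes, so the payload may be truncated."""
    attrs = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            attrs[int(m.group(1))] = (int(m.group(2)), bytes.fromhex(m.group(3)))
    return attrs

def decode_tunnel(payload):
    """Split a tunnel attribute payload into (tag, value); a first byte above 0x1F is data, not a tag."""
    if payload and payload[0] <= 0x1F:
        return payload[0], payload[1:]
    return None, payload

def check_vlan_assignment(attrs):
    """Return {"ok": bool, "problems": [...], "group_id": str, "group_id_len": int}."""
    problems = [f"attribute {a} missing" for a in (64, 65, 81) if a not in attrs]
    if problems:
        return {"ok": False, "problems": problems, "group_id": "", "group_id_len": 0}
    tag_t, val_t = decode_tunnel(attrs[TUNNEL_TYPE][1])
    tag_m, val_m = decode_tunnel(attrs[TUNNEL_MEDIUM_TYPE][1])
    tag_g, val_g = decode_tunnel(attrs[TUNNEL_PRIVATE_GROUP_ID][1])
    if int.from_bytes(val_t, "big") != TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type is {int.from_bytes(val_t, 'big')}, expected 13 (VLAN)")
    if int.from_bytes(val_m, "big") != TUNNEL_MEDIUM_802:
        problems.append(f"Tunnel-Medium-Type is {int.from_bytes(val_m, 'big')}, expected 6 (802)")
    if len({tag_t, tag_m, tag_g}) != 1:
        problems.append(f"tags differ ({tag_t}, {tag_m}, {tag_g}); all three must carry the same tag")
    # Declared length covers the 2-byte header plus the tag, so len 11 means an 8-character group ID
    group_len = attrs[TUNNEL_PRIVATE_GROUP_ID][0] - 2 - (1 if tag_g is not None else 0)
    return {"ok": not problems, "problems": problems,
            "group_id": val_g.decode("ascii", "replace"), "group_id_len": group_len}

# Debug lines copied from the question above (first four payload bytes only, as the switch prints them)
POST_DEBUG = """02:57:07: Attribute 6 6 00000001
02:57:07: Attribute 11 5 31303140
02:57:07: Attribute 64 6 0100000D
02:57:07: Attribute 65 6 01000006
02:57:07: Attribute 81 11 01564C41""".splitlines()

if __name__ == "__main__":
    print(check_vlan_assignment(parse_debug(POST_DEBUG)))
```

For the question's capture the check passes (tag 1 on all three, type 13, medium 6, an 8-character group ID starting "VLA"), which is consistent with the thread's conclusion that the problem lay in what attribute 81 contained rather than in the attribute set itself.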