Getting Microsofts IAS RADIUS Server to send VLAN info

aarons
Level 1

Hi Guys,

I am using an IAS RADIUS server to perform port-based authentication using 802.1x. I can authenticate fine, but when I try to push VLAN information to the switch I run into problems.

What I need to know is the exact format the Cisco AV-pair attributes need to be in.

Currently they are:

"tunnel-type(#64)=VLAN(13)", cisco-avpair += "tunnel-medium-type(#65)=802 media(6)", "tunnel-private-group-ID(#81)=SALES"

Can anyone confirm that this is correct or have any other experiences in a similar situation they could share with me?

Thanks in advance.

10 Replies

You need Tunnel-Medium-Type(65) set to 802, Tunnel-Type(64) set to VLANs and Tunnel-Pvt-Group-ID(81) set to the name of the VLAN. Which is what you have.....

You also need to enable aaa network authorization on the switch:

aaa authorization network default group Radius-Servers

I had this working recently with a 2950-EI switch and it worked fine.

Andy

Yeah, I have all that and it's not working.. strange. :(

Are you using the RADIUS attributes or Cisco AV-pair attributes?

Cheers for the reply.

I am using the standard RADIUS attributes, I don't have any Cisco AV-Pairs configured. What switches are you using?

Andy

Cat 3560.

I have just set this up on a 2950-EI switch and it works - I have changed the VLAN name in IAS so I know it is definitely assigning the VLAN. Switch config is:

aaa authentication dot1x default group Radius-Servers
aaa authorization network default group Radius-Servers
!
interface FastEthernet0/22
 switchport mode access
 dot1x port-control auto
 dot1x guest-vlan 4094
 spanning-tree portfast
!

I have added a new policy on IAS so only RADIUS packets from the switch and port are matched (NAS-IP-Address matches "x.x.x.x" AND NAS-Port-Type matches "Ethernet"). Only EAP is enabled (I am using PEAP and the MS supplicant). RADIUS attributes 64 (Virtual-LANs (VLANs)), 65 (802 (includes all 802 media plus Ethernet canonical format)) and 81 (VLAN name) are configured.

Andy

I have just tried this on a 3550 and this again works fine with the same configuration. IOS on 2950 is 12.1(22)EA3, IOS on 3550 is 12.2(25)SEA.

Andy
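The three standard attributes Andy lists (Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = 802, Tunnel-Private-Group-ID 81 = VLAN name) are carried in the Access-Accept as RFC 2868 tagged attributes. The following added example (not from the thread, and not IAS or IOS code) encodes that trio the way it appears on the wire and checks whether a given attribute blob actually carries what the switch expects; the tag value 0 and the constructed sample blobs are assumptions.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13     # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6     # RFC 2868: IEEE 802 medium (includes Ethernet)

def encode_tagged_int(attr_type, value, tag=0):
    # RFC 2868 tagged integer: type, length=6, 1-byte tag, 3-byte value
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def encode_tagged_string(attr_type, text, tag=0):
    # RFC 2868 tagged string: type, length, 1-byte tag, then the string
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def vlan_attributes(vlan_name, tag=0):
    # The attribute trio IAS must send for dynamic VLAN assignment
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan_name, tag))

def parse_attributes(blob):
    # Walk the RADIUS attribute TLVs; last occurrence of a type wins
    attrs, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs

def check_vlan_assignment(blob):
    """Return the VLAN name the switch would apply, or None if any of
    the three attributes is missing or has a value the switch ignores."""
    attrs = parse_attributes(blob)
    if not all(t in attrs for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    if int.from_bytes(attrs[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_802:
        return None
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    # RFC 2868: a leading byte above 0x1F is part of the string, not a tag
    name = group if group[0] > 0x1F else group[1:]
    return name.decode("ascii")
```

Feeding the bytes of a captured Access-Accept to check_vlan_assignment() is a quick way to tell a misconfigured attribute value apart from a switch-side authorization problem.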

Thanks Andy, it works now. However, I believe the problem was that the VLAN user was a member of the local domain group as well as the specified VLAN group. I am not entirely sure if this was the case but it seems to work now.

Thank you

Another problem now.. How is it possible for a user who logs into their computer to be authenticated based on their Windows login credentials?

The problem is this:

At boot time the switch port is unauthorized and is in the down state. Therefore the computer cannot contact the domain and therefore cannot log in.

What is the procedure here? Do they just log in at a machine level in order to authenticate automatically and then join the domain afterwards??

Any ideas would be great.

Thanks

Yes, the machine itself needs to log on initially; to do this the machine needs to be granted dial-in rights. AD needs changing so the dial-in rights are visible in Computer Management:

http://support.microsoft.com/kb/306260

Once you have done this you need to get certificates into the client's machine store - you can do this manually via web enrollment and the advanced settings to store the certificate in the machine store, or you can do this automatically via a group policy.

http://www.tacteam.net/isaserverorg/exchangekit/2003autoenroll/2003autoenroll.htm

I haven't tried having different VLANs for the machine and user accounts, so I don't know how this would work?

Andy

Thank you, that information proved quite useful.