Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

localhorscht (Level 1)

Hi, my situation is that freeradius gives the switch wrong attribute parameters.

The “users” config file says:

Username Auth-Type == EAP, User-Password == "xxx"
    Framed-Type = Framed,
    Tunnel-Medium-Type:1 = 6,
    Tunnel-Type:1 = 13,
    Tunnel-Private-Group-ID:1 = 13
....

In the freeradius debugging I can see:

.....
Sending Access-Accept of id 59 to xxx.xxx.xxx.xxx:1812
    Tunnel-Medium-Type:1 = IEEE-802
    Tunnel-Type:1 = VLAN
    Tunnel-Private-Group-Id = "13"
......

and that's the problem. I think the Tunnel-Private-Group-Id is no longer an integer.

The switch RADIUS debug:

04:57:06: Attribute 65 6 01000006
04:57:06: Attribute 64 6 0100000D
04:57:06: Attribute 81 5 0131334F

Attributes 65 and 64 are OK, but Attribute 81 is the problem.

3 Replies

smalkeric (Level 6)

As far as I know, for reasons of administrative scalability, RADIUS profiles are usually configured at the group level rather than one for each user. To configure a VLAN ID to be assigned to all users belonging to a specific group accessing the network through a Cisco Catalyst 4000, 5000, or 6000 Switch, navigate to that group's page within Cisco Secure ACS and locate the IETF RADIUS settings section. If the steps above on Interface Configuration have been followed, then attributes Tunnel-Type [# 64] and Tunnel-Private-Group-ID [# 81] will appear there for configuration.

For more information: http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_white_paper09186a0080088890.shtml

Attribute 81 needs to be the VLAN name and not the number, plus you need the following on the switch (dynamic VLANs only work with the EMI image, I think?):

aaa authorization network default group Radius-Servers

Andy

I have just been testing this on a 2950-EI (12.1(22)EA3) and a 3550 (12.2(25)SEA) and option 81 can be set to either the VLAN name or number.

Andy
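Added example, not code from the thread or from freeradius or Cisco: a small Python decoder/encoder for the three RFC 2868 tunnel attributes that the switch debug in the original post shows (64, 65, 81), which also illustrates Andy's observation that attribute 81 accepts either a VLAN name or a VLAN number. RFC 2868 defines Tunnel-Type and Tunnel-Medium-Type as a one-byte tag followed by a 3-byte integer, and Tunnel-Private-Group-ID as a tag followed by a string, so "13" and a VLAN name are encoded the same way on the wire. The three debug lines are copied from the post above; the function names, the constructed VLAN name "Guests", and the assumption that IOS pads its hex output to whole 4-byte words (hence the trailing 4F beyond the declared length 5) are mine.

```python
"""Decode IOS 'debug radius' attribute lines and build the RFC 2868 tunnel
attributes an Access-Accept needs for 802.1X dynamic VLAN assignment.

Added example; not code from the thread, freeradius or Cisco IOS.
"""
import re
from dataclasses import dataclass
from typing import Union

# RFC 2868: attributes 64 and 65 carry a one-byte tag followed by a 3-byte
# big-endian integer; attribute 81 carries an optional one-byte tag followed
# by an opaque string.  In a string attribute a first byte of 0x00..0x1F is
# a tag, anything larger is part of the string itself.
TAGGED_INT = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type"}
TAGGED_STR = {81: "Tunnel-Private-Group-ID"}
VALUE_NAMES = {64: {13: "VLAN"}, 65: {6: "IEEE-802"}}   # RFC 3580 values

# "hh:mm:ss: Attribute <type> <length> <hex>" as printed by IOS 'debug radius'
DEBUG_LINE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")


@dataclass
class TunnelAttr:
    number: int
    name: str
    tag: int                  # -1 when a string attribute carries no tag
    value: Union[int, str]

    def describe(self) -> str:
        pretty = VALUE_NAMES.get(self.number, {}).get(self.value, self.value)
        kind = "integer" if isinstance(self.value, int) else "string"
        return f"{self.name}:{self.tag} = {pretty!r} ({kind})"


def parse_debug_line(line: str) -> TunnelAttr:
    """Decode one IOS 'debug radius' attribute line into a TunnelAttr."""
    m = DEBUG_LINE.search(line)
    if not m:
        raise ValueError(f"not an attribute line: {line!r}")
    number, length, hexval = int(m.group(1)), int(m.group(2)), m.group(3)
    # Assumption: IOS prints the value padded to whole 4-byte words, so the
    # hex can show more bytes than the attribute holds.  The length field
    # (type + length + value) is authoritative, so keep only length-2 bytes.
    raw = bytes.fromhex(hexval)[: length - 2]
    if number in TAGGED_INT:
        if len(raw) != 4:
            raise ValueError(f"attribute {number} must be tag + 3 bytes, got {raw.hex()}")
        return TunnelAttr(number, TAGGED_INT[number], raw[0], int.from_bytes(raw[1:], "big"))
    if number in TAGGED_STR:
        if raw and raw[0] <= 0x1F:
            tag, text = raw[0], raw[1:]
        else:
            tag, text = -1, raw
        return TunnelAttr(number, TAGGED_STR[number], tag, text.decode("ascii"))
    raise ValueError(f"attribute {number} is not a tunnel attribute")


def encode_tunnel_attr(number: int, tag: int, value: Union[int, str]) -> bytes:
    """Wire form (type, length, tag, value) of one RFC 2868 tunnel attribute."""
    if number in TAGGED_INT:
        body = bytes([tag]) + int(value).to_bytes(3, "big")
    elif number in TAGGED_STR:
        # A VLAN id and a VLAN name are both just string bytes on the wire.
        body = bytes([tag]) + str(value).encode("ascii")
    else:
        raise ValueError(f"attribute {number} is not a tunnel attribute")
    return bytes([number, 2 + len(body)]) + body


def vlan_assignment(vlan: Union[int, str], tag: int = 1) -> bytes:
    """The three attributes an Access-Accept needs for dynamic VLAN (RFC 3580)."""
    return (encode_tunnel_attr(64, tag, 13)        # Tunnel-Type = VLAN
            + encode_tunnel_attr(65, tag, 6)       # Tunnel-Medium-Type = IEEE-802
            + encode_tunnel_attr(81, tag, vlan))   # Tunnel-Private-Group-ID


SWITCH_DEBUG = [   # the three lines from the original post
    "04:57:06: Attribute 65 6 01000006",
    "04:57:06: Attribute 64 6 0100000D",
    "04:57:06: Attribute 81 5 0131334F",
]

if __name__ == "__main__":
    for line in SWITCH_DEBUG:
        print(parse_debug_line(line).describe())
    # Numeric id and VLAN name ("Guests" is a constructed example) encode alike.
    print(vlan_assignment(13).hex())
    print(vlan_assignment("Guests").hex())
```

Running it shows the third line decoding to Tunnel-Private-Group-ID:1 = '13' (string), i.e. the switch received tag 1 plus the two ASCII characters "13"; the trailing 4F in the debug output lies beyond the declared length of 5 and is not part of the attribute.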