Dynamic VLAN assignment+NPS Nexus 5k and 2k

ssinfra · ‎08-19-2018

Hello

We are using Micorosft NPS as Radius server and we already have implemented dot1x user authentication and Dynamic vlan assignment on all 3750s. However, we are trying to get it working on Nexus 5k which directly connected to a 2k FEX.

According to the logs and debugs all authentication and authorisation were successfully passed,but I can't see any VLAn assigned to that port, regardless that we already have configured those VLAn on the switch.

Any idea please ??

jgonzales2 · ‎08-19-2018

I would look at the radius attribute you are using on NPS for vlan assignment and make sure it matches with whatever Nexus radius attribute list. Reply back with your authorization result of what attributes your sending in your access accept and it might make it easier to diagnose.

ssinfra · ‎08-20-2018

Thank you for the reply.

I have attached a screen shot of my NPS configuration. Also there is a configuration of Nexus Below:

radius-server host 10.1.4.40 key 7 "vagwwt" authentication accounting
aaa group server radius radius
use-vrf management

aaa authentication dot1x default group radius

interface Ethernet1/1
switchport mode fex-fabric
fex associate 100

interface Ethernet100/1/1
dot1x port-control auto
dot1x host-mode multi-host
dot1x pae authenticator
spanning-tree port type edge

Thank You!

jgonzales2 · ‎08-21-2018

Based off the config guide it looks like your attributes are setup incorrectly.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/security/7x/b_5600_Security_Config_7x/b_6k_Security_Config_7x_chapter_0101.html#concept_D3AE0E4CD4EA45FFA69CFC9A11772643

VLAN Assignment from RADIUS

After authentication is completed either through dot1x or MAB, the response from the RADIUS server can have dynamic VLAN information, which can be assigned to a port. This information is present in response from RADIUS server in Accept-Access message in the form of tunnel attributes. For use in VLAN assignment, the following tunnel attributes are sent:

Tunnel-type=VLAN(13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID

All the three parameters must be received for configuring access VLAN.

jgonzales2 · ‎08-21-2018

Also if your looking to dynamically change vlans as users leave the port you may want to verify CoA is properly configured also.

ssinfra · ‎08-21-2018

I have done a wire shark test and I am 100% sure that these attributes are sending by RADIUS server

The point being is Nexus seems ignoring them,

jgonzales2 · ‎08-21-2018

In your print screen it shows that the syntax for each attribute is wrong. So the radius server is sending the attributes but in a format Nexus does not like. Verify the above document I referenced and create attributes verbatim.

ssinfra · ‎08-23-2018

Hi

Just the quick update that I managed to resolve the issue by upgrading to 7.3(3)N1(1) version as apparently the previous version 7.0(5)N1(1) did not support that.