Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1346
Views
5
Helpful
5
Replies

Yet another IAS + 802.1x dynamic vlan question

donlon
Level 1
Level 1

‎12-11-2004 07:54 PM - edited ‎03-10-2019 01:55 PM

hello all

For the last 18 months or so there's been a steady stream of folks trying to get dynamic assignment of a vlan to a user/group using Microsofts IAS Radius.

Having searched thru the Netpro archives, I've never found a definitive explaination of how this is done.

Sure, its almost common knowledge by now that the three attributes 64(Tunnel-Type=vlan), 65(Tunnel-Medium=802) and 81(Tunnel-Private-Group-ID=vlan name) need to be configured on the Radius Server.

Recently I discovered that IAS on windows 2003 even includes the Radius "tunnel-tag" attribute, so even that can be included now(as =1).

Still, having done this, and seeing a "debug radius" on a 2950 switch (with newest code) show the the tunnel-tag starts with "01" --- i STIll can't get this darn thing to work.

Yes, it works for static 802.1x(no vlan assignment) against a XP sp2 client .

Yes, I included the "aaa authorization network default group radius" statement.

If I configure a vlan 5 named "Sales" --- nothing works. Not when I configure attribute 81=Sales in IAS, not when I configure "5" in IAS. Heck, I even used hex values--- till I got

" Attribute 81 6 01000005 " in the debug,

all sorts of permutations.

Please Cisco, somebody --- help us out here.

The fact of the matter is, though ACS is probably the best way to go(it does NAC & FAST), alot of clients say "hey - I've got a perfectly good Radius Server for FREE in Windows".

Can anybody shed some light on this!

Labels:
0 Helpful
5 Replies 5

aarons
Level 1
Level 1

‎03-15-2005 05:21 AM

Really great to see that noone can help you :(

I am in the same boat. If you have figured this out can u please let me know.

Thankyou kindly

0 Helpful

donlon
Level 1
Level 1
In response to aarons

‎03-16-2005 09:14 PM

It seems the issue was that the 2950 switch I was using was running the Standard Image and this feature requires the Enhanced Image.

I havn't had an opportunity to test this (don't currently have a switch with enhanced image at my disposal), however someone did point me to the documentation for switch IOS version 12.1.20 which plainly stated it.

Curiously, I didn't see it stated in the documentation for version 12.1.22 which was what I used, (don't get me started on technicial writers).

Surprisingly, alot of Cisco service engineers weren't even aware of this fact.

0 Helpful

aarons
Level 1
Level 1
In response to aarons

‎03-16-2005 10:03 PM

I have this working now. If you still need help post away.

Cheers

0 Helpful

jasontedesco
Level 1
Level 1
In response to aarons

‎07-01-2005 12:00 AM

For reference, can you please post your working av-pair vlan config and switch configuration.

Thanks

0 Helpful

hwon
Level 1
Level 1
In response to jasontedesco

‎07-07-2005 08:08 AM

Here is working IAS settings and switch config:

Ignore-User-Dialin-Properties 4101 True

Framed-Protocol 7 PPP

Service-Type 6 Framed

Tunnel-Medium-Type 65 802

Tunnel-Pvt-Group-ID 81 102

Tunnel-Type 64 VLAN

Tunnel-Tag 4170 1

*Note that I have VLAN#, not VLAN name on attribute 81

aaa new-model

aaa authentication dot1x default group radius none

aaa authorization network default group radius none

aaa accounting dot1x default start-stop group radius

dot1x system-auth-control

interface FastEthernet0/1

switchport access vlan 100

switchport mode access

dot1x port-control auto

dot1x timeout reauth-period 300

dot1x guest-vlan 997

dot1x reauthentication

spanning-tree portfast

Customers Also Viewed These Support Documents