Dynamic VLAN assignment on SG300

FieldCricket
Level 1


Cisco documentation states that dynamic VLAN assignment via RADIUS should provide the following IETF values:


The RADIUS user attributes used for the VLAN ID assignment are:

  • IETF 64 (Tunnel Type)—Set this to VLAN.

  • IETF 65 (Tunnel Medium Type)—Set this to 802

  • IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID

I have done so with an Aruba Clearpass RADIUS server, but the Access-Accept message being sent (below):

Radius:IETF:Tunnel-Medium-Type     6
Radius:IETF:Tunnel-Private-Group-Id     4
Radius:IETF:Tunnel-Type     13

is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:

07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID

07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.

Thanks,

Aaron

5 Replies

Aleksandra Dargiel
Cisco Employee

Hi Aaron,

Is this something you see in your packet capture:

Radius accept message


Aleksandra

Hi Aleksandra,

Here are the values from a packet capture of the Access-Accept message:

Hi Aleksandra,

I notice that our tag values differ: yours is 00 but mine is 01.

Cisco documentation notes:

As noted in RFC2868 , section 3.1: The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00). Refer to RFC 2868 for more information on all RADIUS attributes.

Could this be the source of the problem? If tunnel type and tunnel medium are ignored due to an invalid attribute tag (as the log indicates), it's possible the VLAN ID for tunnel-private-group-id is ignored as well. If this is the issue, can the SG300 be configured to accept a 01 tag, or is this something that I need to change on the RADIUS side?

Thanks,

Aaron

Hi Aaron,

Being honest, I never noticed this. What is the RADIUS server you are testing with?

Aleksandra

Hi Aleksandra,

I am using Aruba's Clearpass Policy Manager. I have fixed the issue by including an Avenda VSA of Avenda-Tag-Id (1) = 0.

Thank you very much for looking at this issue.


Thanks,

Aaron
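The attribute encoding the thread turns on, as an added example that is not part of the original posts or of any Cisco or Aruba code: RFC 2868 tunnel attributes 64, 65 and 81 carry a leading tag octet, so the wire bytes differ depending on whether the server writes 0x00 (tag unused, which the SG300 log demands) or 0x01 (a real tag, which ClearPass sent before the Avenda-Tag-Id = 0 fix). The block below encodes the three attributes both ways, decodes them the way a NAS does, and models the switch's observed behaviour. Everything about the switch's internal logic (dropping non-zero-tag attributes, then requiring Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802 alongside Tunnel-Private-Group-ID before honouring the VLAN) is an assumption reconstructed from the three log lines in the first post; the function and constant names are mine.

```python
"""RFC 2868 tunnel attributes for RADIUS-driven VLAN assignment.

Added example, not code from the thread.  Encodes attributes 64/65/81 as a
RADIUS server would, decodes them as a NAS would, and models the SG300's
"tag should be 0" check.  The switch model is an assumption derived from the
log lines quoted in the thread, not the switch's actual implementation.
"""
import struct

TUNNEL_TYPE = 64               # IETF 64
TUNNEL_MEDIUM_TYPE = 65        # IETF 65
TUNNEL_PRIVATE_GROUP_ID = 81   # IETF 81

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value "802"


def avp(attr_type, value):
    """Wrap a value in the RADIUS Type/Length/Value layout (length includes
    the two header octets, so the value is limited to 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_integer(attr_type, tag, number):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet integer."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    return avp(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: one tag octet followed by the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    return avp(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_accept_attributes(vlan_id, tag=0):
    """The three attributes an Access-Accept carries for VLAN assignment,
    in the order Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_avps(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting
    truncated or zero-length attributes instead of looping on them."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def split_tag(value):
    """Return (tag, rest).  Per RFC 2868 a first octet above 0x1F is not a
    tag but the first byte of the following field; that covers servers that
    send Tunnel-Private-Group-ID with no tag octet at all."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def sg300_vlan_from_accept(data):
    """Assumed model of the SG300 behaviour seen in the thread: tunnel
    attributes whose tag is not 0 are dropped with a warning, and the VLAN
    ID is honoured only when Tunnel-Type=VLAN and Tunnel-Medium-Type=802
    survive alongside Tunnel-Private-Group-ID.  Returns (vlan_id, logs)."""
    logs, fields = [], {}
    for attr_type, value in parse_avps(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, body = split_tag(value)
        if tag not in (None, 0):
            logs.append(f"Invalid attribute {attr_type} ignored - tag should be 0")
            continue
        fields[attr_type] = body
    group_id = fields.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    vlan_ok = (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
               and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
               and group_id.isdigit())
    if not vlan_ok:
        logs.append("Radius accept message does not contain VLAN ID")
        return None, logs
    return int(group_id.decode("ascii")), logs


if __name__ == "__main__":
    # Before the fix: ClearPass wrote tag octet 0x01 on all three attributes.
    print(sg300_vlan_from_accept(vlan_accept_attributes(4, tag=1)))
    # After Avenda-Tag-Id = 0: tag octet 0x00, and VLAN 4 is honoured.
    print(sg300_vlan_from_accept(vlan_accept_attributes(4, tag=0)))
```

Run stand-alone it prints the rejected and accepted outcomes for the thread's VLAN 4. The `split_tag` rule is the part worth keeping in mind when reading captures: for attribute 81 a server may omit the tag octet entirely and the first byte of the VLAN string (0x34 for "4") is then above 0x1F and correctly not read as a tag, whereas attributes 64 and 65 always carry the tag octet, so a 0x01 there is unambiguously a tag and is exactly what the SG300 log complained about.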