CSchaatsbergen
Beginner

sf302-08 and radius vsa keys

Greetings all,

I recently received a SF302-08 to configure and I have to say quite an improvement over the SRW208 I had earlier. One thing bugs me though, with authentication requests it does not send the Service-Request parameter. On our Catalyst switches I have been experimenting with adding vsa keys to the requests and replies but on the SF302-08 I cannot find that feature yet. Can anyone tell me if it is at all possible to add custom or cisco proprietary vsa keys to an authentication request?

Thanks in advance,

Chris Schaatsbergen

5 REPLIES
David Carr
Frequent Contributor

Mr. Schaatsbergen,


Based on the admin guide of the 300 series switches the vsa keys are not supported on the switch.


I'm not sure if that will be a future supported feature for the device at the moment.

That would be a pity, but maybe you can help me get a supported vsa set to work properly. I am using Radius VLAN assignment and am unable to get it to work properly.

I am sending the attributes as described but it fails on the Tunnel-Private-Group-ID.

For the Dynamic VLAN Assignment feature to work, the switch requires the following VLAN attributes to be sent by the RADIUS server (as defined in RFC 3580):

[64] Tunnel-Type = VLAN (type 13)

[65] Tunnel-Medium-Type = 802 (type 6)

[81] Tunnel-Private-Group-Id = VLAN ID

VLAN 7 (Guest) is the VLAN that the port should be assigned to, but for the different ways of sending the data I get these results.

"7"
Mar  2 12:53:53 10.1.1.181 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:22:15:8e:a4:ac was rejected on port e1 because Radius accept message does not contain VLAN ID

"Guest"
Mar  2 12:57:36 10.1.1.181 %AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - wrong length

7
Mar  2 13:04:00 10.1.1.181 %AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - cannot decode VLANID

Any thoughts?

Anyone?
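
The RFC 3580 attributes quoted above, laid out as RADIUS TLVs following RFC 2868 (an added example, not part of the original thread and not the switch's own parser). The numeric-only decoder and the handling of a leading 0x00 byte as an unused tag are assumptions.

```python
# Added example: wire encoding of the three VLAN attributes (RFC 2868 / RFC 3580).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6


def _tlv(attr_type, value):
    # RADIUS attribute: 1-byte type, 1-byte length (type + length + value), value.
    return bytes([attr_type, len(value) + 2]) + value


def encode_vlan_attrs(vlan_id, tag=0):
    """Encode the three attributes for one VLAN; tag 0 means 'tag unused'."""
    if not 1 <= vlan_id <= 4094 or not 0 <= tag <= 0x1F:
        raise ValueError("VLAN ID must be 1-4094 and tag 0x00-0x1F")
    group_id = str(vlan_id).encode("ascii")      # a string of digits, not an integer
    if tag:
        group_id = bytes([tag]) + group_id       # the tag byte is optional on attribute 81
    return (_tlv(TUNNEL_TYPE, bytes([tag]) + TYPE_VLAN.to_bytes(3, "big"))
            + _tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_802.to_bytes(3, "big"))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, group_id))


def decode_vlan(attrs):
    """Strict decode (assumption: numeric VLAN ID only); ValueError says what is wrong."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 3 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"bad attribute length at offset {i}")
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    for attr_type, want in ((TUNNEL_TYPE, TYPE_VLAN), (TUNNEL_MEDIUM_TYPE, MEDIUM_802)):
        value = found.get(attr_type, b"")        # 1 tag byte + 3-byte value
        if len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            raise ValueError(f"attribute {attr_type} missing or not {want}")
    group_id = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if group_id is None:
        raise ValueError("attribute 81 missing")
    if group_id[0] <= 0x1F:                      # leading byte <= 0x1F is a tag, not text
        group_id = group_id[1:]                  # (0x00 treated as unused tag: assumption)
    if not group_id.isdigit() or not 1 <= int(group_id) <= 4094:
        raise ValueError(f"attribute 81 is not a VLAN ID string: {group_id!r}")
    return int(group_id)


if __name__ == "__main__":
    print(encode_vlan_attrs(7).hex(" "))         # constructed sample: VLAN 7, untagged
    print(decode_vlan(encode_vlan_attrs(7, tag=1)))
```

Comparing the attribute 81 bytes in a capture of the Access-Accept against this output shows whether the server sent the digits alone, included quote characters, or sent a binary integer.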

I was able to talk to some of the design team and the VSA key they suggest using is as follows.

The VSA key needs to be configured in the users file on the Radius server as follows:

cisco-avpair = "shell:priv-lvl=15"

Let me know if this helps.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Hi,

Sorry for the late reply and thank you for the suggestion. Unfortunately it did not help; in a way it would have surprised me if it had, but you never know.