11-20-2014 12:13 PM
Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
The RADIUS user attributes used for the VLAN ID assignment are:
IETF 64 (Tunnel Type)—Set this to VLAN.
IETF 65 (Tunnel Medium Type)—Set this to 802.
IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
Radius:IETF:Tunnel-Medium-Type 6
Radius:IETF:Tunnel-Private-Group-Id 4
Radius:IETF:Tunnel-Type 13
is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
Thanks,
Aaron
11-21-2014 10:02 AM
Hi Aaron,
Is this something you see in your packet capture:
Aleksandra
11-21-2014 10:53 AM
Hi Aleksandra,
Here are the values from a packet capture of the Access-Accept message:
11-21-2014 01:06 PM
Hi Aleksandra,
I notice that our tag values differ - yours is 00 but mine is 01.
Cisco documentation notes:
As noted in RFC 2868, section 3.1: The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00). Refer to RFC 2868 for more information on all RADIUS attributes.
Could this be the source of the problem? If tunnel type and tunnel medium are ignored due to invalid attribute tag (as the log indicates), it's possible the vlan id for tunnel-private-group-id is ignored as well. If this is the issue, can the SG300 be configured to accept a 01 tag or is this something that I need to change on the RADIUS side?
Thanks,
Aaron
11-24-2014 10:58 AM
Hi Aaron,
Being honest, I never noticed this. What is the RADIUS server you are testing with?
Aleksandra
12-01-2014 08:19 AM
Hi Aleksandra,
I am using Aruba's Clearpass Policy Manager. I have fixed the issue by including an Avenda VSA of Avenda-Tag-Id (1) = 0
Thank you very much for looking at this issue.
Thanks,
Aaron
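The tag problem discussed in the thread (RFC 2868 tag octet of 01 from ClearPass versus the 00 the SG300 expects) and the fix of forcing the tag to 0, as an added example that is not part of the original thread or any vendor's code. It encodes the three tunnel attributes with a chosen tag, decodes them, and mimics a switch that ignores tagged attributes whose tag is not 0; the switch behaviour is an assumption modelled on the log lines above, and the warning for attribute 81 is an assumption (the posted log shows only 64 and 65).

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_802 = 13, 6  # values sent by ClearPass in the thread

def encode_tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: Type, Length, Tag (1 octet), Value (3 octets)."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def encode_tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string (Tunnel-Private-Group-ID): Type, Length, Tag, String."""
    body = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(body)) + body

def build_vlan_avps(vlan_id, tag):
    """Constructed Access-Accept AVPs for dynamic VLAN assignment with one tag value."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def parse_avps(data):
    """Return [(type, tag, value)] for the tunnel attributes in a raw AVP byte string."""
    out, pos = [], 0
    while pos < len(data):
        t, length = data[pos], data[pos + 1]
        body = data[pos + 2:pos + length]
        pos += length
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((t, body[0], int.from_bytes(body[1:], "big")))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading octet above 0x1F is part of the string, not a tag
            if body[0] > 0x1F:
                out.append((t, 0, body.decode()))
            else:
                out.append((t, body[0], body[1:].decode()))
    return out

def assign_vlan(data, required_tag=0):
    """Assumed switch logic: only attributes carrying required_tag are honoured.
    Returns (vlan_id or None, list of warning strings in the switch's log style)."""
    warnings, seen = [], {}
    for t, tag, value in parse_avps(data):
        if tag != required_tag:
            warnings.append(f"Invalid attribute {t} ignored - tag should be {required_tag}")
            continue
        seen[t] = value
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if (seen.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and seen.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_802 and group.isdigit()):
        return int(group), warnings
    warnings.append("Radius accept message does not contain VLAN ID")
    return None, warnings
```

Running `assign_vlan(build_vlan_avps(4, tag=1))` reproduces the rejection in the thread, while `tag=0` (what the Avenda-Tag-Id = 0 VSA achieves) yields VLAN 4.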