Beginner

2960 802.1x Authentication VLAN Assignment

Hi,

I have been having issues getting 802.1x VLAN Assignment working on my 2960. I'm using PacketFence and I can see it sending back the radius response in the switch logs:

Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "508"
Tunnel-Medium-Type = IEEE-802

.Jan 16 14:44:22.237: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
.Jan 16 14:44:22.237: RADIUS: Tunnel-Private-Group[81] 5 "508"
.Jan 16 14:44:22.237: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
It seems to know about the VLAN in the auth session details:

.Jan 16 14:41:08.643: AUTH-EVENT: [****.****.****, Gi0/2] vlan for the session is updated with 508

show authentication sessions interface gigabitEthernet 0/2 details
Interface: GigabitEthernet0/2
MAC Address: ****.****.****.****
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: AD\wbargent
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: 10800s (local), Remaining: 10784s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 284s
Session Uptime: 21s
Common Session ID: AC1E0115000000C6446DEB93
Acct Session ID: 0x00000038
Handle: 0x73000085
Current Policy: POLICY_Gi0/2
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 508
Method status list:
Method State
dot1x Authc Success
And my config:

aaa new-model
!
aaa group server radius packetfence
server name packetfence
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group packetfence
aaa server radius dynamic-author
client 195.195.88.48 server-key 7 secretkey
!
aaa session-id common
authentication mac-move permit
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan 500
name SW-Management
!
vlan 508
name "Wired"
!
interface GigabitEthernet0/2
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer restart 10800
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan500
description "Switch Management Network"
ip address 129.168.2.5 255.255.255.0
no ip route-cache
ipv6 address **************/64
ipv6 enable
!
ip default-gateway 192.168.2.1
no ip http server
no ip http secure-server
snmp-server community snmpkey RW
snmp-server community snmpkey RO
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.1.5  version 2c snmpkey mac-notification snmp
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server default
!
radius server packetfence
address ipv4 192.168.1.5 auth-port 1812 acct-port 1813
key 7 secretkey
!
Any help would be greatly appreciated.

Accepted Solution
Beginner

Re: 2960 802.1x Authentication VLAN Assignment

I was sent a copy of the setup config from the Aruba Clearpass config tool and something in it which I changed has now fixed my issue.
Config:

aaa new-model
aaa session-id common
!
radius server CPPM1
address ipv4 10.65.30.42 auth-port 1812 acct-port 1813
key L0ng&Compl5x$ecret!

!
aaa group server radius ClearPass-RADIUS
server name CPPM1

aaa authentication dot1x default group ClearPass-RADIUS
aaa authorization network default group ClearPass-RADIUS
aaa accounting dot1x default start-stop group ClearPass-RADIUS
dot1x system-auth-control
aaa server radius dynamic-author
port 3799
auth-type all
client 10.65.30.42 server-key L0ng&Compl5x$ecret!

ip device tracking
radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 11 default direction in

interface range GigabitEthernet 1/0/1 - 2
switchport mode access
authentication host-mode multi-auth
authentication order dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x supplicant tx-period 15
dot1x max-reauth-req 1
Thanks for your help.
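As an added example (my own code, not from the thread, PacketFence or Cisco): a small Python check that parses the switch's debug radius lines for the three IETF tunnel attributes shown in the question and verifies that the switch config defines the returned VLAN and carries the global statements dynamic VLAN assignment depends on. The sample debug and config text is constructed from the thread; the first two "required" statements are Cisco's documented prerequisites for downloading authorization data, the third is the one the reply asked to add.

```python
import re
# IETF RADIUS attributes that carry a dynamic VLAN (RFC 2868 / RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # expected Tunnel-Type and Tunnel-Medium-Type values
# Constructed sample data, modelled on the thread's 'debug radius' output and config
SAMPLE_DEBUG = """.Jan 16 14:44:22.237: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
.Jan 16 14:44:22.237: RADIUS: Tunnel-Private-Group[81] 5 "508"
.Jan 16 14:44:22.237: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]"""
SAMPLE_CONFIG = """aaa authorization network default group packetfence
dot1x system-auth-control
vlan 508"""
# Matches 'RADIUS: <name> [<number>] <length> <value>' as the switch prints it
DEBUG_ATTR = re.compile(r"RADIUS:\s+[\w-]+\s*\[(\d+)\]\s+\d+\s+(.*)")

def parse_tunnel_attrs(debug_text):
    """Return {attribute_number: value} for the Tunnel-* attributes in a capture."""
    attrs = {}
    for m in filter(None, map(DEBUG_ATTR.search, debug_text.splitlines())):
        num, raw = int(m.group(1)), m.group(2).strip()
        if num in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            enum = re.search(r"\[(\d+)\]", raw)  # '00:VLAN [13]' -> 13
            attrs[num] = int(enum.group(1)) if enum else raw
        elif num == TUNNEL_GROUP:
            attrs[num] = raw.strip('"')  # '"508"' -> '508'
    return attrs

# Global statements the switch needs before it honours a RADIUS VLAN; the first two
# are Cisco's prerequisites, the third is what the reply in the thread asked to add.
REQUIRED_CONFIG = [
    ("aaa authorization network", r"^aaa authorization network default group \S+"),
    ("dot1x system-auth-control", r"^dot1x system-auth-control\s*$"),
    ("radius-server vsa send authentication", r"^radius-server vsa send authentication\s*$"),
]

def check_vlan_assignment(debug_text, config_text):
    """Cross-check reply attributes against the switch config; [] means nothing obvious is missing."""
    attrs, problems = parse_tunnel_attrs(debug_text), []
    if attrs.get(TUNNEL_TYPE) != VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if attrs.get(TUNNEL_MEDIUM) != IEEE_802:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    vlan = attrs.get(TUNNEL_GROUP)
    if vlan is None:
        problems.append("Tunnel-Private-Group-Id missing")
    elif not re.search(rf"^vlan {re.escape(vlan)}\s*$", config_text, re.M):
        problems.append(f"VLAN {vlan} is not defined on the switch")
    for label, pattern in REQUIRED_CONFIG:
        if not re.search(pattern, config_text, re.M):
            problems.append(f"config lacks: {label}")
    return problems
```

Run against the thread's own data it reports only the missing `radius-server vsa send authentication`; the thread does not say which of the Clearpass-template changes actually fixed the port, so treat the list as a checklist rather than a diagnosis.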

6 REPLIES
Rising star

Re: 2960 802.1x Authentication VLAN Assignment

Change them to this:

interface GigabitEthernet0/2
switchport mode access
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer restart 10800
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
!
radius-server vsa send accounting
radius-server vsa send authentication

please do not forget to rate.
Beginner

Re: 2960 802.1x Authentication VLAN Assignment

Thanks for your quick reply, however still no luck.
Rising star

Re: 2960 802.1x Authentication VLAN Assignment

What log does the radius server show you?

please do not forget to rate.
Beginner

Re: 2960 802.1x Authentication VLAN Assignment

Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Closing connection (94): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Closing connection (93): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Closing connection (91): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Closing connection (92): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Opening additional connection (95), 1 of 64 pending slots used
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: Need 2 more connections to reach min connections (3)
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Opening additional connection (96), 1 of 63 pending slots used
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Closing connection (56): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Closing connection (57): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Closing connection (58): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Opening additional connection (59), 1 of 64 pending slots used
Jan 16 15:18:31 ME-DHL-PF1 auth[13919]: Need 1 more connections to reach min connections (3)
Jan 16 15:18:31 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Opening additional connection (97), 1 of 62 pending slots used
Jan 16 15:18:31 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Opening additional connection (60), 1 of 63 pending slots used
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: Need 1 more connections to reach min connections (3)
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Opening additional connection (61), 1 of 62 pending slots used
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: Need 7 more connections to reach 10 spares
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Opening additional connection (98), 1 of 61 pending slots used
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: [mac:************] Accepted user: and returned VLAN 508
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: (12507) Login OK: [************] (from client 192.168.2.5 port 50102 cli ************)
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: (12516) Login OK: [AD\wbargent] (from client 192.168.2.5 port 50102 cli ************ via TLS tunnel)
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: [mac:************] Accepted user: AD\wbargentand returned VLAN 508
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: (12517) Login OK: [AD\wbargent] (from client 192.168.2.5 port 50102 cli ************)
Radius Request:

User-Name = "AD\\wbargent"
NAS-IP-Address = 192.168.2.5
NAS-Port = 50102
Service-Type = Framed-User
Framed-MTU = 1522
State = 0x5fd330525eda2a397751d81c3afdfb15
Called-Station-Id = "**:**:**:**:**:**"
Calling-Station-Id = "**:**:**:**:**:**"
NAS-Port-Type = Ethernet
Event-Timestamp = "Jan 16 2019 15:03:00 GMT"
EAP-Message = 0x020900061a03
NAS-Port-Id = "GigabitEthernet0/2"
Cisco-AVPair = "service-type=Framed"
Cisco-AVPair = "audit-session-id=AC1E0115000000CC448CFFF3"
Cisco-AVPair = "method=dot1x"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "wbargent"
Realm = "default"
PacketFence-Domain = "AD"
User-Password = "******"
SQL-User-Name = "AD\\\\wbargent"
Radius Reply:

EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "AD\\wbargent"
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "508"
Tunnel-Medium-Type = IEEE-802
Rising star

Re: 2960 802.1x Authentication VLAN Assignment

Ahh... they look OK to me, unless you run the debug radius command on the switch.

please do not forget to rate.