2960 802.1x Authentication VLAN Assignment

williambargent
Level 1

Hi,

I have been having issues getting 802.1x VLAN Assignment working on my 2960. I'm using PacketFence and I can see it sending back the radius response in the switch logs:

Tunnel-Type = VLAN

Tunnel-Private-Group-Id = "508"

Tunnel-Medium-Type = IEEE-802

.Jan 16 14:44:22.237: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
.Jan 16 14:44:22.237: RADIUS: Tunnel-Private-Group[81] 5 "508"
.Jan 16 14:44:22.237: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
It seems to know about the VLAN in the auth session details:

.Jan 16 14:41:08.643: AUTH-EVENT: [****.****.****, Gi0/2] vlan for the session is updated with 508

show authentication sessions interface gigabitEthernet 0/2 details
Interface: GigabitEthernet0/2
MAC Address: ****.****.****.****
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: AD\wbargent
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: 10800s (local), Remaining: 10784s
Timeout action: Reauthenticate
Restart timeout: N/A
Periodic Acct timeout: 300s (local), Remaining: 284s
Session Uptime: 21s
Common Session ID: AC1E0115000000C6446DEB93
Acct Session ID: 0x00000038
Handle: 0x73000085
Current Policy: POLICY_Gi0/2
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 508
Method status list:
Method State
dot1x Authc Success
And my config:

aaa new-model
!
aaa group server radius packetfence
server name packetfence
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group packetfence
aaa server radius dynamic-author
client 195.195.88.48 server-key 7 secretkey
!
aaa session-id common
authentication mac-move permit
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan 500
name SW-Management
!
vlan 508
name "Wired"
!
interface GigabitEthernet0/2
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer restart 10800
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan500
description "Switch Management Network"
ip address 129.168.2.5 255.255.255.0
no ip route-cache
ipv6 address **************/64
ipv6 enable
!
ip default-gateway 192.168.2.1
no ip http server
no ip http secure-server
snmp-server community snmpkey RW
snmp-server community snmpkey RO
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.168.1.5  version 2c snmpkey mac-notification snmp
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
!
radius server default
!
radius server packetfence
address ipv4 192.168.1.5 auth-port 1812 acct-port 1813
key 7 secretkey
!
Any help would be greatly appreciated.
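
As an added worked example (not code from the thread or from PacketFence), the following Python decodes the RFC 2868 tunnel attributes that `debug radius` prints on the switch and checks whether an Access-Accept carries the complete VLAN triple the switch needs. The sample bytes are constructed to mirror the three attributes in the switch log above; the incomplete reply is a constructed variant used to show the failure case.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN, logged as "00:VLAN [13]"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802, logged as "00:ALL_802 [6]"

def parse_attributes(data):
    """Yield (type, tag, value) per attribute; tunnel attributes get RFC 2868 tag handling."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        body = data[pos + 2:pos + alen]
        pos += alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # tagged integer: one tag byte followed by a 3-byte value (hence length 6)
            tag, value = body[0], int.from_bytes(body[1:4], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # tagged string: first byte is a tag only if 0x00..0x1F, so "508" has length 5
            if body and body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = None, body
        yield atype, tag, value

def vlan_assignment(data):
    """Return the VLAN id or name the switch should apply, or None if the triple is incomplete."""
    # All three attributes must be present with the same tag; otherwise the port stays in its access VLAN.
    groups = {}
    for atype, tag, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            groups.setdefault(tag, {})[atype] = value
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None

def tagged_int(atype, tag, value):      # builder for the constructed samples below
    return bytes([atype, 6, tag]) + value.to_bytes(3, "big")

def tagged_str(atype, tag, text):
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    return bytes([atype, 2 + len(body)]) + body

# Constructed to mirror the switch log: Tunnel-Type, Tunnel-Private-Group-Id, Tunnel-Medium-Type.
ACCESS_ACCEPT_ATTRS = tagged_int(64, 0, 13) + tagged_str(81, 0, "508") + tagged_int(65, 0, 6)
INCOMPLETE_ATTRS = tagged_int(64, 0, 13) + tagged_str(81, 0, "508")  # constructed: medium type missing
```
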

Accepted Solution

I was sent a copy of the setup config from the Aruba Clearpass config tool and something in it which I changed has now fixed my issue.
Config:


aaa new-model
aaa session-id common
!
radius server CPPM1
address ipv4 10.65.30.42 auth-port 1812 acct-port 1813
key L0ng&Compl5x$ecret!

!
aaa group server radius ClearPass-RADIUS
server name CPPM1

aaa authentication dot1x default group ClearPass-RADIUS
aaa authorization network default group ClearPass-RADIUS
aaa accounting dot1x default start-stop group ClearPass-RADIUS
dot1x system-auth-control
aaa server radius dynamic-author
port 3799
auth-type all
client 10.65.30.42 server-key L0ng&Compl5x$ecret!

ip device tracking
radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 11 default direction in

interface range GigabitEthernet 1/0/1 - 2
switchport mode access
authentication host-mode multi-auth
authentication order dot1x mab
authentication port-control auto
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x supplicant tx-period 15
dot1x max-reauth-req 1
Thanks for your help.


6 Replies

Change them to this:

interface GigabitEthernet0/2
switchport mode access
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate 10800
authentication timer restart 10800
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3

!

radius-server vsa send accounting
radius-server vsa send authentication

please do not forget to rate.

Thanks for your quick reply, however still no luck.

What log does the RADIUS server show you?

please do not forget to rate.

Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Closing connection (94): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Closing connection (93): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Closing connection (91): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Closing connection (92): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Opening additional connection (95), 1 of 64 pending slots used
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: Need 2 more connections to reach min connections (3)
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Opening additional connection (96), 1 of 63 pending slots used
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Closing connection (56): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Closing connection (57): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Closing connection (58): Hit idle_timeout, was idle for 926 seconds
Jan 16 15:18:30 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Opening additional connection (59), 1 of 64 pending slots used
Jan 16 15:18:31 ME-DHL-PF1 auth[13919]: Need 1 more connections to reach min connections (3)
Jan 16 15:18:31 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Opening additional connection (97), 1 of 62 pending slots used
Jan 16 15:18:31 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Opening additional connection (60), 1 of 63 pending slots used
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: Need 1 more connections to reach min connections (3)
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: rlm_rest (rest): Opening additional connection (61), 1 of 62 pending slots used
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: Need 7 more connections to reach 10 spares
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: rlm_sql (sql): Opening additional connection (98), 1 of 61 pending slots used
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: [mac:************] Accepted user: and returned VLAN 508
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: (12507) Login OK: [************] (from client 192.168.2.5 port 50102 cli ************)
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: (12516) Login OK: [AD\wbargent] (from client 192.168.2.5 port 50102 cli ************ via TLS tunnel)
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: [mac:************] Accepted user: AD\wbargentand returned VLAN 508
Jan 16 15:18:35 ME-DHL-PF1 auth[13919]: (12517) Login OK: [AD\wbargent] (from client 192.168.2.5 port 50102 cli ************)
Radius Request:

User-Name = "AD\\wbargent"
NAS-IP-Address = 192.168.2.5
NAS-Port = 50102
Service-Type = Framed-User
Framed-MTU = 1522
State = 0x5fd330525eda2a397751d81c3afdfb15
Called-Station-Id = "**:**:**:**:**:**"
Calling-Station-Id = "**:**:**:**:**:**"
NAS-Port-Type = Ethernet
Event-Timestamp = "Jan 16 2019 15:03:00 GMT"
EAP-Message = 0x020900061a03
NAS-Port-Id = "GigabitEthernet0/2"
Cisco-AVPair = "service-type=Framed"
Cisco-AVPair = "audit-session-id=AC1E0115000000CC448CFFF3"
Cisco-AVPair = "method=dot1x"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Stripped-User-Name = "wbargent"
Realm = "default"
PacketFence-Domain = "AD"
User-Password = "******"
SQL-User-Name = "AD\\\\wbargent"
Radius Reply:

EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "AD\\wbargent"
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "508"
Tunnel-Medium-Type = IEEE-802

Ahh... they look OK to me, unless you run the debug radius command on the switch.

please do not forget to rate.
