Dynamic Vlan assignment in wired network - NPS 2012 server

ITexpert
Level 3

Hello Guys,

I am in my lab environment. I have a Cisco 800 series router and an L2 Cisco 2960G switch. I configured inter-VLAN routing through the switch, and a Microsoft 2012 server as the DHCP, DNS, AD and NPS server.

Everything is working great except dynamic VLAN assignment. I followed this link to implement it:

https://mikepembo.wordpress.com/2016/11/07/dynamic-vlan-assignment-cisco-and-nps/comment-page-1/

I have a question:

1. Where should the aaa commands be configured, on the router or the switch?

I configured everything on the switch but it's not working.

Thanks

2 Accepted Solutions

Hello Deepak,

It's working now, I just moved that port from multi-host mode to single-host mode.

19 Replies

Deepak Kumar
VIP Alumni

Hi,

AAA commands must be configured on the switch, for both authentication and authorization.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello Deepak,

I configured all the commands on the switch but still no success.

Any other suggestions?

The link I am following mentions that the AAA server should be configured where the SVIs are configured.

Do we also need to configure a Connection Request Policy in NPS?

Thanks

Hi,

I am sharing a demo switch configuration with you:

dot1x system-auth-control
!
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!

and your basic configuration such as the VLANs and the RADIUS server.

NAS server configuration:

Configure a connection request policy and define the condition as "NAS Port Type: Ethernet".

Regards,
Deepak Kumar

Hello Deepak,

After configuring these commands, I got two logs on the NPS server:

1. An LDAP connection is made to AD.

2. After that it shows timed out and the PC doesn't get an IP.

BUT

when I log in with another username that is not included in the NPS policy, it shows me a message that access is denied.

But it's not showing anything for people who are in the group; it just keeps authenticating.

Thanks

Hi,
Can you share the NPS logs and the debug dot1x output?

Regards,
Deepak Kumar

Hello Deepak,

It's working now, but I want to accomplish this: initially, a brand new PC, before login by any user, goes to a VLAN that is assigned manually; after logging in, the VLAN changes via the NPS server, and if the user is not part of the policy it should be swapped to the guest VLAN.

Please help me with the commands.

The guest VLAN is already configured in my network and it is isolated.

Hi,

It is recommended to configure timeout and retry for dot1x authentication:

dot1x timeout quiet-period 10  ! wait 10 seconds between auth requests
dot1x timeout tx-period 5      ! wait 5 seconds to hear EAP from the client
dot1x max-req 1                ! quit trying to re-authenticate after 1 try

and the guest VLAN configuration as:

interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan <ID>                                   ! default VLAN, for RADIUS authentication only
 authentication event fail action authorize vlan <ID>          ! default VLAN, for RADIUS authentication only
 authentication event no-response action authorize vlan <ID>   ! guest VLAN ID
 dot1x guest-vlan <ID>                                         ! guest VLAN ID
 dot1x auth-fail vlan <ID>                                     ! guest VLAN ID

 

 

Regards,

Deepak Kumar

Thanks a lot Deepak, you make my life easier at my new workplace.

Hello Deepak,

After configuring these commands:

int g0/11
 switchport mode access
 switchport access vlan 10                                   ! data VLAN
 authentication event fail action authorize vlan 40          ! guest VLAN, as we want PCs to move to the guest VLAN if they fail on the NPS server
 authentication event no-response action authorize vlan 40   ! guest VLAN

dot1x guest-vlan supplicant (this command does not work with a VLAN ID)

dot1x auth-fail vlan <ID> (the 2960G IOS does not support this command)

PROBLEM: As the guest VLAN is an isolated VLAN, after rebooting the PC, if I once log in with an unauthorized user it goes to the guest VLAN, but as the guest VLAN is not able to reach the NPS server, after signing out and signing back in with an authorized user the IP address gets stuck there.

Please help me with a solution.

Thanks.

Hi,

The guest VLAN must have access to the NPS server.

Regards,

Deepak Kumar

So I want to open 192.168.40.0 (guest subnet) to reach the NPS server (192.168.40.99) only on ports 1645 and 1646, as these are the ports used by the switch to get authenticated and authorized by the NPS server.

Right now I am isolating the guest subnet by using these commands:

access-list 101 deny ip <source> <destination>
access-list 101 permit ip any any

I don't know how to use two ACLs on a single SVI interface.

Can you please help more?

Thanks

Hi,

Follow the below commands:

ip access-list extended 101
 10 permit udp <subnet> <wildcard-mask> host <radius-server-IP> range 1812 1813
 20 deny ip <subnet> <wildcard-mask> <subnet> <wildcard-mask>
 30 permit ip any any

1812 and 1813 are the RADIUS port numbers; you may be using 1645 and 1646 instead.

Regards,

Deepak Kumar
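The ACL from the answer above, run through a small first-match evaluator; this is an added example, not code from the thread or from Cisco. It parses IOS extended ACE lines with wildcard-mask and port-range matching and shows that guest-subnet traffic to the NPS server is permitted only because line 10 precedes the deny, and only on the port pair the ACL names (a client using 1645/1646 against a 1812-1813 ACL falls through to line 20). The guest subnet 192.168.40.0/24 and NPS address 192.168.40.99 are taken from the thread; the deny range 192.168.0.0/16, the sample hosts and the function names are assumptions.

```python
"""First-match evaluation of a Cisco IOS extended ACL (implicit deny at the end)."""
import ipaddress

def _addr_spec(t, i):
    # One IOS address spec: "any" | "host A" | "A WILDCARD"; returns (base, wildcard, next index)
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_ace(line):
    # e.g. "10 permit udp 192.168.40.0 0.0.0.255 host 192.168.40.99 range 1812 1813"
    t = line.split()
    src, src_wc, i = _addr_spec(t, 3)
    dst, dst_wc, i = _addr_spec(t, i)
    lo, hi = 0, 65535                       # no port qualifier: any destination port
    if i < len(t) and t[i] == "eq":
        lo = hi = int(t[i + 1])
    elif i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
    return {"seq": int(t[0]), "action": t[1], "proto": t[2],
            "src": (src, src_wc), "dst": (dst, dst_wc), "ports": (lo, hi)}

def _wc_match(addr, spec):
    # IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is "don't care"
    base, wildcard = spec
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

def evaluate(acl_text, proto, src, dst, dport):
    """Return (action, seq) of the first ACE matching the packet; ('deny', None) if none does."""
    for ace in (parse_ace(ln) for ln in acl_text.strip().splitlines()):
        if ace["proto"] not in ("ip", proto):          # "ip" matches every protocol
            continue
        if not (_wc_match(src, ace["src"]) and _wc_match(dst, ace["dst"])):
            continue
        if not ace["ports"][0] <= dport <= ace["ports"][1]:
            continue
        return ace["action"], ace["seq"]
    return "deny", None                                  # implicit deny at the end of every IOS ACL

# Constructed from the thread: guest subnet 192.168.40.0/24 and NPS 192.168.40.99 as posted;
# the deny covering all of 192.168.0.0/16 (the rest of the internal network) is an assumption.
GUEST_ACL = """
10 permit udp 192.168.40.0 0.0.0.255 host 192.168.40.99 range 1812 1813
20 deny ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
30 permit ip any any
"""
```

evaluate(GUEST_ACL, "udp", "192.168.40.50", "192.168.40.99", 1645) returns ("deny", 20), which is what a guest host using the legacy RADIUS ports sees when the ACL only opens 1812-1813; note that the switch sources its own RADIUS requests from its management SVI, so this ACL governs guest hosts, not the authenticator.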

Do I need to add this access-group as IN or OUT on the guest interface?

I added it IN, but I still can't see any movement of packets from the switch towards the NPS server.

Hello Deepak,

Even after opening all ports from the guest VLAN to the NPS server, the switch does not send any authentication packets to the NPS server once it gets a guest IP. I am able to ping the NPS server from the guest VLAN.

So I think it's something in the switch config.

I have these commands on the interface:

switchport mode access
switchport access vlan 10                                   ! data VLAN
authentication event fail action authorize vlan 40          ! guest VLAN
authentication event no-response action authorize vlan 40   ! guest VLAN
authentication host-mode multi-host
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast

Thanks

 

Review Cisco Networking for a $25 gift card