802.1x default VLAN

Hi,
I am trying to set up 802.1x on a Catalyst 4006 with a Supervisor III module with IOS 12.1(12c)EW1. I am using Cisco Secure ACS 3.0(2) Build 5 for my Radius server. I'm using the Windows 2000 802.1x hotfix for my 802.1x client software. My goal is as follows:
If USER1 gets authenticated, authorize them to access VLAN 10.
If USER2 gets authenticated, authorize them to access VLAN 20.
If someone tries to logon to the network without the 802.1x Client, authorize them to access VLAN 30.
I have been able to get USER1 and USER2 onto their correct VLANs, but I have been unable to set up a default VLAN for unauthenticated/unauthorized users to be able to access. The only thing I have been able to do is Force Authorization onto VLAN 30 for all users, but then I am unable to assign USER1 or USER2 to their correct VLANs because when I turn on Force Authorization, the switch ignores the client requests for authorization; it just automatically throws them onto VLAN 30.
The reason I would like to do this is so that we can assign known users onto the VLANs we want them to access, and we want to throw unknown users onto VLAN 30. We want to allow unknown users access to the internet because we have outside vendors teaching classes on our campus, and we can't be guaranteed that they will have 802.1x on their laptops, but they will still need to access the internet to teach their classes.
If more information is needed (how we have the switch configured now) or I have not been very clear in what I need, let me know. Any help would be greatly appreciated.
Jeremy Zanitsch

From your question I understand that you want a procedure to authenticate unknown users; maybe the following URLs could give you some ideas.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007dea7.html#xtocid2932211
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/deacs_wp.htm

Similar Messages

  • Yet another IAS + 802.1x dynamic vlan question

    hello all
    For the last 18 months or so there's been a steady stream of folks trying to get dynamic assignment of a vlan to a user/group using Microsoft's IAS Radius.
    Having searched through the Netpro archives, I've never found a definitive explanation of how this is done.
    Sure, it's almost common knowledge by now that the three attributes 64 (Tunnel-Type=vlan), 65 (Tunnel-Medium=802) and 81 (Tunnel-Private-Group-ID=vlan name) need to be configured on the Radius Server.
    Recently I discovered that IAS on Windows 2003 even includes the Radius "tunnel-tag" attribute, so even that can be included now (as =1).
    Still, having done this, and seeing a "debug radius" on a 2950 switch (with newest code) show that the tunnel-tag starts with "01", I STILL can't get this darn thing to work.
    Yes, it works for static 802.1x (no vlan assignment) against an XP SP2 client.
    Yes, I included the "aaa authorization network default group radius" statement.
    If I configure a vlan 5 named "Sales", nothing works. Not when I configure attribute 81=Sales in IAS, not when I configure "5" in IAS. Heck, I even used hex values, till I got "Attribute 81 6 01000005" in the debug; all sorts of permutations.
    Please Cisco, somebody, help us out here.
    The fact of the matter is, though ACS is probably the best way to go (it does NAC & FAST), a lot of clients say "hey - I've got a perfectly good Radius Server for FREE in Windows".
    Can anybody shed some light on this!

    Here are working IAS settings and switch config:
    Ignore-User-Dialin-Properties 4101 True
    Framed-Protocol 7 PPP
    Service-Type 6 Framed
    Tunnel-Medium-Type 65 802
    Tunnel-Pvt-Group-ID 81 102
    Tunnel-Type 64 VLAN
    Tunnel-Tag 4170 1
    *Note that I have VLAN#, not VLAN name on attribute 81
    aaa new-model
    aaa authentication dot1x default group radius none
    aaa authorization network default group radius none
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    interface FastEthernet0/1
    switchport access vlan 100
    switchport mode access
    dot1x port-control auto
    dot1x timeout reauth-period 300
    dot1x guest-vlan 997
    dot1x reauthentication
    spanning-tree portfast

  • 802.1x Dynamic VLAN Switching Question

    Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.
    Environment:
    ACS Express 5.0.1
    C3550 running c3550-ipbasek9-mz.122-44.SE6.bin
    Switch config:
    aaa new-model
    aaa group server radius dot1x
    server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
    aaa authentication dot1x default group dot1x
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    interface FastEthernet0/3
    switchport access vlan 3
    switchport mode access
    speed 100
    duplex full
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode protect
    dot1x timeout tx-period 5
    dot1x timeout supp-timeout 5
    spanning-tree portfast
    ip radius source-interface FastEthernet0/1 vrf default!
    radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F
    Am I missing something easy?

    It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.
    The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down".

  • What is difference between Default VLAN and Native VLAN?

    Answer

    Cisco switches always have VLAN 1 as the default VLAN, which is needed for many protocol communications between switches, like spanning-tree protocol for instance.
    You can't change or even delete the default VLAN; it is mandatory.
    The native VLAN is the only VLAN which is not tagged on a trunk; in other words, native VLAN frames are transmitted unchanged.
    By default the native VLAN is VLAN 1, but you can change that:
    #show interface Fa0/8 trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/8       on               802.1q         other         1
    (config-if)#switchport trunk native vlan 2
    (config-if)#do show interface f0/8 trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/8       on               802.1q         other         2
    The default VLAN is still VLAN 1.
    #show vlan id 1
    VLAN Name Status    Ports
    1    default active    Fa0/8, Gi0/1
    HTH
    Rolf
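    What "not tagged" means on the wire, as an added example that is not part of Rolf's answer or of any Cisco code: the Python below builds Ethernet frames for a trunk, inserting the 4-byte 802.1Q tag (TPID 0x8100 followed by PCP/DEI/VID) for every VLAN except the native one, and classifies received frames the way a trunk port does, putting untagged frames into whatever the native VLAN currently is. The MAC addresses and payload are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted after the MACs when vid is set."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | vid          # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def egress_trunk(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                 vid: int, native_vlan: int) -> bytes:
    """Frames in the native VLAN leave the trunk unchanged (untagged);
    frames of every other VLAN carry a tag."""
    if vid == native_vlan:
        return build_frame(dst, src, ethertype, payload)
    return build_frame(dst, src, ethertype, payload, vid=vid)


def classify_ingress(frame: bytes, native_vlan: int):
    """(vid, ethertype, payload) for a frame received on a trunk: a tagged frame
    is placed in its VID, an untagged frame in the trunk's native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return (tci & 0x0FFF, inner_type, frame[18:])
    return (native_vlan, ethertype, frame[14:])


if __name__ == "__main__":
    # Constructed sample addresses and a stub IPv4 payload.
    dst, src, ip = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"), b"\x45\x00"
    untagged = egress_trunk(dst, src, 0x0800, ip, vid=1, native_vlan=1)
    tagged = egress_trunk(dst, src, 0x0800, ip, vid=10, native_vlan=1)
    print("native VLAN frame :", untagged.hex())
    print("VLAN 10 frame     :", tagged.hex())
    # The same untagged frame lands in VLAN 2 once the trunk's native VLAN is 2.
    print("untagged frame, native vlan 2 ->", classify_ingress(untagged, native_vlan=2)[0])
```

    The last line of the demo is the point of Rolf's `switchport trunk native vlan 2` example: nothing in the untagged frame changes, only the VLAN the receiving trunk assigns it to, which is why both ends of a trunk must agree on the native VLAN.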

  • How to get rid of 802.1x 'Default Authentication'?

    Hi All,
    Every time I close my MBP's lid, put it to sleep, or simply turn it on, my Wifi is no longer connected.
    This all started ever since I decided to 'Turn Off Wifi' the very first time since I got my MBP this year 2011, in June.
    Whenever I do any of the above (put MBP to sleep etc.) then get back to working, my Safari says I'm not connected to the internet.
    And I see my Wifi signal "blinking" and trying to connect. So I go to my Network preferences and see this:
    There's that '802.1X: Default Authenticating' that appears below my wireless network's name.
    After which I have to Disconnect twice: 1 time before it tries to "authenticate" again, and then a 2nd time, and then it stops completely.
    Then I have to proceed to click and choose my network again and re-enter my password just to get the Airport/Wifi working again.
    Someone please give me a solution to get my Wifi to automatically connect whenever I switch on my MBP, and to get rid of this annoying 802.1X which does nothing and just continues to try and "authenticate" with no result.
    It would be very very much appreciated! Thank You!
    PS. I did read somewhere online about 802.11g newer wireless network cards and how they may have issues with an 802.1x network etc.
    Don't really understand it though. Please explain if you could. Cheers

    Realized that OSX Lion has re-prioritized my Wi-Fi to the bottom of the list.
    What I had to do was place it in first priority again in Network settings.
    Quite a disappointment from OSX Lion since in OS Snow Leopard that was the default setting, and certainly a hassle for newbie Mac users like myself who may be clueless when faced with these "issues".
    Also attached above is the picture that for some strange reason disappeared in the original post..

  • 802.1x with VLAN assignment on Catalyst 2950T-48-SI

    I will really appreciate it if you can confirm for me whether the C2950T-48-SI will support the following features.
    - IEEE 802.1x with VLAN assignment
    - SSHv2
    - SNMPv3
    The data sheet for the Cisco Catalyst 2950 Series Switches with Standard Image mentions all the above and more features for the 2950T-48-SI, but at the same time the PowerPoint presentation (Cisco Catalyst 2950 Series Switches) and the Software Advisor tool say that those features are only supported with the Enhanced Image.
    If those features are supported by the Standard Image, would you please also inform me of the last IOS version supported.
    Thanks a lot.

    SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
    802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
    SNMPv3 is supported.
    HTH
    Andy

  • 871 802.1x with vlan assignment aka dynamic vlan

    You can do vlan assignment on 871W wireless using the local radius server, but unfortunately only LEAP, which is N.G.
    I have been pounding on wired 802.1x PEAP (which works) trying to get vlan re-assignment. I have tried with IAS, which I am using to do vlan reassignment with the WLC, so I have the idea of how it works with IAS. With 871, no go. I have also tried ACS for radius with the same results: can't escape the switchport's vlan. With "debug radius local" you can see the tunnel attributes for reassignment plainly, but with "debug radius" with IAS or ACS, nada.
    Using 12.4(6)T advanced IP.
    I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
    Has anybody got this to work? Any info much appreciated
    Greg Turner


  • Management and Default VLAN

    Hi All
    I need advice.
    At my former office, we used to have another vlan, e.g. vlan 10, for management vlan purposes so that we did not use default VLAN 1 to access the switches, which I think is good for security purposes.
    Now how can I convince my present company that it is the best way to go? They have only vlan 1 for management purposes but then use another vlan, say vlan 189, for all unused ports, which alas they do not keep to, so invariably we have ports in vlan 1 and 99 and everywhere.
    Is there a doc whereby I can show them why it is best to have a different management vlan from the default vlan?
    Thanks

    Hi, here is a link that gives a little explanation on Precautions for the use of default management vlan.
    Refer to "Precautions for the Use of VLAN 1" section.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp38986

  • SRW224G4P only work on default VLAN 1

    I have a SRW224G4P linksys switch with the following configuration.
    VLAN 10 (untagged) excluded for port 1,2
    VLAN 100 (tagged) included for port 1,2
    VLAN 200 (untagged) included for port 1,2
    PVID set to 200 for port 1,2
    When I connect PCs onto port 1,2, they cannot ping each other.
    If I set the PVID for port 1,2 to 1 (the default VLAN), then it will work.
    Is there anything I missed in order to use VLAN 200 for the PCs?
    Any input most appreciated. KL

    if admin is not accepted:
    1: launch IE
    2: click Tools >> click Internet Options
    3: click on the Security tab > click the Custom Level button
    4: put a check mark on automatic log-in with current username and password
    NOTE: make sure you click on the Apply button before the OK button
    and then close the internet browser and open a new one
    Last: access 192.168.1.1 with the password "admin"
    (reset router (30s) and then shutdown 30s)
    expecting mother

  • Default VLAN on SGE 2000

    Hi all,
    I would like to know if is there a way to change default VLAN on linksys sge2000?
    I would like to change default vlan 100 to vlan 1.
    Thanks.
    Regards

    Why not create a new vlan and then add all the devices to the new vlan that you created? I believe that there is no way to remove the default vlan on the switch.

  • Default vlan

    I hear that all ports have a default vlan, usually 1. what happens when we set a port to access port 10? Does it still have a default vlan or just vlan 10?

    I still think we do not understand each other.
    You said:
    To make it native, I will have to make the port a trunk port and add a native vlan to that, correct?
    Only vlan 1 is called native vlan; other vlans are not native. (You can only use the word native with vlan 1.)
    If you add two vlans to a port then it's not called a native port... it's just a trunk port.
    I think this is wrong; if it is not, I am sorry:
    We agree that a trunk port can have a native vlan. But on the trunk we can make whatever vlan we want native. How can you say we can only use the word native with vlan 1?

  • Change Default VLAN on SRW2008P

    I have an SRW2008P switch I am trying to connect to my Layer 3 network, which is all Cisco 3560 IOS. I think the default vlan for Cisco is 100 but the default vlan for Linksys is 1. I have port 8 on the SRW2008P connected to my Cisco network and have it set as trunk on both sides. I have vlan 100 set as untagged on the SRW2008P. Also, I have my user/mgt vlan 19 set as a tagged interface on the SRW2008P. Now, when I set the Management VLAN on the SRW2008P to 19, I am not able to communicate with the switch at all from my 3560: no ping, http, etc. My only idea is that the default vlan on the SRW2008P needs to be 100, not 1; is there a way to change that? Am I missing some other step?

    As per Linksys documentation, the default or native VLAN cannot be changed.
    I would prefer setting up one of the ports on the SRW2008P as TRUNK. Create VLAN 100, member ports to VLAN100 including the TRUNK port and check if that would work.
    Hope this helps!

  • What steps are needed to untag default vlan to gigabit port on SRW208P

    We have VLAN 1 disabled on our standard Cisco Catalyst switches and use VLAN 11 as our default.  We have recently added VLAN 221 for voice while implementing a new Cisco UC system.  I can't seem to disable VLAN1, however, I have made the default VLAN 11 and Voice VLAN 221.  In VLAN Management, I can untag VLAN 11 (PVID) on all ports but the Gigabit port connecting to the Cisco 6506.  That port always tags VLAN 11 & 221 and untag (PVID) VLAN 1. 
    I have tried making changes to the switch while connected to the switch and when I make the setting, the switch loses connection to the 6506.  If I make the appropriate changes to GI(1) while connected to GI(2), that change takes effect, however, when I move the patch cable to GI(1), the port configuration changes and VLAN 11 becomes tagged and VLAN1 becomes untagged. 
    What is needed to stop this from happening? 

    Hi, I do not support the UC500 model so I can only give information to the switch. The older ESW, SX300 and SX500 series were designed to plug and play to the UC300/500 series for basically zero configuration.
    To my knowledge (which I can be very wrong!!!!!) The UC500 uses vlan 1 data, vlan 100 by default and it usually doesn't deviate this.
    You may disable the smart port and auto voice vlan features, yes. However, this means you need to manually configure your ports or use the telephony OUI features.
    I can outline how to disable the smart port and avoid using auto voice vlan, however, it would be most prudent for you to call the UC500 support to 100% ensure there is not a better way to manage via way of the UC platform.
    If you could please call the SBSC and verify there is nothing better to be done then I would be happy to further assist
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    -Tom

  • 802.1x Dynamic VLans

    I'm trying to figure out a way to get to 802.1x and Dynamic Vlans.
    I have all types of devices, some login into windows AD some don't.
    Is this possible?
    The port is set up to use 802.1x. The Radius server first checks against AD, then checks for the MAC address; if no conditions are met the port is set to a catch-all type VLAN and starts forwarding.
    Something like:
    1. A Domain user/PC connects, user login to AD and assigned to a user VLan.
    2. A printer is connected and assigned to a printer VLan.
    3. A guest connects and is assigned to a guest VLan.
    I would like to not have to put MAC addresses in for PCs that are members of the Windows domain.

    Hi
    Please find the answers inline:
    1. A Domain user/PC connects, user login to AD and assigned to a user VLan.
    This is possible by using RADIUS extended attributes to assign the VLAN dynamically. For this to work, you need to define the radius server host & key on the switch/NAD, then enable dot1x on the switchport to force authentication through RADIUS. You can have a NAC client to key in your AD username/password. You would need to configure your RADIUS server to send vendor-specific attributes:
    –[64] Tunnel-Type = VLAN
    –[65] Tunnel-Medium-Type = 802
    –[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
    refer to CCO for more info on how the ACS server is configured for sending this info... apart from this on the switch configure "radius-server host x.x.x.x auth-port 1612 key *****" and the appropriate aaa commands to force dot1x to refer to RADIUS "aaa authentication dot1x default radius"
    2. A printer is connected and assigned to a printer VLan.
    For printers, or any non-dot1x compliant device, it's general to use the MAC Authentication Bypass feature. By doing this we can make sure the ports connecting to printers use the default "switchport access vlan" configuration on these ports. With MAB, we add the MAC address of the printer on the ACS server (with the password as the MAC address) and make sure the printer is authenticated via the switch. If you don't want to use the MAC address for bypassing dot1x, you can probably disable dot1x on such ports. A similar methodology can be adopted for servers, which wouldn't need dot1x. Since there are few printers & servers on networks, you can disable dot1x on these ports.
    3. A guest connects and is assigned to a guest VLan.
    This is achieved by using the guest-vlan feature. Guests who don't have a dot1x client will be put on a separate isolated VLAN called the guest vlan. You can create a vlan, say vlan 99, on the switch for guests, and on the switchport configure "dot1x guest-vlan 99". This would make sure the guests are separated and isolated. Make sure you have vlan ACLs on VLAN 99 to restrict traffic for guest users only to the internet, or place them behind the DMZ of firewalls. You also have the "authentication failure" VLAN which you can enable for production users when they fail authentication.
    Refer to this Guide.. it has all information about 802.1x on switches...
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1270660
    Hope this helps.. all the best..
    Raj
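    The three attributes listed in Raj's answer, and in the IAS thread above where the switch debug showed "Attribute 81 6 01000005", are the tagged tunnel attributes of RFC 2868: a one-byte tag precedes the value, Tunnel-Type (64) and Tunnel-Medium-Type (65) carry a 3-byte integer (13 = VLAN, 6 = IEEE-802), and Tunnel-Private-Group-ID (81) carries a text string holding the VLAN name or number. The Python below is an added example, not code from any poster, from Cisco or from Microsoft: it encodes the attribute set a RADIUS server returns for a VLAN assignment, decodes it back, checks that a reply is complete and self-consistent (all three attributes, same tag, printable group ID), and decodes "Attribute <type> <len> <hex>" lines as printed by IOS "debug radius". The sample lines and VLAN values are constructed.

```python
import re
from typing import List, Optional, Tuple, Union

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value registered for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value for IEEE-802

Decoded = Tuple[int, Optional[int], Union[int, bytes]]  # (type, tag, value)


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: type, length(6), tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string attribute: type, length, tag, then the text bytes."""
    data = value.encode("ascii")
    if not 0 <= tag <= 0x1F or not data or len(data) > 250:
        raise ValueError("bad tag or string length")
    return bytes([attr_type, 3 + len(data), tag]) + data


def vlan_assignment(vlan: Union[int, str], tag: int = 1) -> bytes:
    """Attributes 64/65/81 for placing the port in `vlan` (ID or name); one shared tag."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))


def decode_value(attr_type: int, value: bytes) -> Decoded:
    """Split the tag from the value for the three tunnel attributes."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("tagged integer must be 4 bytes")
        return (attr_type, value[0], int.from_bytes(value[1:], "big"))
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        if not value:
            raise ValueError("empty Tunnel-Private-Group-ID")
        # RFC 2868 s3.6: a first byte of 0x00..0x1F is the tag (0x00 = no tag);
        # anything larger is already the first byte of the string.
        if value[0] <= 0x1F:
            return (attr_type, value[0], value[1:])
        return (attr_type, None, value)
    return (attr_type, None, value)


def decode_attributes(buf: bytes) -> List[Decoded]:
    """Walk a RADIUS attribute list laid out as type, length, value, ..."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        out.append(decode_value(attr_type, buf[i + 2:i + length]))
        i += length
    return out


DEBUG_LINE = re.compile(r"Attribute\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)")


def decode_debug_line(line: str) -> Decoded:
    """Parse one 'Attribute <type> <len> <hex value>' line from IOS 'debug radius'."""
    m = DEBUG_LINE.search(line)
    if not m:
        raise ValueError("not an attribute line")
    attr_type, length, value = int(m[1]), int(m[2]), bytes.fromhex(m[3])
    if len(value) != length - 2:      # length covers type and length bytes too
        raise ValueError("length field does not match value")
    return decode_value(attr_type, value)


def assigned_vlan(buf: bytes) -> Optional[str]:
    """VLAN ID/name if `buf` carries a complete, consistent assignment, else None."""
    by_type = {t: (tag, v) for t, tag, v in decode_attributes(buf)}
    if not all(t in by_type for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    tt, tm, tg = (by_type[t] for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID))
    if tt[1] != TUNNEL_TYPE_VLAN or tm[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    if len({tt[0] or 0, tm[0] or 0, tg[0] or 0}) != 1:   # tags must agree
        return None
    try:
        text = tg[1].decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


if __name__ == "__main__":
    print("VLAN 5 assignment :", vlan_assignment(5).hex())
    print("debug line decode :", decode_debug_line("RADIUS:  Attribute 81 6 01000005"))
```

    Decoding the line quoted in the IAS thread returns tag 1 followed by the three bytes 00 00 05, a binary value in a field that carries text; the encoder shows that a VLAN ID of 5 with tag 1 is sent as attribute 81, length 4, value 0135. The consistency check in assigned_vlan is the useful audit on the server side: a reply missing one of the three attributes, mixing tags, or carrying a non-printable group ID is one the switch cannot act on.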

  • Wlc2112-k9 802.1x dynamic vlans on multiple ports

    I have a wlc2112-k9. I have successfully set up a WLAN with 802.1x authentication and dynamic VLAN assignment. The issue I have (and maybe it isn't an issue and is just the way the controller works) is that if the vlan interfaces I have defined are connected to different ports from the one the default interface for the WLAN is on, it doesn't work.
    So for instance, I create my WLAN and set the interface to the management interface (which is connected to port 1). I then define all my other vlan interfaces that could be returned by my radius server.
         ex: vlan_102 connected to port 2
               vlan_104 connected to port 3
               vlan_106 connected to port 4
    And so forth.
    Port 1 is configured on the switch on vlan 21. If the radius server returns a VLAN ID of 102, 104 or 106 my client successfully connects to the WLAN but it gets put on VLAN 21. However if I move the vlan interfaces above over to port 1 the client correctly gets put on the correct VLAN.
    All ports on the switch are configured as trunk with the native vlan set to the corresponding value that is set on the WLC.
    Is this just the way the controller functions? That it can't assign a client to a different interface that is connected to a different port from the default one set up when the WLAN is created? I would have just thought that if the radius server returned VLAN 102 it would find that interface and connect the user session via that interface regardless of the port it is configured on.
    Thanks

    dynamic vlan assignment should work with the controller
    by returning the standard IETF attributes
    64, 65, and 81.
    You said that you have configured the native vlan on each trunk port to be exactly the same as the vlan assigned to the dynamic interface on the neighbor controller port. Make sure to have the native vlan be something else, especially since I guess that you have tagged the vlans on those dynamic interfaces.
    Please make sure to rate correct answers
