802.1x with VLAN assignment through MS IAS radius

What is the correct input syntax of the Cisco VSA at the MS IAS?
Cisco Vendor ID = 9
- [64] Tunnel-Type = VLAN
- [65] Tunnel-Medium-Type = 802
- [81] Tunnel-Private-Group-ID = VLAN NAME
Thanks

Not sure of this, but this link could be of some help: http://www.microsoft.com/windows2000/technologies/communications/ias/

Similar Messages

  • 871 802.1x with vlan assignment aka dynamic vlan

    you can do vlan assignment on 871W wireless using the local radius server but unfort only LEAP which is N.G.
    I have been pounding on wired 802.1x PEAP (which works) trying to get vlan re-assignment. Have tried with IAS which I am using to do vlan reassignment with the WLC so I have the idea of how it works with IAS. With 871, no go. Have also tried ACS for radius with same results: can't escape the switchport's vlan. With debug radius local you can see the tunnel attributes for reassignment plainly but with debug radius with IAS or ACS, nada.
    Using 12.4(6)T advanced IP.
    I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
    Has anybody got this to work? Any info much appreciated
    Greg Turner

  • 802.1x with VLAN assignment on Catalyst 2950T-48-SI

    I would really appreciate it if you could confirm whether the C2950T-48-SI will support the following features.
    - IEEE 802.1x with VLAN assignment
    - SSHv2
    - SNMPv3
    The data sheet for the Cisco Catalyst 2950 Series Switches with Standard Image mentions all the above and more features for the 2950T-48-SI, but at the same time the PowerPoint presentation (Cisco Catalyst 2950 Series Switches) and the Software Advisor tool say that those features are only supported with the Enhanced Image.
    If those features are supported by the Standard Image, would you please also tell me the last IOS version supported.
    Thanks a lot.

    SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
    802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
    SNMPv3 is supported.
    HTH
    Andy

  • 802.1x with Vlan assignment and IP phone and PC

    I have a Catalyst 4510R and I want to implement 802.1x with dynamic VLAN assignment via a RADIUS server. I am going to plug Cisco IP phones and PCs into the switch ports (the PCs are plugged into the IP phones).
    For this implementation I need to configure the switch port in trunk mode because I have a voice VLAN corresponding to the IP phone and a data VLAN corresponding to the PC.
    However, I have read that I cannot enable 802.1x on a trunk port.
    How could I configure this?
    I need the PC, when it is authenticated correctly, to be assigned to its corresponding data VLAN and the IP phone to be in the voice VLAN.
    Thanks

    You should configure the port as an access port with an aux-vlan. Here's an example:
    interface GigabitEthernet2/2
     switchport access vlan 701
     switchport mode access
     switchport voice vlan 702
     load-interval 30
     qos trust device cisco-phone
     qos trust cos
     auto qos voip cisco-phone
     dot1x pae authenticator
     dot1x port-control auto
     tx-queue 3
      bandwidth percent 33
      priority high
      shape percent 33
     spanning-tree portfast
     spanning-tree bpduguard enable
     service-policy output autoqos-voip-policy
    Hope this helps,

  • WoL over 802.1X with Vlan Assignement

    Hello
    I have a switch 3560, and an ACS v4
    In the test phase I have an infrastructure with 802.1X PEAP with automatic VLAN assignment by the ACS according to the machine.
    My question is:
    Is it possible to implement Wake on LAN on 802.1x with a VLAN assignment that is not static (i.e. without use of the command switchport access vlan XXX)?
    PS: if I set the VLAN statically on a port, Wake on LAN works without problem with 802.1X.

    Ok, on interface 0/19 :
    Switchport mode access
    speed 100
    duplex Full
    dot1x pae authenticator
    dot1x port-control auto
    dot1x control-direction in
    spanning-tree portfast
    The software use is like "wolcmd" with configuration of
    MAC address of the PC
    IP of the PC (give by DHCP reservation)
    Subnet mask
    Remote port Number : 7
    The authentication on ACS works fine and on ACS we have these fields
    [064] Tunnel-Type
    value : VLAN
    [065] Tunnel-Medium-Type
    Value : 802.
    [Tunnel-Private-Group-ID]
    Value : 69
    In fact, the only difference between the configs is static or dynamic assignment of the VLAN.
    I don't know if this is what you want.
    thanks

  • 802.1x dynamic VLAN assignment with Radius NPS Server

    I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
    I have followed this documentation,
    http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
    that basically says to use these Radius attributes,
    Tunnel-Medium-Type : 802
    Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
    Tunnel-Type  : VLAN
    There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
    and I have also tried that,
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
    My user authenticates on the port fine, but doesn't get put into a VLAN.  If I add "sw acc vlan 110"  then the user authenticates and then does get an IP address in that VLAN and all is well.
    Anybody know how to get dynamic VLAN assignment working with NPS?
    NPS on Win 2012 R2
    Domain controller separate Win 2012 R2 server
    Cisco 3550 switch

  • 802.1x dynamic vlan assignment with acs5.0

    Hi All, can anyone guide me to configure 802.1x with ACS 5.0? It's a totally new look and I'm not able to find a document related to 802.1x.
    Thanks

    Hi,
    Check out the below link on how to configure 802.1x and ACS administration hope to help !!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    We have 10 2960 switches configured with 802.1x authentication against ACS server 4.2.
    We have 2 VLANs configured on the switches, for administrators and end users. The end user VLAN ID is 10 and the administrator VLAN ID is 100.
    We need to apply the following scenario: if the end user PC (that is connected to VLAN 10) has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
    Is the above scenario doable using dot1x with the ACS server?
    waiting your replies
    Mohamed

  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario
    2 buildings with multiple floors
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop on any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram.

    Hi,
    Check out the link below for your requirement for dynamic VLAN assignment using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • 802.1X dynamic VLAN assignment DHCP issue (Vista client)

    I am labbing dynamic VLAN assignment and have run into a small problem. The switchport is successfully changing to the new VLAN, but my test PC seems to get an IP address in the native data VLAN before being moved to the new dynamically assigned VLAN. So when the switch changes the VLAN the PC keeps its old IP address and nothing talks any more.
    Is this a Vista issue?  I thought all of these problems were just issues in XP?  Do I need to tweak any interface dot1x timers?
    (Cat3750 with 12.2.55 / ACS5.1.  Everything else is running fine by the way.)

    If I do a show run on the switchport the config hasn't changed, but I don't expect it to, as it's not a permanent config change that you would want to be saved by a different admin user saving the config. You can see the debug report it is changing the VLAN:
    Apr 19 09:22:56.263: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
    Apr 19 09:22:58.604: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/19, changed state to up
    Apr 19 09:22:59.560: %DOT1X-5-SUCCESS: Authentication successful for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID
    Apr 19 09:22:59.568: %AUTHMGR-5-VLANASSIGN: VLAN 12 assigned to Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
    Apr 19 09:22:59.585: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to up
    Apr 19 09:23:00.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/19, changed state to up
    Apr 19 09:23:00.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
    as well as checking with the show int switchport command and it is in v12 which is the dynamically assigned vlan
    DHCP server is the cat3750 for all local VLANs

  • 802.1x dynamic vlan assignment based on MAC?

    Hello,
    I am using Catalyst3750 and Windows AD Authentication.
    Our customers' PC is running Windows (isn't 802.1x capable) and is connected to the Catalyst switch.
    Is it possible to dynamic assign a Vlan based on MAC?
    When possible, we want to make it without using VMPS.
    and, is there any document relating to the above.
    Thanks a lot for you help.
    Tomoyuki

    Hello Tomoyuki,
    which Radius Server are you using to authenticate your Clients?
    For the Secure ACS you can configure a feature called "MAC-Authentication-Bypass" which fulfils your requirements.
    This feature must be configured on the switch and on the RADIUS server (which does the VLAN assignment based on the MAC address of the client).
    An overview of this feature can be found here:
    http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
    I hope this helps,
    Kind regards,
    Chris

  • 802.1x Vlan Assignment

    I am planning to implement 802.1x on a 4506 switch. The issue that I have is that I have 5 user departmental VLANs on the switch. How can I configure the ACS to assign each of my users to their respective departmental VLAN? Please help.

    That can be done, it's called "Using 802.1X with VLAN Assignment". Here is a link on cat4000 on how to configure 802.1X with VLAN assignment:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/dot1x.htm#wp1142124
    And here is a link on Using a RADIUS Server to Assign Users to VLANs:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1237ja/i1237sc/s37vlan.htm#wp1038739
    I hope this helps.

  • Yet another IAS + 802.1x dynamic vlan question

    hello all
    For the last 18 months or so there's been a steady stream of folks trying to get dynamic assignment of a VLAN to a user/group using Microsoft's IAS RADIUS.
    Having searched through the Netpro archives, I've never found a definitive explanation of how this is done.
    Sure, its almost common knowledge by now that the three attributes 64(Tunnel-Type=vlan), 65(Tunnel-Medium=802) and 81(Tunnel-Private-Group-ID=vlan name) need to be configured on the Radius Server.
    Recently I discovered that IAS on windows 2003 even includes the Radius "tunnel-tag" attribute, so even that can be included now(as =1).
    Still, having done this, and seeing a "debug radius" on a 2950 switch (with newest code) show that the tunnel-tag starts with "01" --- I STILL can't get this darn thing to work.
    Yes, it works for static 802.1x(no vlan assignment) against a XP sp2 client .
    Yes, I included the "aaa authorization network default group radius" statement.
    If I configure a vlan 5 named "Sales" --- nothing works. Not when I configure attribute 81=Sales in IAS, not when I configure "5" in IAS. Heck, I even used hex values--- till I got
    " Attribute 81 6 01000005 " in the debug,
    all sorts of permutations.
    Please Cisco, somebody --- help us out here.
    The fact of the matter is, though ACS is probably the best way to go (it does NAC & FAST), a lot of clients say "hey - I've got a perfectly good Radius Server for FREE in Windows".
    Can anybody shed some light on this!

    Here is working IAS settings and switch config:
    Ignore-User-Dialin-Properties 4101 True
    Framed-Protocol 7 PPP
    Service-Type 6 Framed
    Tunnel-Medium-Type 65 802
    Tunnel-Pvt-Group-ID 81 102
    Tunnel-Type 64 VLAN
    Tunnel-Tag 4170 1
    *Note that I have VLAN#, not VLAN name on attribute 81
    aaa new-model
    aaa authentication dot1x default group radius none
    aaa authorization network default group radius none
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    interface FastEthernet0/1
     switchport access vlan 100
     switchport mode access
     dot1x port-control auto
     dot1x timeout reauth-period 300
     dot1x guest-vlan 997
     dot1x reauthentication
     spanning-tree portfast
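
    The thread above names the three tunnel attributes (64, 65, 81), the tag byte, and a failed attempt that produced "Attribute 81 6 01000005" in the debug. The following Python is an added example, not code from any poster or vendor: it decodes those attributes as RFC 2868 tagged values and checks them against the RFC 3580 VLAN encoding, where attribute 81 carries the VLAN as a text string. Function names and sample bytes are constructed for illustration, and the tag-consistency check follows RFC 2868 grouping rather than any documented switch behaviour.

```python
# Added example: decode and sanity-check the RADIUS tunnel attributes used for
# 802.1X VLAN assignment (RFC 2868 tagging, RFC 3580 values).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN = 13     # Tunnel-Type value "VLAN"
MEDIUM_802 = 6     # Tunnel-Medium-Type value "802"


def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(buf):
    """Split a RADIUS attribute section into a list of (type, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"attribute {atype}: bad length {alen}")
        out.append((atype, buf[i + 2:i + alen]))
        i += alen
    return out


def tagged_int(value):
    """Tag byte followed by a 3-byte big-endian integer (attributes 64, 65)."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """A first byte 0x01-0x1F is a tag; otherwise it belongs to the string."""
    if value and 0x01 <= value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def check_vlan_assignment(buf):
    """Return (vlan, problems) for the attribute section of an Access-Accept."""
    found = {}
    for atype, value in parse_attributes(buf):
        found.setdefault(atype, value)
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    problems = [f"attribute {a} missing" for a in wanted if a not in found]
    if problems:
        return None, problems

    tag_t, ttype = tagged_int(found[TUNNEL_TYPE])
    tag_m, medium = tagged_int(found[TUNNEL_MEDIUM_TYPE])
    tag_g, group = tagged_string(found[TUNNEL_PRIVATE_GROUP_ID])
    if ttype != TYPE_VLAN:
        problems.append(f"Tunnel-Type is {ttype}, expected {TYPE_VLAN}")
    if medium != MEDIUM_802:
        problems.append(f"Tunnel-Medium-Type is {medium}, expected {MEDIUM_802}")
    if len({tag_t, tag_m, tag_g}) != 1:
        problems.append(f"tags differ: {tag_t}, {tag_m}, {tag_g}")

    # RFC 3580: the VLAN is sent as text ("102" or a VLAN name), not as an integer.
    text = group.decode("ascii", errors="replace")
    if not group or not text.isascii() or not text.isprintable():
        problems.append(f"Tunnel-Private-Group-ID is not a text string: {group.hex()}")
    elif text.isdigit() and not 1 <= int(text) <= 4094:
        problems.append(f"VLAN ID {text} outside 1-4094")
    return (None if problems else text), problems


# Constructed samples: tag 01 on all three attributes, VLAN "100" as text.
VLAN_HEAD = attr(TUNNEL_TYPE, b"\x01\x00\x00\x0d") + attr(TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06")
GOOD = VLAN_HEAD + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"100")
# Attribute 81 carrying the hex value 01000005 quoted in the thread above.
HEX_ID = VLAN_HEAD + attr(TUNNEL_PRIVATE_GROUP_ID, bytes.fromhex("01000005"))

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("HEX_ID", HEX_ID)):
        print(name, check_vlan_assignment(sample))
```
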

  • 802.1x with ACS 4.2 (RADIUS) problem

    HI all!
    I am trying to configure AAA authentication and authorization with a Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client (trying to assign VLAN 100 in my scenario).
    When the user connects to the Router, it passes the authentication process (EAP-MD5). In my debug I see that the Router receives the Radius Attributes BUT does not apply anything!
    My running config:
    Building configuration...
    Current configuration : 1736 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R4
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip domain name lab.local
    ip device tracking
    dot1x system-auth-control
    interface FastEthernet0/0
    ip address 10.10.0.253 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet1/0
    dot1x port-control auto
    interface FastEthernet1/1
    interface FastEthernet1/2
    interface FastEthernet1/3
    interface FastEthernet1/4
    interface FastEthernet1/5
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    interface Vlan100
    ip address 192.168.100.1 255.255.255.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
    radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
    radius-server vsa send accounting
    radius-server vsa send authentication
    My Radius debug information:
    *Mar  1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.491: RADIUS: ustruct sharecount=2
    *Mar  1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
    *Mar  1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
    *Mar  1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
    *Mar  1 00:21:31.511: RADIUS:  authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
    *Mar  1 00:21:31.511: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.511: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.511: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.515: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.515: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.515: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.515: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.515: RADIUS:  EAP-Message         [79]  11
    *Mar  1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
    *Mar  1 00:21:31.515: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12  [???L?m??N??=S?A?]
    *Mar  1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
    *Mar  1 00:21:31.555: RADIUS:  authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
    *Mar  1 00:21:31.555: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC  [??????????&?R?C?]
    *Mar  1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
    *Mar  1 00:21:31.555: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.559: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E  ["???D????,?B????]
    *Mar  1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
    *Mar  1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.587: RADIUS: ustruct sharecount=1
    *Mar  1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
    *Mar  1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
    *Mar  1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
    *Mar  1 00:21:31.591: RADIUS:  authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
    *Mar  1 00:21:31.595: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.595: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.595: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.595: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.595: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.595: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.595: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC  [?????????9?)????]
    *Mar  1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
    *Mar  1 00:21:31.595: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13  [3W??\$??g?????t?]
    *Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
    *Mar  1 00:21:31.731: RADIUS:  authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
    *Mar  1 00:21:31.735: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
    *Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
    *Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
    *Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
    *Mar  1 00:21:31.739: RADIUS:  Class               [25]  22
    *Mar  1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30  [CACS:0/5b1/a0a00]
    *Mar  1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
    *Mar  1 00:21:31.739: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26  [u?????l?M\?P???&]
    *Mar  1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
    As a result the vlan-switch database does not change.
    Any help will be appreciated!
    Thanks a lot,
    Chelovekov Alexander

    I've tried multiple ways to cope with this problem but nothing was helpful...
    Tunnel-Medium-Type  [65]  6   01:ALL_802
    I use only ACS Radius attributes and chose only what ACS allows me to choose (Tunnel-medium-type: 802).
    Screenshot in attachment.
    The same situation occurs when I try to use some Vendor Specific Attributes (Cisco-AV-Pair) - downloadable ACEs to my user, and again, I see Radius attributes in my debug but nothing is applied to my L3 Switch.
    What am I missing?

  • Dynamic vlan assignment with 1242AG and IAS not working

    I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine.  I've tried everything I can think of.  Any suggestions?
    IAS and AD is running on Windows Server 2003
    Everything works fine except the vlan assignment.  Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
    PEAP is the authentication method, using MS-CHAP v2.  Naturally I have the attributes in the policy set appropriately, ie:
    Tunnel-Medium-Type > 802
    Tunnel-Pvt-Group-ID > vlanid
    Tunnel-Type > VLAN
    On the AP:
    Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
    I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
    Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

    Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
    I did view the debug from an AP which showed the Tunnel attributes being received from the radius server (I'll have to wait until Monday to get a copy though).
    I see I don't have that line "aaa authorization network default group rad_eap",
    So I'll have to give it a try (maybe I can remote in so I don't have to wait until Monday).
    Thanks,
    Jason
