871 802.1x with vlan assignment aka dynamic vlan

you can do vlan assignment on 871W wireless using the local radius server but unfort only LEAP which is N.G.
I have been pounding on wired 802.1x PEAP (which works) trying to get vlan re-assignment. Have tried with IAS which I am using to do vlan reassignment with the WLC so I have the idea of how it works with IAS. With 871, no go. Have also tried ACS for radius with same results: can't escape the switchport's vlan. With debug radius local you can see the tunnel attributes for reassignment plainly but with debug radius with IAS or ACS, nada.
Using 12.4(6)T advanced IP.
I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
Has anybody got this to work? Any info much appreciated
Greg Turner

SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
SNMPv3 is supported.
HTH
Andy

Similar Messages

802.1x and wired dynamic vlans on MAC addresses

Hi All,
I would like to setup our new offices with dynamic vlans determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which vlan they will go in, with separate vlans for printers and servers and computers and BYOD. If this can work for wireless too then even better.
I've done some reading but am really struggling to find the information I need.
We have a Windows domain and brand new 3850 Cisco switches.
Can anyone steer me in the right direction (or tell me how to do it!) please?
Thanks for reading.

Hi,
So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.
In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:
Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.
Tunnel-Type. Select Virtual LANs (VLAN).
You can find more information here:
Configure a Network Policy for VLANs
VLAN Attributes Used in Network Policy
802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
HTH.

Wlc2112-k9 802.1x dynamic vlans on multiple ports

I have a wlc2112-k9. I have succesfully setup a WLAN with 802.1x authentication and dynamic VLAN assignment. The issue I have (and maybe it isn't an issue and just the way the controller works) is that if the vlan interfaces I have defined are connected to different ports from which the default interface for the WLAN it doesn't work.
So for instance, I create my WLAN and set the interface to the management interface (which is connected to port 1). I then define all my other vlan interfaces that could be returned by my radius server.
     ex: vlan_102 connected to port 2
           vlan_104 connected to port 3
           vlan_106 connected to port 4
And so forth.
Port 1 is configured on the switch on vlan 21. If the radius server returns a VLAN ID of 102, 104 or 106 my client successfully connects to the WLAN but it gets put on VLAN 21. However if I move the vlan interfaces above over to port 1 the client correctly gets put on the correct VLAN.
All ports on the switch are configured as trunk with the native vlan set to the corresponding value that is set on the WLC.
Is this just the way the controller functions? That it can't assign a client to a different interface that is connected to a different port from the default one setup when the WLAN is created? I would have just though that if the radius server returned VLAN 102 that it would find that interface and connect the user session via that interface regardless of the port it is configured on.
Thanks

dynamic vlan assignment should work with the controller
by returing the standard IETF attributes
64,65, and 81
You said that you have configured the native vlan on each trunk port to be exactly the same as the vlan assigned to dynamic interface on the neighbor controller port. Make sure to have the native vlan something else specially i guess that you have tagged the vlans on those dynamic interfaces.
Please make sure to rate correct answers

ACS + VMWare thin clients with dynamic vlans

Good afternoon,
I need to deploy a solution with thin clients and dynamic vlans (802.1x). All switches are catalyst 3560 and superior
Can I do this using only de ACS? Will it work?
Thank you

Hi,
Dynamic Vlan assignment can be configure on the ACS.
Please see the configuration example on the link below, this configuration example is for WLC but the ACS configuration is the same.
http://tinyurl.com/2oxg32
If you have any doubts do not hesitate to contact me

802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.

SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.

802.1x authetication with dynamic Vlan assignment by a radius server

Hi
At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
What does work:
- If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
- When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized".
So far so good.
But what doesn't work:
- it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
- I can not find the Guest VLAN.
Any help would be appriciated.

Hi Wouter,
Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Aleksandra

802.1x dynamic VLAN assignment with Radius NPS Server

I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
I have followed this documentation,
http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
that basically says to use these Radius attributes,
Tunnel-Medium-Type : 802
Tunnel-Pvt-Group-ID : My_VLAN_Number (also tried VLAN name)
Tunnel-Type : VLAN
There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
and I have also tried that,
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
My user authenticates on the port fine, but doesn't get put into a VLAN. If I add "sw acc vlan 110" then the user authenticates and then does get an IP address in that VLAN and all is well.
Anybody know how to get dynamic VLAN assignment working with NPS?
NPS on Win 2012 R2
Domain controller separate Win 2012 R2 server
Cisco 3550 switch

Hi All, Can any one guide me to
configure 802.1x with acs 5.0. Its totally new look and m not able to
find document related to 802.1x.Thanks
Hi,
Check out the below link on how to configure 802.1x and ACS administration hope to help !!
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
Ganesh.H

802.1x dynamic vlan assignment with acs5.0

Hi All, Can any one guide me to configure 802.1x with acs 5.0. Its totally new look and m not able to find document related to 802.1x.
Thanks

Hi All, Can any one guide me to
configure 802.1x with acs 5.0. Its totally new look and m not able to
find document related to 802.1x.Thanks
Hi,
Check out the below link on how to configure 802.1x and ACS administration hope to help !!
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
Ganesh.H

WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server. 802.1x authorization and authenication correctly work. The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly. From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium high level config for any future viewers of this thread:
The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues with cleartext passwords, ldap not indexed properly for performance)
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start of system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed ladp schemas for radius. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create a admin password for slapd. Record this password for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group; if it doesn't exisit. Depending on the install rpm, it may have been created
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include        /etc/openldap/schema/corba.schema
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/duaconf.schema
include        /etc/openldap/schema/dyngroup.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/java.schema
include        /etc/openldap/schema/misc.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/openldap.schema
include        /etc/openldap/schema/ppolicy.schema
include        /etc/openldap/schema/collective.schema
#Radius include
include        /etc/openldap/schema/radius.schema
#Samba include
#include        /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org
pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database    bdb
#dn suffix, domain components read in order
suffix        "dc=cisco,dc=com"
checkpoint    1024 15
#root container node defined
rootdn        "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
rootpw
{SSHA}
cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory    /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index uid,memberUid                     eq,pres,sub
# enable monitoring
database monitor
# allow onlu rootdn to read the monitor
access to *
         by dn.exact="cn=Manager,dc=cisco,dc=com" read
         by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully if everything is correct, should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcobject
objectClass: organization
o: cisco
dc: cisco
dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people
description: people
dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the ldap db, makes sure that we can request and receive results back
ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenicator (dynamic vlan assignments as an example). Below is an example for dynamic vlan addresses
cd /etc/raddb
vi ldap.attrmap
For dynamic vlan assignments, verify the follow lines exist:
replyItem    Tunnel-Type                                   radiusTunnelType
replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
Since we are planning to use the userpassword, we will let the mschap module perform the NT translations for us. Add the follow line to check ldap object for userpassword and store as Cleartext-Password:
checkItem    Cleartext-Password    userPassword
2. Configure eap.conf. The following sections attributes below should be verified. You may change other attributes as needed, they are just not covered in this document.
eap
{      default_eap_type = peap      ..... }
tls {
    #I will not go into details here as this is beyond scope of setting up freeradisu. The defaults will work, as freeradius comes with generated self signed certificates.
peap {
    default_eap_type = mschapv2
    #you will have to set this to allowed the inner tls tunnel attributes into the final accept message
    use_tunneled_reply = yes
3. Change the authenication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenicate section, uncomment the ldap module
vi inner-tunnel
Very importants, for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize
{      ldap      mschap      ...... }
4. Configure ldap module
cd /etc/raddb/modules
ldap
{        server=localhost       identify = "cn=Manager,dc=cisco,dc=com"        password=admin       basedn="dc=cisco,dc=com"       base_filter = "(objectclass=radiusprofile)"       access_attr="uid"       ............   }
5. Start up radius in debug mode on another console
radiusd -X
6. radtest localhost 12 testing123
You should get a Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test libarary called eapol_test
First install openssl support libraries, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST = y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network=
{   eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="jonatstr"   password="ggsg" \#If you want to verify the Server certificate the below would be needed   \#ca_cert="/root/ca.pem" phase2="auth=MSCAHPV2"   }
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

Dynamic vlan assignment with 1242AG and IAS not working

I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. Any suggestions?
IAS and AD is running on Windows Server 2003
Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately, ie:
Tunnel-Medium-Type > 802
Tunnel-Pvt-Group-ID > vlanid
Tunnel-Type > VLAN
On the AP:
Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
I did view the debug from an AP which showed the Tunnel attributes being recieved from the radius server (I'll have to wait until Monday to get a copy though).
I see I don't have that line "aaa authorization network default group rad_eap",
So I'll have give it a try, (maybe I can remote in so I don't have to wait until Monday).
Thanks,
Jason

RDP with 802.1x, machine and user auth and dynamic VLAN

Hi,
we have 802.1x implemented with machine and user auth. We also use dynamic VLAN assignment. Our client is AnyConnect 3.1. Operating system is Windows 7. With Windows XP, it works just fine.
When we try to connect to the 802.1x auth desktop with RDP (desktop is machine authenticated, no user is logged in), we are able to authenticate but as soon as VLAN and IP address changes according to user authentication profile, RDP session is terminated. It is not just disconnected but remote user is logged out and AnyConnect reverts 802.1x session back to machine VLAN. We cannot login with RDP and just loop between machine-user-machine authentication.
With this behavior the TermDD message (ID 56) can be seen in system log. Following the response
http://social.technet.microsoft.com/Forums/windows/en-US/b7814ec3-6a49-469c-8773-909c50415942/the-rdp-protocol-component-x224-detected-an-error-in-the-protocol-stream-and-has-disconnected-the
, I was able to get rid of TermDD message but I still loop in machine-user-machine authentication.
The following is TermDD message:
+
System
Provider
[ Name]
TermDD
EventID
56
[ Qualifiers]
49162
Level
2
Task
0
Keywords
0x80000000000000
TimeCreated
[ SystemTime]
2013-06-10T09:25:28.515308700Z
EventRecordID
26643
Channel
System
Computer
XTCSSPWA03.cen.csint.cz
Security
EventData
\Device\Termdd
10.190.64.208
0000040002002C000000000038000AC00000000038000AC000000000000000000000000000000000410200D0
Binary data:
In Words
0000: 00040000 002C0002 00000000 C00A0038
0008: 00000000 C00A0038 00000000 00000000
0010: 00000000 00000000 D0000241
In Bytes
0000: 00 00 04 00 02 00 2C 00    ......,.
0008: 00 00 00 00 38 00 0A C0   ....8..À
0010: 00 00 00 00 38 00 0A C0   ....8..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: 41 02 00 D0               A..Ð
Also AnyConnect shows that upon successful authentication and DHCP operation, it catches some exception and reverts back from user to machine VLAN:
3876: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: Authentication Success
3877: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} canceling existing DHCP work
3878: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} stop
3879: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA38), dataLen(0) (cimdIo.cpp 2156)
3880: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3881: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} creating a new DHCP work
3882: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: CancelCmd [state: COMPLETE]
3883: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: DHCP: Sending DHCP request
3884: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: queueing DHCP work
3885: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} start
3886: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA3C), dataLen(2) (cimdIo.cpp 2156)
3887: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) data follows ... (cimdIo.cpp 2159)
3888: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      08 06                                                .. (cimdIo.cpp 2159)
3889: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3890: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) pEthTypes data follows ... (cimdIo.cpp 2273)
3891: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3)      06 08                                                .. (cimdIo.cpp 2273)
3892: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connect {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} starting
3893: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: StartCmd [state: COMPLETE]
3894: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
3895: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
3898: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine current state = ACCESS_CONNECTED, received adapterState = authenticated
3899: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: port authentication succeeded
3900: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine new state = ACCESS_CONNECTED
3901: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Cancel event [state: COMPLETE]
3902: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: COMPLETE -> INIT
3903: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Get-Connectivity event [state: INIT]
3904: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: INIT -> WAIT_FOR_CONNECTIVITY
3905: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: IN_PROGRESS
3906: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: GetConnectiviyCmd [state: WAIT_FOR_CONNECTIVITY]
3907: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
3908: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Check-Connectivity event [state: WAIT_FOR_CONNECTIVITY]
3909: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: (initial) ipCfg: IP:10.190.95.74(255.255.255.248) GW:10.190.64.1
3910: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: TestConnectivityCmd [state: WAIT_FOR_CONNECTIVITY]
3911: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: API (3) event: complete (portWorkList.c 130)
80: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1524]: Tx CP Msg: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ssc="http://www.cisco.com/ssc" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <networkStateEvent>   <sequenceNumber>19</sequenceNumber>   <groupName>Local networks</groupName>   <networkName>CS-wired-pass</networkName>   <networkState>AcquiringIpAddress</networkState>   <adapterName>Broadcom NetXtreme Gigabit Ethernet</adapterName>   <serverVerifiedName>ise-2.csint.cz</serverVerifiedName> </networkStateEvent> </SOAP-ENV:Body></SOAP-ENV:Envelope>
3912: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: PORT (3) port: ARP_REQ (portMsg.c 731)
3913: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_SEND, ifIndex(1), pData(0x024EEB40), dataLen(64) (cimdIo.cpp 2156)
3914: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) data follows ... (cimdIo.cpp 2159)
3915: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3)      00 00 00 00 FF FF FF FF FF FF D4 85 64 B8 43 61     ........ ....d.Ca      08 06 00 01 08 00 06 04 00 01 D4 85 64 B8 43 61     ........ ....d.Ca      0A BE 5F 4A 00 00 00 00 00 00 0A BE 40 01 00 00     .._J.... ....@...      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ........ ........ (cimdIo.cpp 2159)
3941: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3942: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: SUCCESS
3943: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
3944: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM current: state(STATE_AUTHENTICATED), event(EVENT_IP_CONNECTIVITY)
3945: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM state change: STATE_AUTHENTICATED -> STATE_CONNECTED
3946: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: handleEventAndDoStateTransitionAction action : ACTION_IP_CONNECTIVITY
3947: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
3948: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
1: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {25CBB996-92ED-457E-B28C-4774084BD562} LogLevel=0xF
2: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
3: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({25CBB996-92ED-457E-B28C-4774084BD562}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
4: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC050) instantiated for CLSID:{25CBB996-92ED-457E-B28C-4774084BD562}
5: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {3DD6BEC0-8193-4FFE-AE25-E08E39EA4063} LogLevel=0xF
6: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
7: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
8: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC850) instantiated for CLSID:{3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}
9: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {503739D0-4C5E-4CFD-B3BA-D881334F0DF2} LogLevel=0xF
10: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\VaultCredProvider.dll.
11: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({503739D0-4C5E-4CFD-B3BA-D881334F0DF2}): Attempting to load Dir=C:\windows\System32, FileName=VaultCredProvider.dll
12: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003A30B0) instantiated for CLSID:{503739D0-4C5E-4CFD-B3BA-D881334F0DF2}
13: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
14: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
15: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
16: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003AF710) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
17: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {8BF9A910-A8FF-457F-999F-A5CA10B4A885} LogLevel=0xF
18: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
19: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({8BF9A910-A8FF-457F-999F-A5CA10B4A885}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
20: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003B7D70) instantiated for CLSID:{8BF9A910-A8FF-457F-999F-A5CA10B4A885}
21: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {94596C7E-3744-41CE-893E-BBF09122F76A} LogLevel=0xF
22: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
23: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({94596C7E-3744-41CE-893E-BBF09122F76A}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
24: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003C03D0) instantiated for CLSID:{94596C7E-3744-41CE-893E-BBF09122F76A}
25: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {AC3AC249-E820-4343-A65B-377AC634DC09} LogLevel=0xF
26: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\BioCredProv.dll.
27: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({AC3AC249-E820-4343-A65B-377AC634DC09}): Attempting to load Dir=C:\windows\System32, FileName=BioCredProv.dll
28: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003CABC0) instantiated for CLSID:{AC3AC249-E820-4343-A65B-377AC634DC09}
29: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {B12744B8-5BB7-463A-B85E-BB7627E73002} LogLevel=0xF
30: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CClassFactory(00000000001FFF00) CreateInstance calling CoCreateInstance on MS password cred prov
31: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
32: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
33: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
34: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003D3220) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
35: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003DB880) instantiated for CLSID:{B12744B8-5BB7-463A-B85E-BB7627E73002}
36: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435} LogLevel=0xF
37: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\certCredProvider.dll.
38: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}): Attempting to load Dir=C:\windows\system32, FileName=certCredProvider.dll
39: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003E3EE0) instantiated for CLSID:{E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}
3963: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\os\win\osAsync_win.c:233: => SL_STATUS_NO_CONNECTION
3964: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:102: => SL_STATUS_NO_CONNECTION
3965: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:194: => SL_STATUS_NO_CONNECTION
3966: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\ipcFuncs.c:105: => SL_STATUS_NO_CONNECTION
3967: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: CAUGHT: NoConnectionException
3968: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585050, err=0(OS_OK), thread_id=2460
3969: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585838, err=0(OS_OK), thread_id=3692
89: XTCSSPWA03: 6 10 2013 11:25:06.367 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1228]: ServiceControlHandlerEx:WTS_SESSION_LOGOFF, Session ID: 1
If we do not change VLAN from machine to user, it works just fine.
Have anybody seen this problem? Have anybody fixed it?
Thanx, Martin

Hi,
unfortunately not.
I have gone through extensive troubleshooting from Microsoft and Cisco sides twice and the result is:
1) AnyConnect performs EAPol logoff when it detects RDP session termination. So it goes from user to machine authentication
2) Windows 7 performs RDP session termination when IP address changes due to the change of VLAN (from machine VLAN to user VLAN)
Cisco claims that AnyConnect behavior is correct and Microsoft claims that they do not want to change this behavior (reset of RDP session).
I can imagine that Cisco can detect whether RDP session was terminated due to the IP address change or not and do not revert back to machine authentication in such a case.
In fact there was nobody at Cisco that was willing to listen to me or accept this like something that needs a fix. The only thing you can do is to enable "Extend connection beyond logoff". AnyConnect does not send EAPol logoff if it detects RDP session termination and you can establish another RDP session which does not fail and you stay connected with RDP.
Martin

802.1x with Vlan assignment and IP phone and PC

I have a Catalyst 4510R and I want to im plement 802.1x with dynamic VLAN assignment via Radius server. I am going to plug to switch ports Cisco IP phones and PCs (PCs are plugged in the IP phone).
For this implementation I need to configure the switch port in mode trunk because I have voice vlan corresponding IP phone and data vlan corresponding to PC.
However I have read that I can not enable 802.1x on a trunk port.
How could I configure this?
I need that when the PC is authenticated correctly is assigned to his cooresponding data vlan and the IP phone is in the voice vlan.
Thanks

You should configure the port as an access port with an aux-vlan. Here's an example:
interface GigabitEthernet2/2
switchport access vlan 701
switchport mode access
switchport voice vlan 702
load-interval 30
qos trust device cisco-phone
qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
dot1x port-control auto
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree portfast
spanning-tree bpduguard enable
service-policy output autoqos-voip-policy
Hope this helps,

802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

Currently Being Moderated
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.
If possible show:
1. ACS/Radius Configurations.
2. End User Switch Configurations
Variables:
Switch A
MAC Address aaaa.bbbb.cccc     Vlan 10
            bbbb.cccc.dddd     Vlan 20
Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
Thanks in advance. .

Hi Guys,
    Hmmm, well if your just looking for Mac based authentication the good news is that is very easy. Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc. Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address. Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)
   So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password. Then check the Separate(Chap/MS-Chap/ARAP) box. Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
   Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
    Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
    If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

802.1x dynamic vlan assignment using ACS 4.2

Hi
we have 10 switches 2960 configured with 802.1x authentication against ACS server 4.2.
we have 2 vlans configured on the switches for administrator and endusers. the end user vlan id is 10 and the administartor vlan is is 100.
we need to apply the following scenario, if the enduser PC - that is connected to vlan 10 - has an issue and the administrator will login to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator vlan ( 100 ) .
is the above scenario doable using dot1x with the ACS server?
waiting your replies
Mohamed

Hi,
I have the following scenario
2 bulidings with multiple floor
Each floor should be in different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
Each
user should be able to connect and roam around between any building.
when ever a user is connecting his laptop to any floor, he should be
made part of that respective vlan. It is not requred to have the same
IP rage to be allocated, but the dynamic VLAN should be based on the
switch port location.
Can
I configure ACS in such a way that, the ACS will allocate dynamic VLAN
for every 802.1x authentication based on the Network Device Group.
Please refer the attached diagram
Hi,
Check out the below link for your requirement for dynamic vlan assignement using ACS
http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post

802.1x Dynamic Vlan assignment using ACS

Hi,
I have the following scenario
2 bulidings with multiple floor
Each floor should be in different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
Each user should be able to connect and roam around between any building. when ever a user is connecting his laptop to any floor, he should be made part of that respective vlan. It is not requred to have the same IP rage to be allocated, but the dynamic VLAN should be based on the switch port location.
Can I configure ACS in such a way that, the ACS will allocate dynamic VLAN for every 802.1x authentication based on the Network Device Group. Please refer the attached diagram

Hi,
I have the following scenario
2 bulidings with multiple floor
Each floor should be in different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
Each
user should be able to connect and roam around between any building.
when ever a user is connecting his laptop to any floor, he should be
made part of that respective vlan. It is not requred to have the same
IP rage to be allocated, but the dynamic VLAN should be based on the
switch port location.
Can
I configure ACS in such a way that, the ACS will allocate dynamic VLAN
for every 802.1x authentication based on the Network Device Group.
Please refer the attached diagram
Hi,
Check out the below link for your requirement for dynamic vlan assignement using ACS
http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post

871 802.1x with vlan assignment aka dynamic vlan

Similar Messages

Maybe you are looking for