Dynamic VLANs on a Catalyst 3560
Hello,
I'm looking for a solution that would enable me to assign users to a specific VLAN based on MAC address. I'm using a Catalyst 3560 switch. Is there something similar to VMPS that would allow me to do this? I would like to run VMPS, but it looks like you need a VMPS server (catalyst 5000) to do this. Any help would be appreciated. Thanks!
They can be is the answer; however they don't have to be. Not all Cisco IP Phones have an 802.1x Supplicant (I assume you are using Cisco IP Phones and Voice VLANs?), only the newer ones do I think (7941, 7961, 7970 etc). I think by default the Voice VLAN on the access port does not do 802.1x authentication so the Phones bypass any 802.1x authentication.
If you have non-Cisco IP Phones then there are some more hurdles like VLAN detection and, depending on the vendor, this can be achieved in a number of ways. It should all be possible though.
Andy
Similar Messages
Vlan mapping cisco catalyst 3560
Hello
which Cisco switches support vlan mapping ?
and does the Cisco Catalyst 3560 support VLAN mapping or not?
Thank you.
Thank you pdanekul,
I know the 3750 supports VLAN mapping but on the 3560 I cannot see the VLAN mapping config
switchport vlan mapping
and also I cannot see it in the Cisco Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swtunnel.html
Using ISE to dynamically VLAN change
Hello all,
I need some help to dynamically change the VLAN on each port of my Catalyst 3560. To do this, I don't want to use MAC address filtering; I want to use the conditions already in place in my ISE to switch the port between two VLANs (Guest and Corporate), where one gives access to the corporate LAN and the other to the Internet without LAN access.
Maybe some of you could have some ideas on how to do this, with or maybe without VLANs?
PS : Sorry for my bad English, i'm not a native English speaker ;)
Thank you in advance.
I do not get exactly what you are looking for... But still:
The two kinds of access you are anticipating can be achieved either way.
Change of VLAN: as explained by you... you need to create two different authorization policies according to the (AD) group the user belongs to <e.g. employee or guest>.
dACL: you can push a downloadable ACL to the switch according to the user's AD membership.
Let me know if you need help from a design or configuration point of view...
ACS + VMWare thin clients with dynamic vlans
Good afternoon,
I need to deploy a solution with thin clients and dynamic VLANs (802.1x). All switches are Catalyst 3560 and above.
Can I do this using only the ACS? Will it work?
Thank you
Hi,
Dynamic VLAN assignment can be configured on the ACS.
Please see the configuration example on the link below, this configuration example is for WLC but the ACS configuration is the same.
http://tinyurl.com/2oxg32
If you have any doubts do not hesitate to contact me
Dynamic VLAN assignments with ACS
Hello all.
I am trying to do dynamic vlan assignments with dot1x auth. I am using ACS5.3 and Cisco 3560.
I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
aaa group server radius nac_servers
 server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
aaa authentication dot1x default group nac_servers
aaa authorization network default group nac_servers
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 364
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event no-response action authorize vlan 303
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
When the user connects I get the following via debug:
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
Any idea what config I'm missing?
Thanks
Paul
Hello.
Here is what's left in the log.
Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.253: EAPOL pak dump rx
Apr 30 15:19:36.253: EAPOL Version: 0x1 type: 0x0 length: 0x007B
Apr 30 15:19:36.253: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.007b
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.278: EAPOL pak dump rx
Apr 30 15:19:36.278: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.278: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.294: EAPOL pak dump rx
Apr 30 15:19:36.294: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.294: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
Hope that helps
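The debug output above shows the order of events a healthy dynamic-VLAN session produces on IOS: %DOT1X-5-SUCCESS, then %AUTHMGR-5-VLANASSIGN, then %AUTHMGR-5-SUCCESS, all carrying the same AuditSessionID. The Python below is an added example, not code from this thread or from Cisco: it groups such syslog lines per session and then compares the VLAN the log claims was assigned against the VLAN the operator actually sees in "show interfaces status", which is the mismatch Paul reports. The sample lines for the first session are taken from the log above; the second session and the PORT_VLANS dictionary are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample. Session 1 reproduces the thread's log; session 2 is a
# made-up port that authorized without any VLAN assignment.
SAMPLE_LOG = """\
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:20:01.100: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa0/3 AuditSessionID 00000000000000200000AAAA
Apr 30 15:20:02.200: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/3 AuditSessionID 00000000000000200000AAAA
"""

# Constructed: what "show interfaces status" reported for each port.
PORT_VLANS = {"Fa0/2": 1, "Fa0/3": 10}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): %(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z_]+): (?P<msg>.*)$")
SESSION_RE = re.compile(r"AuditSessionID (?P<sid>[0-9A-Fa-f]+)")
IFACE_RE = re.compile(r"Interface (?P<iface>\S+)")
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\)")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned")


def parse_sessions(log_text):
    """Group %MNEMONIC lines by AuditSessionID; dot1x-ev chatter is skipped."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        s = SESSION_RE.search(msg)
        if not s:
            continue  # e.g. %LINEPROTO lines carry no session id
        rec = sessions.setdefault(s.group("sid"),
                                  {"interface": None, "client": None, "vlan": None, "events": []})
        rec["events"].append(m.group("mnemonic"))
        i = IFACE_RE.search(msg)
        if i:
            rec["interface"] = i.group("iface")
        c = CLIENT_RE.search(msg)
        if c:
            rec["client"] = c.group("mac")
        v = VLAN_RE.search(msg)
        if v:
            rec["vlan"] = int(v.group("vlan"))
    return sessions


def audit_sessions(sessions, port_vlans):
    """Flag sessions that authorized with no VLAN, or whose logged VLAN
    disagrees with the VLAN observed on the port."""
    findings = []
    for sid, rec in sessions.items():
        ev = rec["events"]
        if "AUTHMGR-5-SUCCESS" in ev and "AUTHMGR-5-VLANASSIGN" not in ev:
            findings.append((sid, rec["interface"],
                             "authorized without a dynamic VLAN; port keeps its configured access VLAN"))
        if rec["vlan"] is not None:
            observed = port_vlans.get(rec["interface"])
            if observed is not None and observed != rec["vlan"]:
                findings.append((sid, rec["interface"],
                                 f"log reports VLAN {rec['vlan']} but the port shows VLAN {observed}"))
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_sessions(SAMPLE_LOG), PORT_VLANS):
        print(*finding)
```

Run against a real "show logging" capture and a dictionary built from "show interfaces status", the second finding is the one that matters for this thread: the RADIUS reply and the authenticator agreed on VLAN 300, so the gap is between the authorization manager and the port's actual state, not between switch and server.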
802.1x and wired dynamic vlans on MAC addresses
Hi All,
I would like to setup our new offices with dynamic vlans determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which vlan they will go in, with separate vlans for printers and servers and computers and BYOD. If this can work for wireless too then even better.
I've done some reading but am really struggling to find the information I need.
We have a Windows domain and brand new 3850 Cisco switches.
Can anyone steer me in the right direction (or tell me how to do it!) please?
Thanks for reading.
Hi,
So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.
In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:
Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.
Tunnel-Type. Select Virtual LANs (VLAN).
You can find more information here:
Configure a Network Policy for VLANs
VLAN Attributes Used in Network Policy
802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
HTH.
Configuracion SW catalyst 3560
I have a Catalyst 3650 switch connected to 2 Catalyst 2960G switches. On the 2 2960G switches I have several VLANs configured. How do I interconnect the VLANs on the 2 2960G switches with the Servers VLAN I have on the 3560 switch? I used to do this without problems using a router, but now I have an L3 3560 switch that replaces the router and I don't know how to configure it.
Are the VLANs created on the 3560 the same as on the 2960G? Can you show the configuration of the two switches?
First, you have to enter the command ip routing on the 3560.
Second, you need a 'trunk' on the connections between the two switches.
Third, you have to create 'interfaces' on the 3560 with the VLAN's IP.
SRW224G4P uplink to catalyst 3560 switch trunk
I have many SRW224G4P switches, and I use a Catalyst 3560 as the core switch.
The SRW224G4P uplinks to the 3560 switch.
How should I configure the port of the 3560 towards the SRW224G4P (there are many VLANs in my network)
and the port of the SRW224G4P towards the 3560's port?
PS: config trunk port problem
Hi Wei,
Are you working on the Linksys SRW224G4P or the replacement Cisco (300 Series) SRW224G4P-K9-NA? Can you attach your 3560 Trunk Port Configuration along with the VLAN Configuration?
Thanks,
Kevin
Catalyst 3560 routing for network boot
Hi guys,
I'm a Cisco noob so please forgive me if I'm asking stupid questions :)
I have a Cisco Catalyst 3560 in my lab and it's currently a single VLAN set up with all 48 interfaces in it. The switch receives static IPs from the router and as far as I understand is not doing any routing by itself. I'd like to run my own tftp server available only to the servers on this switch (for network boot).
So what I probably need this switch to run is some kind of an internal network i.e. 10.10.2.0 so I'd be able to reach the servers on this switch both via an external IP xxx.xxx.xxx.xxx and an internal one say 10.10.2.3 during the PXE boot.
So how should it be done and is it possible at all?
I hope I'm making myself clear and you got the idea. Please ask if you don't. :)
BR,
Paul
For example, if I start the security wizard and choose a single interface (FastEthernet6 in this case) to block port 25 on I get this config:
Restricting Applications.
Creating ACL SecWiz_Fa0_6_in_ip based on provided criteria
Creating VLAN Map SecWiz_Vlan1
Applying VLAN Map
Applying VLAN Map SecWiz_Vlan1 to Vlan1
and when I click on Show CLI sequence:
Cisco1(config)# no vlan access-map SecWiz_Vlan1 10
Cisco1(config)# no ip access-list Extended SecWiz_Fa0_6_in_ip
Cisco1(config)# ip access-list extended SecWiz_Fa0_6_in_ip
Cisco1(config-ext-nacl)# deny tcp any any eq 25
Cisco1(config-ext-nacl)# permit ip any any
Cisco1(config-ext-nacl)# exit
Cisco1(config)# vlan access-map SecWiz_Vlan1
Cisco1(config-access-map)# 10 match ip address SecWiz_Fa0_6_in_ip
Cisco1(config-access-map)# 10 action forward
Cisco1(config-access-map)# exit
Cisco1(config)# vlan filter SecWiz_Vlan1 vlan-list 1
after I apply the changes port 25 gets blocked on the entire switch. I believe it will be the same for what I'm trying to do now.
Assistance Disabling BPDU Guard: Catalyst 3560 CG
Good Morning Guys,
Here's the situation:
Configuring cisco wireless bridges - every time I get both devices up in my wireless controller, the port my root bridge is connected to on the catalyst 3560 CG switch gets disabled with the following error:
"SPANTREE - 2- BLOCK_BPDUGUARD: Received BPDU on port, *** with BPDU Guard enabled, disabling port."
I've done some research on BPDU Guard and I've tried applying the following commands to no avail:
1. errdisable detect cause bpdguard shutdown vlan (global and config mode)
2. spanning-tree bpduguard disable (configuration mode at the interface)
any assistance to prevent the port from shutting down would be greatly appreciated.
Christian
You should double check the interface configs on both. It is shutting the port down because it is receiving BPDUs. This could be because your switch port is configured for access but the WLC is configured as trunk...
Cat 3750 with Voice VLAN and Dynamic VLANs
Morning,
Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
Is a RADIUS server able to provide values to change the native vlan?
Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
Thanks,
Voice VLANs don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access VLAN, so in 2950 or above the only config you need is:
interface FastEthernet0/1
switchport
switchport mode access
switchport access vlan 10
switchport voice vlan 100
This is effectively the same as:
interface FastEthernet0/1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 10,100
The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
QoS is not detailed anywhere here and that obviously plays an important role with voice.
In your scenario I am not sure ACS can do what you describe as this will require 802.1x supplicants on the client PC's (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non 802.1x capable devices). This seems to me more of a VMPS application.
Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
HTH
Andy
How do I add a Subnet and vlan with a catalyst 3550 and RV120
Hello Friends.
I have a scenario that I'm hoping I can get some help with. I'll be as detailed and descriptive as I can.
This is for a business with 100 employee nodes and 100 camera nodes, all needing IP internet through private addressing and a public gateway.
I have a business class gateway with a private range of 12 public addresses. The modem does nothing but act as a gateway since I have disabled the firewall and DHCP.
In place of the firewall and DHCP from the modem I have installed an RV120 Firewall with VPN. When installing I replicated the IP scheme of the modem so as not to disturb and disrupt the devices assigned addresses from that scheme by the modem. I did this because the owner could not have any downtime or any disruption to the business operations.
The RV120 now acts as firewall, DHCP, and VPN. I'll address the subnet first. I'm using the 10.0.0.0/24 subnet range.
DHCP is assigning 10.1.10.50 - 10.1.10.100; the rest are static and I plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
VPN uses PPTP assigned addresses 10.1.10.6 - 10.1.10.10.
There are no layer 3 switches that I know of. Just a layer two that is the primary switch and whose ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
I want to implement subnets into the network and VLANs as well on a new Layer 3 switch from Cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
I want to replace the 10.0.0.0/24 DHCP altogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes, segmented.
I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
I've thought of replacing all the wireless nodes with RV120s and using VLANs. Don't know if that strategy works. Need to think it through.
I want the 192.168.0.0/24 IP range to communicate with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
Any advice on how to do this?
As a side note the next step after this is to install a server domain controller as all the computers are stand-alone in their own workgroups. It's a simultaneous project that will introduce a DHCP, WINS, DNS server.
Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs the enhanced multilayer image. It may be more prudent to use a more current switch such as the small business SG300 or SG500, as the feature set is richer and it supports around 480 LAN connections.
To answer the inquiry: on the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign a subnet as you like along with 'enable or disable' for inter-VLAN routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
With a Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLANs will pass without issue. For a port connecting a user, "switchport mode access" "native vlan xx" will assign the port as an untagged member of the desired VLAN.
If using a small business switch, it is slightly different: you still create the VLAN but the command issued is a bit different, "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access clients it remains the same as Catalyst.
Hello ladies and gentlemen,
I am using several SG300-28 Switches with firmware version 1.1.2.0.
I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
Authentication is only based on the MAC address. (I configured that on the switches)
On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just want to use the MAC address.
In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP.
This is happening randomly on nearly all my PCs.
I would really appreciate your help. Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
Thank you very much for your help!
Regards
Alexander Wilke
This is from my CISCO log. The computer is always online but there are repeated rejects and then, with a delay of some minutes, an accept.
ID          Time                  Severity       Message
2147483395  2012-Aug-09 21:40:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396  2012-Aug-09 21:38:23  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397  2012-Aug-09 21:38:23  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398  2012-Aug-09 21:16:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399  2012-Aug-09 21:13:42  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400  2012-Aug-09 21:13:42  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483401  2012-Aug-09 21:04:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483402  2012-Aug-09 21:03:50  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483403  2012-Aug-09 21:03:50  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483404  2012-Aug-09 20:52:02  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483405  2012-Aug-09 20:49:02  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483406  2012-Aug-09 20:49:02  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483407  2012-Aug-09 20:40:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483408  2012-Aug-09 20:39:10  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483409  2012-Aug-09 20:39:10  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483410  2012-Aug-09 20:16:06  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483411  2012-Aug-09 20:14:29  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483412  2012-Aug-09 20:14:29  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483413  2012-Aug-09 19:28:01  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483414  2012-Aug-09 19:25:08  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483415  2012-Aug-09 19:25:08  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483416  2012-Aug-09 19:15:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483417  2012-Aug-09 19:15:16  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483418  2012-Aug-09 19:15:16  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483419  2012-Aug-09 19:04:00  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483420  2012-Aug-09 19:00:27  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483421  2012-Aug-09 19:00:27  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483422  2012-Aug-09 18:27:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483423  2012-Aug-09 18:25:55  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483424  2012-Aug-09 18:25:55  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
Any ideas?
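The log above has a recognisable shape: the same MAC is rejected on gi8, the port goes unauthorized, and one to three minutes later the port is authorized again, which is long enough for the client to have taken a DHCP lease in the guest VLAN. The Python below is an added example, not code from this thread or from Cisco: it parses the SG300's four-lines-per-entry log export, puts the entries back in chronological order (the export is newest first), pairs each reject with the next authorization on the same port, and reports the delay between them so the cycles can be counted per port. The sample entries are the first two cycles copied from the log above.

```python
import re
from datetime import datetime

# Constructed sample: the two most recent reject/authorize cycles from the
# log quoted above, in the switch's export format (id, time, severity, message).
SAMPLE_LOG = """\
2147483395
2012-Aug-09 21:40:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396
2012-Aug-09 21:38:23
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397
2012-Aug-09 21:38:23
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398
2012-Aug-09 21:16:05
Informational
%SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399
2012-Aug-09 21:13:42
Warning
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400
2012-Aug-09 21:13:42
Warning
%SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
"""

REJECT_RE = re.compile(
    r"%SEC-W-SUPPLICANTUNAUTHORIZED: MAC (?P<mac>[0-9a-fA-F:]{17}) was rejected on port (?P<port>\S+)")
AUTHORIZED_RE = re.compile(r"%SEC-I-PORTAUTHORIZED: Port (?P<port>\S+) is Authorized")


def parse_entries(text):
    """Turn the four-line export into dicts, oldest entry first."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 4:
        raise ValueError("log export is not a multiple of four lines")
    entries = []
    for i in range(0, len(lines), 4):
        entry_id, stamp, severity, message = lines[i:i + 4]
        entries.append({
            "id": int(entry_id),
            "time": datetime.strptime(stamp, "%Y-%b-%d %H:%M:%S"),
            "severity": severity,
            "message": message,
        })
    # Export is newest first and ids grow with age, so sort by time, then by
    # descending id to keep same-second entries in their original order.
    entries.sort(key=lambda e: (e["time"], -e["id"]))
    return entries


def find_reject_then_authorize(entries):
    """Pair each MAC reject with the next authorization of the same port."""
    pending = {}   # port -> (mac, time of reject)
    cycles = []
    for e in entries:
        m = REJECT_RE.search(e["message"])
        if m:
            pending[m.group("port")] = (m.group("mac"), e["time"])
            continue
        m = AUTHORIZED_RE.search(e["message"])
        if m and m.group("port") in pending:
            mac, rejected_at = pending.pop(m.group("port"))
            cycles.append({
                "port": m.group("port"),
                "mac": mac,
                "rejected_at": rejected_at,
                "authorized_at": e["time"],
                "delay_s": int((e["time"] - rejected_at).total_seconds()),
            })
    return cycles


def flap_summary(cycles, min_delay_s=0):
    """Count reject->authorize cycles per port whose delay is at least min_delay_s."""
    summary = {}
    for c in cycles:
        if c["delay_s"] >= min_delay_s:
            summary[c["port"]] = summary.get(c["port"], 0) + 1
    return summary


if __name__ == "__main__":
    for c in find_reject_then_authorize(parse_entries(SAMPLE_LOG)):
        print(f"{c['port']} {c['mac']} rejected {c['rejected_at']:%H:%M:%S}, "
              f"authorized {c['delay_s']}s later")
```

The min_delay_s threshold is the useful knob: a cycle that completes within the client's DHCP discovery window is harmless, while anything longer than the guest VLAN's lease negotiation is a port where the host will be stranded with a guest address after the switch silently moves the VLAN, which is exactly the symptom described.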
WLC 5508: 802.1x AAA override; Authentication success, no dynamic VLAN assignment
WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and freeradius server. 802.1x authorization and authentication work correctly. The session keys are returned from the radius server and the WLC sends the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I believe I set everything up correctly. From the packet capture, you can see that the verification that the client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.
Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium high level config for any future viewers of this thread:
The following was tested and verified on a fedora 13 installation. This is a minimal setup; not meant for a "live" network (security issues with cleartext passwords, ldap not indexed properly for performance)
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start on system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed ldap schemas for radius. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create an admin password for slapd. Record this password for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group, if they don't exist. Depending on the install rpm, they may have been created
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully if everything is correct, should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcObject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalUnit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the ldap db, to make sure that we can send requests and receive results back
ldapsearch -x -h localhost -W -D "cn=Manager,dc=cisco,dc=com" -b dc=cisco,dc=com -s sub "objectClass=*"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenticator (dynamic vlan assignments as an example). Below is an example for dynamic vlan assignments
cd /etc/raddb
vi ldap.attrmap
For dynamic vlan assignments, verify the following lines exist:
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Since we are planning to use the userPassword, we will let the mschap module perform the NT translations for us. Add the following line to check the ldap object for userPassword and store it as Cleartext-Password:
checkItem Cleartext-Password userPassword
2. Configure eap.conf. The following section attributes should be verified. You may change other attributes as needed; they are just not covered in this document.
eap {
    default_eap_type = peap
    .....
    tls {
        # I will not go into details here as this is beyond the scope of setting up freeradius.
        # The defaults will work, as freeradius comes with generated self-signed certificates.
    }
    peap {
        default_eap_type = mschapv2
        # you will have to set this to allow the inner TLS tunnel attributes into the final accept message
        use_tunneled_reply = yes
    }
}
3. Change the authentication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenticate section, uncomment the ldap module
vi inner-tunnel
Very important: for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize {
    ldap
    mschap
    ......
}
4. Configure ldap module
cd /etc/raddb/modules
ldap {
    server = "localhost"
    identity = "cn=Manager,dc=cisco,dc=com"
    password = admin
    basedn = "dc=cisco,dc=com"
    base_filter = "(objectclass=radiusprofile)"
    access_attr = "uid"
    ............
}
5. Start up radius in debug mode on another console
radiusd -X
6. radtest jonatstr ggsg localhost 12 testing123
You should get a Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test utility called eapol_test
First install openssl support libraries, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST=y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="jonatstr"
    password="ggsg"
    # If you want to verify the server certificate the below would be needed
    # ca_cert="/root/ca.pem"
    phase2="auth=MSCHAPV2"
}
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123
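The VLAN override in this thread, the NPS attributes in the 3850/MAB thread above (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Pvt-Group-ID) and the replyItem lines in ldap.attrmap all describe the same three RFC 2868 attributes, and the capture above shows their wire sizes: l=6 for the two tagged integers, l=4 for the group id "10". The Python below is an added example, not code from this thread, from FreeRADIUS or from Cisco: it encodes the triple the way RFC 2868 does (tag byte plus 3-byte integer; optional tag byte on the string), parses a reply's attribute bytes back, and reports whether a usable VLAN assignment is present. Attribute numbers and enum values are the standard ones (64, 65, 81; VLAN=13; IEEE-802=6); the byte strings the test feeds in are constructed.

```python
# RFC 2868 tunnel attributes as used for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type "IEEE-802"
ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer: 1-byte tag + 3-byte value, so the AVP length is 6."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, text, tag=None):
    """Tagged string: a leading tag byte is only present when 0 < tag <= 0x1F;
    with no tag, "10" is just the two ASCII bytes (AVP length 4, as captured)."""
    body = text.encode("ascii")
    if tag:
        body = bytes([tag]) + body
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_reply(group_id, tag=0):
    """Attribute bytes a RADIUS server puts in Access-Accept to assign a VLAN."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(group_id), tag))


def parse_avps(data):
    """Split a RADIUS attribute section into (type, value) pairs; strict on lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def is_well_formed(data):
    try:
        parse_avps(data)
        return True
    except ValueError:
        return False


def decode_tagged_int(value):
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def decode_tagged_string(value):
    # RFC 2868: a first byte <= 0x1F is a tag; anything else is part of the string.
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def extract_vlan(data):
    """Return (assignment, status): status is 'vlan-id', 'vlan-name' or 'missing'.
    Attributes are grouped by tag, since a reply may carry several tunnel sets."""
    groups = {}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, num = decode_tagged_int(value)
            groups.setdefault(tag, {})[attr_type] = num
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = decode_tagged_string(value)
            groups.setdefault(tag, {})[attr_type] = text
    for tag in sorted(groups):
        attrs = groups[tag]
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid), "vlan-id"
            return gid, "vlan-name"   # Cisco switches also accept a VLAN name here
    return None, "missing"


if __name__ == "__main__":
    reply = build_vlan_reply(10)
    for t, v in parse_avps(reply):
        print(f"AVP l={len(v) + 2} t={ATTR_NAMES[t]}({t}): {v.hex()}")
    print(extract_vlan(reply))
```

The "missing" result is what the WLC saw before use_tunneled_reply was set: the inner PEAP session carried the triple, but the outer Access-Accept that the controller actually reads had none of it, so the AAA override had nothing to apply.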
Dynamic VLAN, should or should not?
Hi everyone,
My company has 1 Core Switch 6509; this core SW aggregates all access switches.
On the Core SW, I've configured static IPs such as: # arp IP_address MAC_address rarp
However, when a client moves from one access switch to another access switch, I must change the VLAN on the access port.
It's very manual.
To improve the management, I am thinking of Dynamic VLAN.
But this solution requires all access switches to support VMPS, and the access switches in the network system do not support it.
Implementing this solution requires a large investment to purchase new devices.
Can anyone advise me on a suitable solution?
Thanks in advance!
HoiVN
Kindly check the following link for reference.
sample configuration link
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
Trouble shooting link
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html