Dynamic VLANs on a Catalyst 3560

Hello,
I'm looking for a solution that would enable me to assign users to a specific VLAN based on MAC address. I'm using a Catalyst 3560 switch. Is there something similar to VMPS that would allow me to do this? I would like to run VMPS, but it looks like you need a VMPS server (catalyst 5000) to do this. Any help would be appreciated. Thanks!

They can be is the answer; however they don't have to be. Not all Cisco IP Phones have an 802.1x Supplicant (I assume you are using Cisco IP Phones and Voice VLANs?), only the newer ones do I think (7941, 7961, 7970 etc). I think by default the Voice VLAN on the access port does not do 802.1x authentication so the Phones bypass any 802.1x authentication.
If you have non-Cisco IP Phones then there are some more hurdles like VLAN detection and depending on the Vendor this can be achieved in a number of ways. It's should all be possible though.
Andy

Similar Messages

  • Vlan mapping cisco catalyst 3560

    Hello
    which Cisco switches support vlan mapping ?
    and did Cisco catalyst 3560 support vlan mapping or not ??
    thank u

    Thank u pdanekul
    I know 3750 support vlan mapping but with 3560 i can not see vlan mapping config
    switchport vlan mapping
    and also i can not see it in cisco Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swtunnel.html

  • Using ISE to dynamically VLAN change

    Hello all,
    I need some help to dynamically change VLAN on each port of my Catalyst 3560, to do this, I don't want to use the MAC address filtering but I want to use conditions already in place in my ISE to switch port between two VLAN (Guest and Corporate) where one give access to the corporate LAN and the other to Internet without LAN access.
    Maybe someone of you had could have some ideas to do this with the use, or maybe without VLAN?
    PS : Sorry for my bad English, i'm not a native English speaker ;)
    Thank you in advance.

     I do not get exactly what are you looking for.. But still
    The  two kind of access you are anticipating can be achived by either way
    Chage of VLAN : as explained by you... you need to create two differnent authorization policies as per  users belongs  to (AD )group <e.g. employee or guest..> ..
    dACL : You can push downloadable Acl to switch as per user membership to AD.
    Let me know if you need help from design or configuration  point of view...

  • ACS + VMWare thin clients with dynamic vlans

    Good afternoon,
    I need to deploy a solution with thin clients and dynamic vlans (802.1x). All switches are catalyst 3560 and superior
    Can I do this using only de ACS? Will it work?
    Thank you

    Hi,
    Dynamic Vlan assignment can be configure on the ACS.
    Please see the configuration example on the link below, this configuration example is for WLC but the ACS configuration is the same.
    http://tinyurl.com/2oxg32
    If you have any doubts do not hesitate to contact me

  • Dynamic VLAN assignments with ACS

    Hello all.
    I am trying to do dynamic vlan assignments with dot1x auth.  I am using ACS5.3 and Cisco 3560.
    I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
    aaa group server radius nac_serversserver-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxxaaa authentication dot1x default group nac_serversaaa authorization network default group nac_serversinterface FastEthernet0/2 switchport mode access switchport voice vlan 364 srr-queue bandwidth share 10 10 60 20 srr-queue bandwidth shape 10 0 0 0 priority-queue out authentication event no-response action authorize vlan 303 authentication host-mode multi-domain authentication port-control auto mls qos trust cos auto qos voip trust dot1x pae authenticator
    When the user connects I get the following via debug:
    Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
    Any idea what config I'm missing?
    Thanks
    Paul

    Hello.
    Here is whats left in the log.
    Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.253: EAPOL pak dump rx
    Apr 30 15:19:36.253: EAPOL Version: 0x1  type: 0x0  length: 0x007B
    Apr 30 15:19:36.253: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
    Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.007b
    Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.278: EAPOL pak dump rx
    Apr 30 15:19:36.278: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Apr 30 15:19:36.278: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.002b
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.294: EAPOL pak dump rx
    Apr 30 15:19:36.294: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Apr 30 15:19:36.294: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.002b
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
    Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
    Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Hope that helps

  • 802.1x and wired dynamic vlans on MAC addresses

    Hi All,
    I would like to setup our new offices with dynamic vlans determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which vlan they will go in, with separate vlans for printers and servers and computers and BYOD. If this can work for wireless too then even better.
    I've done some reading but am really struggling to find the information I need.
    We have a Windows domain and brand new 3850 Cisco switches.
    Can anyone steer me in the right direction (or tell me how to do it!) please?
    Thanks for reading.

    Hi, 
    So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.
    In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:
    Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
    Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. 
    Tunnel-Type. Select Virtual LANs (VLAN).
    You can find more information here:
    Configure a Network Policy for VLANs
    VLAN Attributes Used in Network Policy
    802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
    HTH.

  • Configuracion SW catalyst 3560

    Ten SW catalyst 3650 conectado con 2 SW catalyst 2960G en los 2 SW 2960G tengo configurado varias Vlan , como hago para internconectar las vlan que estan en los 2 SW 2960G con la Vlan de Servidores que tengo SW 3560 esto yo lo hacia sin problemas utilizando un router , pero tengo ahora un SW L3 3560 que me reemplza el router pero no se como configurarlo.

    Las Vlans creada en el 3560 son las mismas del 2960G ? Puedes ensenar la configuracion de los dos switches ?
    Primeramente, tienes que escribir el comando ip routing en el 3560.
    Segundo, tienes que tener 'trunk' en las coneciones entre los dos switches.
    Tercero, tienes que crear 'interfaces' el en 3560 con la IP del Vlan.

  • SRW224G4P uplink to catalyst 3560 switch trunk

    I have many SRW224g4p switchs,and I use a catalyst 3560  for a core switch.
    The SRW224g4p uplink to 3560 switch
    What can I config the port of the 3560 to SRW224g4p(Their are many of vlans in my network)
    and config the port of SRW224g4p to 3560's port
    ps:config trunk port problem

    Hi Wei,
         Are you working on the Linksys SRW224G4P or the replacement Cisco (300 Series) SRW224G4P-K9-NA? Can you attach your 3560 Truk Port Configuration along with the VLAN Configuration?
    Thanks,
    Kevin

  • Catalyst 3560 routing for network boot

    Hi guys,
    I'm a Cisco noob so please forgive me if I'm asking stupid questions :)
    I have a Cisco Catalyst 3560 in my lab and it's currently a single VLAN set up with all 48 interfaces in it. The switch receives static IPs from the router and as far as I understand is not doing any routing by itself. I'd like to run my own tftp server available only to the servers on this switch (for network boot).
    So what I probably need this switch to run is some kind of an internal network i.e. 10.10.2.0 so I'd be able to reach the servers on this switch both via an external IP xxx.xxx.xxx.xxx and an internal one say 10.10.2.3 during the PXE boot.
    So how should it be done and is it possible at all?
    I hope I'm making myself clear and you got the idea. Please ask if you don't. :)
    BR,
    Paul

    For example, if I start the security wizard and choose a single interface (FastEthernet6 in this case) to block port 25 on I get this config:
    Restricting Applications.
    Creating ACL SecWiz_Fa0_6_in_ip based on provided criteria
    Creating VLAN Map SecWiz_Vlan1
    Applying VLAN Map
    Applying VLAN Map SecWiz_Vlan1 to Vlan1
    and when I click on Show CLI sequence:
    Cisco1(config)# no vlan access-map SecWiz_Vlan1 10
    Cisco1(config)# no ip access-list Extended SecWiz_Fa0_6_in_ip
    Cisco1(config)# ip access-list extended SecWiz_Fa0_6_in_ip
    Cisco1(config-ext-nacl)# deny tcp any any eq 25
    Cisco1(config-ext-nacl)# permit ip any any
    Cisco1(config-ext-nacl)# exit
    Cisco1(config)# vlan access-map SecWiz_Vlan1
    Cisco1(config-access-map)# 10 match ip address SecWiz_Fa0_6_in_ip
    Cisco1(config-access-map)# 10 action forward
    Cisco1(config-access-map)# exit
    Cisco1(config)# vlan filter SecWiz_Vlan1 vlan-list 1
    after I apply the changes port 25 gets blocked on the entire switch. I believe it will be the same for what I'm trying to do now.

  • Assistance Disabling BPDU Guard: Catalyst 3560 CG

    Good Morning Guys,
    Here's the situation:
    Configuring  cisco wireless bridges -  every time I get both devices up in my wireless controller, the port my root bridge is connected to on the catalyst 3560 CG switch gets disabled with the following error:
    "SPANTREE - 2- BLOCK_BPDUGUARD: Received BPDU on port,  *** with BPDU Guard enabled, disabling port."
    I've done some research on BPDU Guard and I've tried applying the following commands to no avail:
    1. errdisable detect cause bpdguard shutdown vlan    (global and config mode)
    2. spanning-tree bpduguard disable           (configuration mode at the interface)
    any assistance to prevent the port from shutting down would be greatly appreciated.
    Christian

    You should double check the interface configs on both. It is shutting the port down because it is receiving BPDUs. This could be cause your switch port is configured for access but the WLC is configured as trunk...

  • Cat 3750 with Voice VLAN and Dynamic VLANs

    Morning,
    Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
    Is a RADIUS server able to provide values to change the native vlan?
    Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
    Thanks,

    Voice VLAN's don't require trunk ports to be configured (unless you are talkling about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access vlan - so in 2950 or above the only config you need is:
    interface FastEthernet0/1
    switchport
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 100
    This is effectively the same as:
    interface FastEthernet0/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,100
    The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
    With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
    QoS is not detailed anywhere here and that obviously plays an important role with voice.
    In your scenario I am not sure ACS can do what you describe as this will require 802.1x supplicants on the client PC's (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non 802.1x capable devices). This seems to me more of a VMPS application.
    Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
    HTH
    Andy

  • How do I add a Subnet and vlan with a catalyst 3550 and RV120

    Hello Friends.
    I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
    This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
    I have a business class gateway with a private range of 12 public addresses. Ther modem does nothing but act as a gateway since i have disabled the firewall and DHCP.
    In place of the firewall and DCHP from the modem i have installed a RV120 Firewall with VPN. When installing i replicated the IP scheme of the modem as to not disturb and distrup the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
    The RV120 now acts as firewall , DHCP , and VPN. I'll address the subnet first. I's using 10.0.0.0/24 subnet range.
    DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
    There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
    VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
    There are no layer 3 switches that i know of. Just a layer two that is the primary swith and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
    I want to implement subnets into the network and VLANS as well on a new Layer 3 switche from cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
    I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
    I want to replace the 10.0.0.0/24 DHCP alltogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.
    I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
    Iv'e thought of replacing all the wireless nodes with RV120's and use VLAN. Dont know if that strategy works. Need to think it through.
    I want the 192.168.0.0/24 IP range comunicate to with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
    Any advice on how to do this?
    As a side note the next step after this is to install a server domain controller as all the computers are all stand alones in their own workgroups. It's a simultaneous project that will introdue a DCHP, WINS, DNS server.

    Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
    To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
    With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLAN will passage without issue. For a port connecting a user "switchport mode access" "native vlan xx" This will assign the port as untag member of the desired VLAN.
    If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different  "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst.

  • SG300-28 Firmware 1.1.2.0 and 1.2.7.76 - Dynamic VLAN+freeRADIUS - Client get rejected

    Hello ladies and gentlemen,
    I am using several SG300-28 Switches with firmware version 1.1.2.0.
    I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
    Authentication is only based on the MAC address. (I configured that on the switches)
    On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
    I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just wnat to use the MAC address.
    In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
    The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
    If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP.
    This is happening randomly on nearly all my PCs.
    I would really appreciate your help. Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
    Thank you very much for your help!
    Regrads
    Alexander Wilke

    This is from my CISCO log. The computer is always online but there are repeatingly rejects and then with a delay of some minutes an accept.
    2147483395
    2012-Aug-09 21:40:05
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483396
    2012-Aug-09 21:38:23
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483397
    2012-Aug-09 21:38:23
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483398
    2012-Aug-09 21:16:05
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483399
    2012-Aug-09 21:13:42
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483400
    2012-Aug-09 21:13:42
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483401
    2012-Aug-09 21:04:04
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483402
    2012-Aug-09 21:03:50
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483403
    2012-Aug-09 21:03:50
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483404
    2012-Aug-09 20:52:02
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483405
    2012-Aug-09 20:49:02
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483406
    2012-Aug-09 20:49:02
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483407
    2012-Aug-09 20:40:04
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483408
    2012-Aug-09 20:39:10
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483409
    2012-Aug-09 20:39:10
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483410
    2012-Aug-09 20:16:06
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483411
    2012-Aug-09 20:14:29
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483412
    2012-Aug-09 20:14:29
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483413
    2012-Aug-09 19:28:01
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483414
    2012-Aug-09 19:25:08
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483415
    2012-Aug-09 19:25:08
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483416
    2012-Aug-09 19:15:59
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483417
    2012-Aug-09 19:15:16
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483418
    2012-Aug-09 19:15:16
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483419
    2012-Aug-09 19:04:00
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483420
    2012-Aug-09 19:00:27
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483421
    2012-Aug-09 19:00:27
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized       
    2147483422
    2012-Aug-09 18:27:59
    Informational
    %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized       
    2147483423
    2012-Aug-09 18:25:55
    Warning
    %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8        
    2147483424
    2012-Aug-09 18:25:55
    Warning
    %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized    
    Any ideas ?

  • WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment

    WLC 5508: software version 7.0.98.0
    Windows 7 Client
    Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend
    I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server.  802.1x authorization and authenication correctly work.  The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
    However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly.  From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
    AVP: l=4  t=Tunnel-Private-Group-Id(81): 10
    AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)
    AVP: l=6  t=Tunnel-Type(64): VLAN(13)
    I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.

    Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept.  I wrote up a medium high level config for any future viewers of this thread:
    The following was tested and verified on a fedora 13 installation.   This is a minimal setup; not meant for a "live" network (security issues  with cleartext passwords, ldap not indexed properly for performance)
    Install Packages
    1.  Install needed packages.
    yum install openldap*
    yum install freeradius*
    2.  Set the services to automatically start of system startup
    chkconfig --level 2345 slapd on
    chkconfig --level 2345 radiusd on
    Configure and start LDAP
    1.  Copy the needed ladp schemas for radius.  Your path may vary a bit
    cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
    2.  Create a admin password for slapd.  Record this password for later use when configuring the slapd.conf file
    slappasswd
    3.  Add the ldap user and group; if it doesn't exisit.  Depending on the install rpm, it may have been created
    useradd ldap
    groupadd ldap
    4.  Create the directory and assign permissions for the database files
    mkdir /var/lib/ldap
    chmod 700 /var/lib/ldap
    chown ldap:ldap /var/lib/ldap
    5.  Edit the slapd.conf file.
    cd /etc/openldap
    vi slapd.conf
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #Default needed schemas
    include        /etc/openldap/schema/corba.schema
    include        /etc/openldap/schema/core.schema
    include        /etc/openldap/schema/cosine.schema
    include        /etc/openldap/schema/duaconf.schema
    include        /etc/openldap/schema/dyngroup.schema
    include        /etc/openldap/schema/inetorgperson.schema
    include        /etc/openldap/schema/java.schema
    include        /etc/openldap/schema/misc.schema
    include        /etc/openldap/schema/nis.schema
    include        /etc/openldap/schema/openldap.schema
    include        /etc/openldap/schema/ppolicy.schema
    include        /etc/openldap/schema/collective.schema
    #Radius include
    include        /etc/openldap/schema/radius.schema
    #Samba include
    #include        /etc/openldap/schema/samba.schema
    # Allow LDAPv2 client connections.  This is NOT the default.
    allow bind_v2
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral    ldap://root.openldap.org
    pidfile        /var/run/openldap/slapd.pid
    argsfile    /var/run/openldap/slapd.args
    # ldbm and/or bdb database definitions
    #Use the berkely database
    database    bdb
    #dn suffix, domain components read in order
    suffix        "dc=cisco,dc=com"
    checkpoint    1024 15
    #root container node defined
    rootdn        "cn=Manager,dc=cisco,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    # rootpw        secret
    rootpw      
    {SSHA}
    cVV/4zKquR4IraFEU7NTG/PIESw8l4JI  
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools. (chown ldap:ldap)
    # Mode 700 recommended.
    directory    /var/lib/ldap
    # Indices to maintain for this database
    index objectClass                       eq,pres
    index uid,memberUid                     eq,pres,sub
    # enable monitoring
    database monitor
    # allow onlu rootdn to read the monitor
    access to *
             by dn.exact="cn=Manager,dc=cisco,dc=com" read
             by * none
    6.  Remove the slapd.d directory
    cd /etc/openldap
    rm -rf slapd.d
    7.  Hopefully if everything is correct, should be able to start up slapd with no problem
    service slapd start
    8.  Create the initial database in a text file called /tmp/initial.ldif
    dn: dc=cisco,dc=com
    objectClass: dcobject
    objectClass: organization
    o: cisco
    dc: cisco
    dn: ou=people,dc=cisco,dc=com
    objectClass: organizationalunit
    ou: people
    description: people
    dn: uid=jonatstr,ou=people,dc=cisco,dc=com
    objectClass: top
    objectClass: radiusprofile
    objectClass: inetOrgPerson
    cn: jonatstr
    sn: jonatstr
    uid: jonatstr
    description: user Jonathan Strickland
    radiusTunnelType: VLAN
    radiusTunnelMediumType: 802
    radiusTunnelPrivateGroupId: 10
    userPassword: ggsg
    9.  Add the file to the database
    ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
    10.  Issue a basic query to the ldap db, makes sure that we can request and receive results back
    ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
    Configure and Start FreeRadius
    1. Configure ldap.attrmap, if needed.  This step is only needed if we  need to map and pass attributes back to the authenicator (dynamic vlan  assignments as an example).  Below is an example for dynamic vlan  addresses
    cd /etc/raddb
    vi ldap.attrmap
    For dynamic vlan assignments, verify the follow lines exist:
    replyItem    Tunnel-Type                                   radiusTunnelType
    replyItem    Tunnel-Medium-Type                   radiusTunnelMediumType
    replyItem    Tunnel-Private-Group-Id              radiusTunnelPrivateGroupId
    Since we are planning to use the userpassword, we will let the mschap  module perform the NT translations for us.  Add the follow line to  check ldap object for userpassword and store as Cleartext-Password:
    checkItem    Cleartext-Password    userPassword
    2.  Configure eap.conf.  The following sections attributes below  should be verified.  You may change other attributes as needed, they are  just not covered in this document.
    eap
    {      default_eap_type = peap      .....  }
    tls {
        #I will not go into details here as this is beyond scope of  setting up freeradisu.  The defaults will work, as freeradius comes with  generated self signed certificates.
    peap {
        default_eap_type = mschapv2
        #you will have to set this to allowed the inner tls tunnel  attributes into the final accept message
        use_tunneled_reply = yes
    3.  Change the authenication and authorization modules and order.
    cd /etc/raddb/sites-enabled
    vi default
    For the authorize section, uncomment the ldap module.
    For the authenicate section, uncomment the ldap module
    vi inner-tunnel
    Very importants, for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:
    authorize
    {      ldap      mschap      ......  }
    4.  Configure ldap module
    cd /etc/raddb/modules
    ldap
    {        server=localhost       identify = "cn=Manager,dc=cisco,dc=com"        password=admin       basedn="dc=cisco,dc=com"       base_filter =  "(objectclass=radiusprofile)"       access_attr="uid"       ............   }
    5.  Start up radius in debug mode on another console
    radiusd -X
    6.  radtest localhost 12 testing123
    You should get a Access-Accept back
    7.  Now to perform an EAP-PEAP test.  This will require a wpa_supplicant test libarary called eapol_test
    First install openssl support libraries, required to compile
    yum install openssl*
    yum install gcc
    wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz 
    tar xvf wpa_supplicant-0.6.10.tar.gz
    cd wpa_supplicant-0.6.10/wpa_supplicant
    vi defconfig
    Uncomment CONFIG_EAPOL_TEST = y and save/exit
    cp defconfig .config
    make eapol_test
    cp eapol_test /usr/local/bin
    chmod 755 /usr/local/bin/eapol_test
    8.  Create a test config file named eapol_test.conf.peap
    network=
    {   eap=PEAP  eapol_flags=0  key_mgmt=IEEE8021X  identity="jonatstr"   password="ggsg"  \#If you want to verify the Server certificate the  below would be needed   \#ca_cert="/root/ca.pem"  phase2="auth=MSCAHPV2"   }
    9.  Run the test
    eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123

  • Dynamic VLAN, should or should not?

    Hi everyone, 
    My company have 1 Core Switch 6509, this core SW aggregate all access switch.
    On the Core SW, I've configuration static IP such as:    # arp IP_address MAC_address rarp
    However, when the client move from access switch to another access switch, i must to change Vlan in access port.
    It's very manually.
    To improve the management, I think Dynamic VLAN.
    But this solution require all access switch support VMPS, but all access switches in the network system's not support.
    To implement this solution, it's require a large investments to purchase the new device.
    Can any one advice me a suitable solution.
    Thanks in advance!
    HoiVN

    Kindly check the following link for reference.
    sample configuration link
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
    Trouble shooting link
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

Maybe you are looking for

  • Reports through Report Painter

    Hi All, Can you please guide me how to use report painter and how to create custom reports through report painter. I want to prepare a report that will show Planned costs,Commitments,Actual Costs,Original Budget,Supplements,Current Budget in a single

  • Mouse pointer jumping around and dock icon graphics tops breaking up

    i been noticing my mac acting funny, at 1st i dismissed it as no big deal but now it has become more frequent. instead of happening occasionally its happening constantly. my mac has been in the exact same location since i owned it and my mouse surfac

  • Rpt.SetDataSource ignores my dataset

    I have an app that passes a dataset to the crystal report viewer. If I use the following line the data gets passed to the viewer, however if a crosstab is used in the report the crosstab ignores the column group options. If a crosstab is not used eve

  • Problem with a Timer (Java.util)

    Hello guys, I have a small problem with Java timer. The problem is I wanne do some task let's say after 5 seconds, so I created a timer and set its delay to 5000 milli seconds and run my program to see that the task is well performed but the program

  • Weird Quirk: Microphone suddenly picking up volume

    Sorry, I just don't know where else to put this question. Yesterday, even though I had my headphones in, people were able to here the music that was playing on my windows media player. Never really expireneced it before but it went away quickly. Now,