Srw2024 802.1x and VLANs
Does SRW2024 switch support dynamic VLANs based on 802.1x authentication?
Based on the datasheet for the SRW2024, it can support it. Here is the link of the SRW2024 data sheet:
http://www.linksys.com/servlet/Satellite?blobcol=urldata&blobheadername1=Content-Type&blobheadername...
Similar Messages
-
802.1X and automatic vlan assignment
Hello,
I'm testing an 802.1X infrastructure:
Switch: tried with Netgear Prosafe GS728TPS and Cisco SF300
Radius Server: Microsoft NPS
DHCP Relay for address assignment by VLAN
I have created some policies with simple authentication for testing (MSCHAP V2) and VLAN assignment or not (depending on Active Directory group).
All works fine on Windows 7 Pro. User 1 is authenticated without a VLAN and user 2 is authenticated with a VLAN.
The DHCP works fine and the 2 users have an IP.
When I try on Mac OS X (ver. 10.7.2 and ver. 10.9.2) user 1 (without VLAN) works fine. I have an IP and access to the LAN. But user 2 (with VLAN) doesn't work. The Mac doesn't get an IP and I'm not on the VLAN. If I set an IP of the VLAN manually, I have no access to the VLAN.
Are there some specific parameters to add to enable the VLAN on Mac OS X?
Thanks for your reply
Ben
Edit: It's for wired connections
-
Potential Security Hole with 802.1x and Voice VLANs?
I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. - and they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport), they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc.) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked, but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
Has anyone done any research into this potential security hole?
Thanks
Andy
Thanks for the reply. To be honest we would normally deploy some or all of the measures you list, but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
Andy -
I had read articles on CCO, and I believed that for the same switch port we can have 802.1x configured and the voice VLAN configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone data port will get authenticated.
I had configured 802.1x and tested with a notebook logon and was able to access the network. Now I would like to test the notebook attached to the IP phone data port, with the phone connected to the switch port configured with 802.1x. But I failed to add the voice vlan command. Why?
interface GigabitEthernet9/48
description temporary port
switchport
switchport access vlan 12
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
CIG01-ENT-SW1(config-if)#switchport voice vlan 14
Command rejected: Gi9/48 is Dot1x enabled port.
Using IEEE 802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
- VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
- PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
What kind of switch do you have? On a 3550 I can configure the port for both VVID and PVID:
interface FastEthernet0/1
switchport access vlan 3
switchport mode access
switchport voice vlan 2
no ip address
dot1x port-control auto
spanning-tree portfast
end
Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authenticated:
under the interface configure "dot1x host-mode multi-host"
Never mind, I just realized that you might have a 5600 running native; checking the configuration guide and release notes it does not look like dot1x and vvlan can play together on that platform. -
Yet another IAS + 802.1x dynamic vlan question
hello all
For the last 18 months or so there's been a steady stream of folks trying to get dynamic assignment of a VLAN to a user/group using Microsoft's IAS RADIUS.
Having searched through the Netpro archives, I've never found a definitive explanation of how this is done.
Sure, it's almost common knowledge by now that the three attributes 64 (Tunnel-Type=VLAN), 65 (Tunnel-Medium=802) and 81 (Tunnel-Private-Group-ID=VLAN name) need to be configured on the RADIUS server.
Recently I discovered that IAS on Windows 2003 even includes the RADIUS "tunnel-tag" attribute, so even that can be included now (as =1).
Still, having done this, and seeing a "debug radius" on a 2950 switch (with newest code) show that the tunnel-tag starts with "01" --- I still can't get this darn thing to work.
Yes, it works for static 802.1x (no VLAN assignment) against an XP SP2 client.
Yes, I included the "aaa authorization network default group radius" statement.
If I configure a VLAN 5 named "Sales" --- nothing works. Not when I configure attribute 81=Sales in IAS, not when I configure "5" in IAS. Heck, I even used hex values --- till I got
" Attribute 81 6 01000005 " in the debug,
all sorts of permutations.
Please Cisco, somebody --- help us out here.
The fact of the matter is, though ACS is probably the best way to go (it does NAC & FAST), a lot of clients say "hey - I've got a perfectly good RADIUS server for FREE in Windows".
Can anybody shed some light on this!
Here are working IAS settings and switch config:
Ignore-User-Dialin-Properties 4101 True
Framed-Protocol 7 PPP
Service-Type 6 Framed
Tunnel-Medium-Type 65 802
Tunnel-Pvt-Group-ID 81 102
Tunnel-Type 64 VLAN
Tunnel-Tag 4170 1
*Note that I have VLAN#, not VLAN name on attribute 81
aaa new-model
aaa authentication dot1x default group radius none
aaa authorization network default group radius none
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period 300
dot1x guest-vlan 997
dot1x reauthentication
spanning-tree portfast -
MAB/802.1x and Alkatel IP Phones
Hi All
We have a distributed deployment where Alcatel IP Touch phones are authenticated via MAB. Alcatel IP Touch phones have 802.1x enabled by default and the phone tries EAPOL first and then the switch authenticates via MAB, which is fine. Once authenticated it's working as expected. The issue is the phone keeps on periodically retrying 802.1x after x amount of minutes, which triggers the phone to reboot again and go through the whole process. This interrupts the voice. We could disable 802.1x but it's on a per-phone basis. Has anyone come across this issue and found a way to disable it globally via the call manager etc., or any workaround from the ISE/switch side?
Thanks
G
Hi Tarik,
Thanks for the reply, please find below the switch port config lines; it's a 370x switch, IP Base and Universal on 15.2-1.E1 image.
Note: since 802.1x is enabled by default the phone initially tries 802.1x and, after failing, the switch goes to the next auth method, which is MAB, which is successful. The issue is the phone again initiates an 802.1x packet after some time and the whole process starts again, and because 802.1x has failed the phone reboots again. I think this is the way this type of phone works and we cannot do much unless we disable 802.1x or install the Alcatel CA certs in the ISE cert store?
Interface gi x/y
switchport access vlan xx
switchport mode access
switchport voice vlan yy
ip access-group ACL_ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xx
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast -
802.1x dynamic VLAN assignment with Radius NPS Server
I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
I have followed this documentation,
http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
that basically says to use these Radius attributes,
Tunnel-Medium-Type : 802
Tunnel-Pvt-Group-ID : My_VLAN_Number (also tried VLAN name)
Tunnel-Type : VLAN
There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
and I have also tried that,
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
My user authenticates on the port fine, but doesn't get put into a VLAN. If I add "sw acc vlan 110" then the user authenticates and then does get an IP address in that VLAN and all is well.
Anybody know how to get dynamic VLAN assignment working with NPS?
NPS on Win 2012 R2
Domain controller separate Win 2012 R2 server
Cisco 3550 switch -
Hi All, Can anyone guide me to configure 802.1x with ACS 5.0. It's a totally new look and I'm not able to find documents related to 802.1x.
Thanks
Hi,
Check out the below link on how to configure 802.1x and ACS administration hope to help !!
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
Ganesh.H -
802.1x dynamic vlan assignment using ACS 4.2
Hi
We have 10 2960 switches configured with 802.1x authentication against an ACS server 4.2.
We have 2 VLANs configured on the switches for administrators and end users. The end user VLAN id is 10 and the administrator VLAN id is 100.
We need to apply the following scenario: if the end user PC - that is connected to VLAN 10 - has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
Is the above scenario doable using dot1x with the ACS server?
Waiting for your replies
Mohamed -
802.1x with VLAN assignment on Catalyst 2950T-48-SI
I would really appreciate it if you can confirm whether the C2950T-48-SI will support the following features.
- IEEE 802.1x with VLAN assignment
- SSHv2
- SNMPv3
The data sheet for the Cisco Catalyst 2950 Series Switches with Standard Image mentions all the above and more features for the 2950T-48-SI, but at the same time the PowerPoint presentation (Cisco Catalyst 2950 Series Switches) and the Software Advisor tool say that those features are only supported with the Enhanced Image.
If those features are supported by the Standard Image, would you please also tell me the latest IOS version supported.
Thanks a lot.
SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me, I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
SNMPv3 is supported.
HTH
Andy -
MAB, 802.1x and ACS 4.2
Hi all,
Currently I'm using an ACS 4.2 as RADIUS server, some 2960-S switches with IOS 12.2(55)SE5, Alcatel IP Touch 4018 IP phones, and I would like to assign a dynamic VLAN to some specific users/laptops daisy-chained to an IP phone.
Logical connection is: user's laptop ---> IP phone ---> switch ---> RADIUS
What I need is:
if I connect MY laptop to the IP phone port, I receive a specific VLAN (VLAN 58)
if SOMEONE else (i.e. a consultant) connects his laptop to the SAME IP phone port (if available) he has to receive a different VLAN (VLAN 1).
I've been able to reach the goal using a MACRO but it took too much time to authenticate (approx 1 min) so I gave up and tried a different, faster way (802.1x and MAB).
I've been able to authenticate the IP phone using 802.1x auth and to receive the correct VLAN when I connect MY laptop (MAB auth), but I was not able to provide VLAN 1 to the consultant when he connects his laptop even if "authentication event fail action authorize vlan 1" is configured.
I used the dot1x auth-fail VLAN because I'm not able to use MAB or 802.1x auth on an external laptop. I also tried with the guest VLAN with no luck.
In both cases the "consultant" remains in "auth failed".
Here is my current configuration
dot1x system-auth-control
dot1x guest-vlan supplicant
identity profile default
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 30
authentication host-mode multi-auth
authentication event fail action authorize vlan 1
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x max-reauth-req 1
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
On the ACS side I have 2 groups
The first group authenticates the IP phone and supplies the voice VLAN (VLAN 30)
The second group authenticates using MAB and supplies VLAN 58
Is there a different way to accomplish this task?
Thank you in advance
Hi,
any ideas?
thx -
Is it possible to enable dot1x and voice on the same interface? If so which switches and IOS support this feature ?
Any references to documents ?
Commands that cannot be configured together:
switch voice vlan xxx
dot1x port-control auto
It is possible to enable 802.1X and voice on the same port. If the phone does CDP, it is allowed through, regardless of the 802.1X state of the port with this config. Here are the switches that support this, with the minimum required releases:
CatOS (6500) - 7.6(1)
IOS (4500) - 12.1(20)EWA
IOS (3750) - 12.2(25)SEA
IOS (3560) - 12.2(25)SEA
IOS (3550) - 12.1(12c)EA1
IOS (2960) - 12.2(25)FX
IOS (2950) - 12.1(12c)EA1
IOS (2940) - 12.1(13)AY
Hope this helps, -
802.1X and CAT Express 500
Hi guys,
I want to know if the Cat Express 500 supports dynamic VLAN assignment through 802.1X.
Hi,
You can do the VLAN assignment using 802.1x on the CE500. The configuration for 802.1X and the RADIUS authentication server can be done with the help of Cisco Network Assistant (CNA). In the menu Network Security Settings you have to set the
security level to high. There is the possibility to configure the IP address of the RADIUS server and the RADIUS key.
In case you don't have the CNA, you can download it for free from:
http://www.cisco.com/cgi-bin/tablebuild.pl/NetworkAssistant
HTH, Please rate if it does.
-amit singh -
802.1x Dynamic Vlan assignment using ACS
Hi,
I have the following scenario
2 buildings with multiple floors
Each floor should be in a different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
Each user should be able to connect and roam around between any building. Whenever a user connects his laptop to any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram.
Hi,
Check out the below link for your requirement for dynamic vlan assignement using ACS
http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post -
802.1x Dynamic VLAN Switching Question
Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.
Environment:
ACS Express 5.0.1
C3550 running c3550-ipbasek9-mz.122-44.SE6.bin
Switch config:
aaa new-model
aaa group server radius dot1x
server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
aaa authentication dot1x default group dot1x
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
speed 100
duplex full
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
spanning-tree portfast
ip radius source-interface FastEthernet0/1 vrf default
!
radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F
Am I missing something easy?
It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.
The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down" -
I'm trying to figure out a way to get to 802.1x and Dynamic Vlans.
I have all types of devices, some login into windows AD some don't.
Is this possible?
The port is set up to use 802.1x. The RADIUS server first checks against AD, then checks for the MAC address; if no conditions are met the port is set to a catch-all type VLAN and starts forwarding.
Something like:
1. A Domain user/PC connects, user login to AD and assigned to a user VLan.
2. A printer is connected and assigned to a printer VLan.
3. A guest connects and is assigned to a guest VLan.
I'd like to not have to put MAC addresses in for PCs that are members of the Windows domain.
Hi
Please find the answers inline:
1. A Domain user/PC connects, user login to AD and assigned to a user VLan.
This is possible by using RADIUS extended attributes to assign the VLAN dynamically. For this to work, you need to define the RADIUS server host & key on the switch/NAD, then enable dot1x on the switchport to force authentication through RADIUS. You can have a NAC client to key in your AD username/password. You would need to configure your RADIUS server to send vendor-specific attributes:
- [64] Tunnel-Type = VLAN
- [65] Tunnel-Medium-Type = 802
- [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Refer to CCO for more info on how the ACS server is configured for sending this info. Apart from this, on the switch configure "radius-server host x.x.x.x auth-port 1612 key *****" and the appropriate aaa commands to force dot1x to refer to RADIUS: "aaa authentication dot1x default radius"
2. A printer is connected and assigned to a printer VLan.
For printers, or any non-dot1x-compliant device, it's general to use the MAC Authentication Bypass feature. By doing this we can make sure the ports connecting to printers use the default "switchport access vlan" configuration on these ports. With MAB, we add the MAC address of the printer on the ACS server (with the password as the MAC address) and make sure the printer is authenticated via the switch. If you don't want to use the MAC address for bypassing dot1x, you can probably disable dot1x on such ports. A similar methodology can be adopted for servers, which wouldn't need dot1x. Since there are few printers & servers on networks, you can disable dot1x on these ports.
3. A guest connects and is assigned to a guest VLan.
This is achieved by using the guest-vlan feature. Guests who don't have a dot1x client will be put on a separate isolated VLAN called the guest VLAN. You can create a VLAN, say VLAN 99, on the switch for guests, and on the switchport configure "dot1x guest-vlan 99". This would make sure the guests are separated and isolated. Make sure you have VLAN ACLs on VLAN 99 to restrict traffic for guest users only to the internet, or place them behind the DMZ of firewalls. You also have the "authentication failure" VLAN which you can enable for production users when they fail authentication.
Refer to this guide; it has all the information about 802.1x on switches:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1270660
Hope this helps.. all the best..
Raj
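As an added worked example (not code from any of the posts above), here is the wire encoding of the three RFC 2868 attributes that the IAS thread and Raj's answer both rely on, in Python: it builds the tagged Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple for VLAN "102" (the working IAS settings quoted earlier), renders each attribute the way the quoted "debug radius" output does, and decodes the quoted "Attribute 81 6 01000005" value to show it carries tag 1 followed by three binary octets rather than the ASCII digits a switch matches against a VLAN name or number. The "Attribute <type> <len> <hex>" rendering and the sample byte strings are constructed here; the attribute numbers and values come from the threads and RFC 2868.

```python
# RFC 2868 tunnel attributes used for 802.1X dynamic VLAN assignment (added example).
# 64 Tunnel-Type (13 = VLAN) and 65 Tunnel-Medium-Type (6 = IEEE 802) are tagged integers;
# 81 Tunnel-Private-Group-ID (VLAN name or number, ASCII) is a tagged string.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def tagged_int_avp(attr_type, tag, value):
    """Type, Length (always 6), tag octet, 3-octet big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload

def tagged_string_avp(attr_type, tag, text):
    """Type, Length, tag octet, then the ASCII string (no NUL, no length prefix)."""
    payload = bytes([tag]) + text.encode("ascii")
    if not 0 <= tag <= 0x1F or len(payload) > 253:
        raise ValueError("tag must be 0..31 and string at most 252 octets")
    return bytes([attr_type, 2 + len(payload)]) + payload

def vlan_assignment_avps(vlan, tag=1):
    """The attribute triple a RADIUS server returns in Access-Accept to place the port in `vlan`."""
    return (tagged_int_avp(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int_avp(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + tagged_string_avp(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))

def parse_avps(data):
    """Walk Type/Length/Value triples; reject truncated or overlong attributes."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length %d" % length)
        out.append((attr_type, length, data[i + 2:i + length]))
        i += length
    return out

def debug_lines(data):
    """Render attributes as 'Attribute <type> <len> <hex>' (constructed, older IOS debug style)."""
    return ["Attribute %d %d %s" % (t, l, v.hex()) for t, l, v in parse_avps(data)]

def decode_vlan_avps(data):
    """Map attribute type -> (tag, value); value is an int for 64/65 and raw bytes for 81."""
    result = {}
    for attr_type, length, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("tagged integer must be 6 octets, got %d" % length)
            result[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet in 0x00..0x1F is a tag; a larger octet is part of the string
            if value and value[0] <= 0x1F:
                result[attr_type] = (value[0], value[1:])
            else:
                result[attr_type] = (0, value)
    return result

def group_id_text(raw):
    """The VLAN name/number a switch would look up, or None if the octets are not printable ASCII."""
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

if __name__ == "__main__":
    good = vlan_assignment_avps("102")  # tag 1, group "102", as in the working IAS settings
    print("\n".join(debug_lines(good)))  # attribute 81 is 6 octets here too, but holds 0x31 0x30 0x32
    # Constructed from the debug line quoted in the IAS thread: 'Attribute 81 6 01000005'
    posted = bytes.fromhex("510601000005")
    tag, raw = decode_vlan_avps(posted)[TUNNEL_PRIVATE_GROUP_ID]
    print("tag=%d raw=%r text=%r" % (tag, raw, group_id_text(raw)))  # text is None: not ASCII
```

The same group string encoded as a tagged string for VLAN 5 would be 4 octets long (hex 51040135), so a length-6 attribute 81 whose value starts 01 00 00 is a tagged integer layout applied to a string attribute.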