Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

Horschtel Fri, 11 Mar 2005 00:21:26 -0800

>You are missing:
>
>   aaa authentication network default group radius
>
>The attributes you posted earlier are correct.  You can also specify
>the VLAN name instead of the number which may help you if the VLAN ids
>are different on different networks.
>
>--
>DaveD
>
Thanks for help but my switch doesn't know this command. Is it possible that 
the IOS 12.1(11)EA VLAN Assignment with 802.1x not supported?

>On Mar 10, 2005, at 7:51 AM, Horschtel wrote:
>
>>
>>
>> I try but it doesn't work. I try another radius server and it failed
>> also. I the properties of the Attribute 81 I see should be a string.
>> So I think I did a mistake on the switch configuration. I post the
>> configuration here :
>>
>>
>> Current configuration : 3985 bytes
>> !
>> version 12.1
>> no service pad
>> service timestamps debug uptime
>> service timestamps log uptime
>> service password-encryption
>> !
>> hostname rum34
>> !
>> aaa new-model
>> aaa authentication login default line enable
>> aaa authentication dot1x default group radius
>> enable secret 5 xxxx.
>> enable password 7 xxxx
>> !
>> ip subnet-zero
>> ip domain-name mms-dresden.de
>> !
>> !
>> spanning-tree extend system-id
>> no spanning-tree vlan 65
>> …
>> no spanning-tree vlan 255
>> !
>> !
>> interface FastEthernet0/1
>>  switchport mode trunk
>>  no ip address
>> !
>> interface FastEthernet0/2
>>  switchport access vlan dynamic
>>  switchport mode access
>>  no ip address
>>  spanning-tree portfast
>> !
>> interface FastEthernet0/3
>>  switchport mode access
>>  no ip address
>> !
>> interface FastEthernet0/4
>>  no ip address
>> !
>> interface FastEthernet0/5
>>  no ip address
>>  shutdown
>> !
>> interface FastEthernet0/6
>>  no ip address
>> !
>> interface FastEthernet0/7
>>  no ip address
>> !
>> interface FastEthernet0/8
>>  no ip address
>> !
>> interface FastEthernet0/9
>>  switchport mode access
>>  no ip address
>>  dot1x port-control auto
>> !
>> interface FastEthernet0/10
>>  no ip address
>> !
>> interface FastEthernet0/11
>>  no ip address
>> !
>> interface FastEthernet0/12
>>  no ip address
>> !
>> interface GigabitEthernet0/1
>>  no ip address
>> !
>> interface GigabitEthernet0/2
>>  no ip address
>> !
>> interface Vlan1
>>  ip address xxx.xxx.xxx.209 255.255.255.0
>>  no ip route-cache
>> !
>> ip default-gateway xxx.xxx.xxx.1
>> ip http server
>> !
>> snmp-server engineID local 800000090300000BBE855001
>> snmp-server group grp_snmp v3 auth
>> snmp-server community xxx RO
>> snmp-server enable traps snmp linkdown linkup
>> snmp-server host xxx.xxx.xxx.101 version 2c pub
>> radius-server host xxx.xxx.xxx.2 auth-port 1812 acct-port 1813 key xxx
>> radius-server retransmit 3
>> !
>> line con 0
>>  ip netmask-format decimal
>> line vty 0 4
>>  password 7 xxxxx
>> line vty 5 15
>>  password 7xxxxxx
>> !
>> ntp clock-period 17179903
>> ntp server xxx.xxx.xxx.196
>> end
>>
>> ---------- Original Message ----------------------------------
>> From: David ROUMANET <[EMAIL PROTECTED]>
>> Reply-To: freeradius-users@lists.freeradius.org
>> Date:  Thu, 10 Mar 2005 10:27:28 +0100
>>
>>> Try this :
>>> Tunnel-Type := VLAN,
>>> Tunnel-Medium-Type := IEEE-802,
>>> Tunnel-Private-Group-Id := 13,
>>>
>>> It works on my FreeRADIUS
>>>
>>>
>>> Horschtel a écrit :
>>>
>>>> Hi my situation is freeradius give the switch wrong attribute
>>>> parameters.
>>>>
>>>> The “users” config file says:
>>>>
>>>> …
>>>> Username  Auth-Type == EAP, User-Password == “xxx”
>>>>    Framed-Type = Framed,
>>>>    Tunnel-Medium-Type:1 = 6,
>>>>    Tunnel-Type:1 = 13,
>>>>    Tunnel-Private-Group-ID:1 = 13
>>>> ….
>>>>
>>>> on freeradius debuging I can see:
>>>>
>>>> …..
>>>> Sending Acces-Accept of id 59 to xxx.xxx.xxx.xxx:1812
>>>>    Tunnel-Medium-Type:1 =  IEEE-802
>>>>    Tunnel-Type:1 = VLAN
>>>>    Tunnel-Private-Group-Id = “13”
>>>> ……
>>>>
>>>> and that’s the problem. I think the Tunnel-Private-Group-Id is not
>>>> more an
>>>> Integer
>>>>
>>>> The Switch Radius Debug
>>>>
>>>> 04:57:06:         Attribute 65 6 01000006
>>>> 04:57:06:         Attribute 64 6 0100000D
>>>> 04:57:06:         Attribute 81 5 0131334F
>>>>
>>>> Attribute 65 and 64 are ok but Attribute 81 is the problem
>>>>
>>>>
>>>>
>>>>
>>>> ________________________________________________________________
>>>> Sent via the WebMail system at oleco.net
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>>
>>>>
>>>
>>> --
>>> CICG <http://www.grenet.fr/>David ROUMANET
>>> Tel : 04 76 51 46 08
>>> *C*entre *I*nterUniversitaire de *C*alcul *G*renoblois
>>>
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>>
>>
>>
>> ________________________________________________________________
>> Sent via the WebMail system at oleco.net
>>
>>
>>
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>





________________________________________________________________
Sent via the WebMail system at oleco.net






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

Reply via email to
