We read all dynamic VLAN related posts in this mailing list archive, but still can't get it to work, even though the authentication is working well.

We are trying to get dynamic VLAN assignment from FreeRADIUS version .... with a local user database using EAP-TTLS/PAP. The client PC was able to authenticate, but it is not in the intended VLAN (dynamic VLAN assignment is not working). Any suggestion is highly appreciated.

FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu

DEBUG INFO

TTLS: Got tunneled reply RADIUS code 2
        Service-Type = Framed-User
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = "552"
Wed Nov 7 11:48:33 2007 : Debug: TTLS: Got tunneled Access-Accept
Wed Nov 7 11:48:33 2007 : Debug: rlm_eap: Freeing handler
Wed Nov 7 11:48:33 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 29
Wed Nov 7 11:48:33 2007 : Debug: modcall[authenticate]: module "eap" returns ok for request 29
Wed Nov 7 11:48:33 2007 : Debug: modcall: leaving group authenticate (returns ok) for request 29
Sending Access-Accept of id 4 to 128.186.252.8 port 1645

USER FILE

userx Cleartext-Password := "hello"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = "552"

"debug dot1x all" on the Cisco showed that the switch successfully assigns vlan 0 to fa0/2 (the dot1x-enabled port) after authentication. We think this means the VLAN is not communicated between FreeRADIUS and the switch, but we don't know why.

The test switch is a Cisco 3550 running IOS 12.2(35)SE. I have also tried the configuration in the FreeRADIUS wiki, with the same result:

aaa new model
aaa authorization network default group radius
aaa authentication dot1x default group radius

and dot1x system-auth-control. fa0/2 is my test port.

med-res-t#sh run
Building configuration...

Current configuration : 3450 bytes
!
! Last configuration change at 11:19:46 eastern Wed Nov 7 2007 by cisco
! NVRAM config last updated at 11:17:30 eastern Wed Nov 7 2007 by cisco
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname med-res-t
!
logging buffered 65536 debugging
no logging console
enable secret 5 *****
!
username cisco privilege 15 secret 5 *******
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
!
aaa session-id common
clock timezone eastern -5
ip subnet-zero
ip domain-name test.edu
!
ip ssh version 2
vtp mode transparent
!
!
!
!
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100,200
!
!
vlan 552
 name test-fwsm-lan
!
vlan 553
 name retricted-vlan
!
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
!
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 543,552
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan552
 ip address 10.128.252.8 255.255.255.0
!
ip default-gateway 10.128.252.1
ip classless
ip http server
ip http secure-server
!
!
radius-server host 10.128.33.163 auth-port 1612 acct-port 1646 key 7 070C285F4D06
radius-server source-ports 1645-1646
!
control-plane
!
line con 0
line vty 5 15
!
ntp clock-period 17179941
ntp server 10.128.8.8
end
med-res-t#

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
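The trace in the post shows the Tunnel-* attributes under "Got tunneled reply" (the inner, EAP-TTLS side) but lists nothing under "Sending Access-Accept", which is the only reply the switch ever sees. The script below is an added diagnostic written for this page; it is not code from the post, from FreeRADIUS or from Cisco. It parses a FreeRADIUS 1.x debug trace and reports whether a complete VLAN attribute set (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-Id) reaches the outer Access-Accept. It assumes the 1.x debug layout of one indented "Name = value" line per attribute beneath the line that introduces the reply; the "working" trace is constructed here to show the contrast.

```python
"""Added diagnostic (not from the post): does the VLAN attribute trio in a
FreeRADIUS 1.x TTLS debug trace reach the outer Access-Accept?  The indented
one-attribute-per-line layout is assumed from the 1.x debug format."""
import re

# One indented attribute line, with an optional RADIUS tag such as "Tunnel-Type:0".
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*?)\s*$')

# Constructed from the trace in the post: the tunneled reply carries the VLAN
# trio, while the Access-Accept sent to the NAS is followed by no attributes.
TRACE_FROM_POST = """\
TTLS: Got tunneled reply RADIUS code 2
        Service-Type = Framed-User
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = "552"
Wed Nov 7 11:48:33 2007 : Debug: TTLS: Got tunneled Access-Accept
Wed Nov 7 11:48:33 2007 : Debug: rlm_eap: Freeing handler
Sending Access-Accept of id 4 to 128.186.252.8 port 1645
"""

# Constructed (hypothetical) trace of a working setup: the same trio also
# appears under the outer Access-Accept.
TRACE_WORKING = TRACE_FROM_POST + """\
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = "552"
"""


def parse_replies(debug_text):
    """Return {'inner': {...}, 'outer': {...}}: lower-cased attribute name -> value
    for the tunneled reply and for the Access-Accept sent to the NAS."""
    replies = {'inner': {}, 'outer': {}}
    current = None
    for line in debug_text.splitlines():
        if 'Got tunneled reply' in line:
            current = 'inner'
            continue
        if 'Sending Access-Accept' in line:
            current = 'outer'
            continue
        match = ATTR_RE.match(line)
        if match and current:
            replies[current][match.group(1).lower()] = match.group(2).strip('"')
        else:
            current = None  # any non-attribute line ends the current reply
    return replies


def vlan_assignment(attrs):
    """Return the VLAN id this attribute set assigns, or None unless Tunnel-Type=VLAN,
    Tunnel-Medium-Type=802 (IEEE-802) and Tunnel-Private-Group-Id are all present."""
    if attrs.get('tunnel-type') != 'VLAN':
        return None
    if attrs.get('tunnel-medium-type') not in ('802', 'IEEE-802'):
        return None
    return attrs.get('tunnel-private-group-id')


def diagnose(debug_text):
    """Classify a trace as 'ok', 'inner-only' or 'none' with a short explanation."""
    replies = parse_replies(debug_text)
    inner = vlan_assignment(replies['inner'])
    outer = vlan_assignment(replies['outer'])
    if outer:
        return 'ok: outer Access-Accept assigns VLAN %s' % outer
    if inner:
        return ('inner-only: tunneled reply assigns VLAN %s but the outer '
                'Access-Accept carries no VLAN attributes' % inner)
    return 'none: no complete Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id set'


if __name__ == '__main__':
    print(diagnose(TRACE_FROM_POST))
    print(diagnose(TRACE_WORKING))
```

Run against the trace from the post it reports "inner-only", which matches the switch placing the port in vlan 0: the authenticator acts only on attributes in the outer Access-Accept, not on what the inner TTLS reply contained. In FreeRADIUS 1.x, whether inner reply attributes are copied into the outer reply is controlled by the use_tunneled_reply setting in the ttls section of eap.conf, so that is the setting to verify when a trace comes out "inner-only".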