UAC 4500 3.0 with Cisco Switches 802.1x and VLANs

Deimark_ · ‎08-24-2009

Hi all

Yup, I know cisco aint popular round here but I have a limitation on a customer site where Ciscos are the layer 2 devices.

Am trying to get the 802.1x working through the IC and I am almost there.

I have got the user auth working fine and the IC sends the VLAN tag down the wire but it does not seem to be accepted by the cisco.

I have the followng configured:

1. Role map to map my test user to "test" role

2. Test role is assigned the VLAN=10

3. Cisco switch added as RADIUS client (set as cisco)

In the logs, I see my test user authenitcate via RADIUS and get assigned the correct VLAN.

I have also tried adding another attribute to the info for the RADIUS attributes of Tunnel-Private-Group-ID with teh VLAN name (as it seems the cisco wants the name sent, not the VLAN number) but to no avail.

My cisco config for the relevant settings are:

aaa new-model
aaa authentication dot1x default group radius
enable secret 5 $1$6FRK$vPQCfaxF0ZFIiifROUQ8h/

dot1x system-auth-control

interface FastEthernet0/22
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/23
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
!

radius-server host 192.168.9.55 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key *******

Am I missing something from the cisco config to make it work with UAC?

Any assistance here would be great.

TIA

DM

StanislasP_ · ‎08-27-2009

Hi,

when you select VLAN in Radius Attribute Policy, it replace the following three attributes:

Tunnel-Type : Set this to VLAN (type 13).

Tunnel-Medium-Type : Set this to 802 (type 6)

Tunnel-Private-Group-ID : Set this to VLAN ID.

configuration of switch must contain (validated on 3750) :

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

dot1x system-auth-control

radius-server attribute 8 include-in-access-req
radius-server host XXXXXX auth-port 1645 acct-port 1646 key <KEY>

interface FastEthernet0/48
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period server
dot1x reauthentication
spanning-tree portfast

Deimark_ · ‎08-27-2009

Thanks for posting

I forgot to metnion, in my test envirinment, I am using Cisco 2950s, running 12.1 (yes, I am aware that its old, but so are the boxes. )

Some of the config you have listed for the switch, is not available to me which I suspect is due to the old version of IOS I have, however, the problem I see is that even after setting the Tunnel-Private-Group-ID as a specifi parameter (to make sure I definitely have the right info being sent) I still see no errors or recognistion on the switch.

Ah well, i will keep at this and try to get a newer version of IOS in case its the version mismatch.

Thanks

StanislasP_ · ‎08-27-2009

The next configuration was validated on the version 12.1:
C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

dot1x system-auth-control

interface FastEthernet0/48
switchport mode access
dot1x port-control auto
dot1x timeout reauth-period server
dot1x reauthentication
spanning-tree portfast

radius-server host XXXXXXXXX auth-port 1645 acct-port 1646 key <KEY>
radius-server retransmit 3

Deimark_ · ‎08-27-2009

Excellent, thanks for that. I could not find any example config to sue on 2950s.

I will give this a go and get back to you if Imamange to make a mes of it.

Thanks again.

DM

UAC 4500 3.0 with Cisco Switches 802.1x and VLANs

UAC 4500 3.0 with Cisco Switches 802.1x and VLANs

Re: UAC 4500 3.0 with Cisco Switches 802.1x and VLANs

Re: UAC 4500 3.0 with Cisco Switches 802.1x and VLANs

Re: UAC 4500 3.0 with Cisco Switches 802.1x and VLANs

Re: UAC 4500 3.0 with Cisco Switches 802.1x and VLANs