Cisco AAA/Identity/Nac :: Use 802.1x To Authenticate Clients On Network With Dynamic VLAN Assignment From RADIUS?
Apr 11, 2013
I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones(powered by PoE) that only supports EAP-MD5, and we would rather use MAB(it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phones vendor. The following scenario works perfect:Connect the phone and let it boot up(takes a while) and authenticate with MAB.Connect a computer in the phones data-port and let it authenticate with 802.1x(or fail and reach guest-vlan) However, the following scenario doesn't work:The computer is already connected to the phoneThe phone is then connected to the switch What happends now is that the computer is authenticated using 802.1x before the phone boots up and get's authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period(let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message(which is weird since the mac has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the mac from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phones-mac as `mab auth sucess `.why the first scenario works, and not the second?
The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config: network-policy profile 1voice vlan 90!interface GigabitEthernet0/12switchport mode accessnetwork-policy 1authentication control-direction inauthentication event fail retry 1 action authorize vlan 60authentication event server dead action authorize vlan 60authentication event no-response action authorize vlan 60authentication event server alive action reinitializeauthentication host-mode multi-domainauthentication order mab dot1xauthentication priority mab dot1xauthentication port-control autoauthentication periodicauthentication violation replacemabdot1x pae authenticatordot1x timeout tx-period 5dot1x max-reauth-req 1spanning-tree portfast!Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).
View 2 Replies
ADVERTISEMENT
Jan 28, 2013
When the users connect their laptop they are getting a authentication prompt but the switch is not changing the VLANs on the port after successful authentication.Below are the logs on the switch
Jan 28 2013 17:21:32.417 CST: RADIUS: Framed-MTU [12] 6 1500
Jan 28 2013 17:21:32.417 CST: RADIUS: Called-Station-Id [30] 19 "E4-D3-F1-0B-C6-0A"
Jan 28 2013 17:21:32.417 CST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-A8-BD-1D"
Jan 28 2013 17:21:32.417 CST: RADIUS: EAP-Message [79] 45
[code]....
View 1 Replies
View Related
Nov 23, 2012
I`m working on Dynamic Vlan Assigmenton the basis of end user authenticatedwhoc are part of specific AD Group in c ampus enviorment.Objective: Need to assign the vlan on switch port on the basis of authenticated users OU Group in Active Directory. Eg: There are 2 OU groups in AD, Sales and Administration. Authenticated user in Sales group should get Vlan 10 and user in Admininstration Group shoudl get Vlan 20.
Components:
Cisco 3750x/Cisco 4500
ACS Version 5.2
Microsoft AD
View 1 Replies
View Related
Jan 16, 2011
I have just upgraded our WLC from 4.0 to 7.0 (via 4.2). Before the upgrade we had our ACS returning a VLAN based on user group. This seemed to be working without an issue. Now that the WLC is on version 7 this is no longer working correctly. The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
Example configuration:
SSID-----VLAN
PN-CSC-----CSCVlan: Works
PN-Others------OthersVlan: Works
PN-Others-----CSCVlan: No DHCP
When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?
View 8 Replies
View Related
Dec 13, 2012
I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. IAS and AD is running on Windows Server 2003.Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately,[code] I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.
View 16 Replies
View Related
Nov 27, 2012
Does the WAP4410N support Dynamic VLAN assignment by means of 802.1x authentication?
The reason why I ask this; I am able to configure a SSID on a WAP4410N with WPA2-Enterprise, in combination with 802.1x PEAP network authentication. I can succesfully connect Windows, Windows RT, Windows Phone, iOS and Android devices. But.. I am unable to designate them to another VLAN based on access/connection policies. For example; I want mobile devices such as iPhone and Windows Phone to be assigned to a specific VLAN. The Wireless Access Point (authenticator) must be able to support that.
This is my setup:
Spplicants: Windows 8 / iPad / ...
Authenticator: WAP4410N
Authentication Server: Microsoft NPS (Network Policy Server)
I used 802.1x PEAP (Protected EAP) with password (domain user) authentication. In fact, the suplicants communicate with 802.1x to the authenticator. The authenticator communicates with RADIUS to the authentication server. NAP is not in between. It's just plain 802.1x authentication.
wether dynamic VLAN assignment is supported?
View 5 Replies
View Related
Jul 11, 2012
I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right? Doesn't this limitation significantly reduce the usefulness of the DVA feature?
View 2 Replies
View Related
Jan 13, 2013
I want to use RADIUS (of Secure ACS 5.3) to authenticate users within an ISP environment. Users log connect to a network using a point to point connection (L2) and then they are sending a RADIUS request to get IP adresses. Secure ACS is not quite easy to look through in that case.
View 3 Replies
View Related
Sep 10, 2012
The Wireless_Employees authorization profile,assign vlan 666 for wireless employees.ISE is passing VLAN 666 to the WLC - see attachement Radius Auth-VLAN666.jpg then I look on the WLC at a wireless employee who has successuflly connected to the network, WLC is still placing him in the pre-configured VLAN 7.
1. can VLAN be pushed from ISE to the WLC (code 7.2.103) for specific user session?
View 3 Replies
View Related
May 18, 2013
I am configuring 802.1X in a 3560 Switch, my Radius server is a Microsoft IAS, when I connect a station of a guest user, the guest-vlan is not assigned in the port, and I have these logs:
May 8 21:23:02: dot1x-ev:Received an EAP Timeout on FastEthernet0/8 for mac 0000.0000.0000
May 8 21:23:02: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not
[Code].....
View 7 Replies
View Related
Aug 21, 2012
I am using several SG300-28 Switches with firmware version 1.1.2.0.I have dynamic VLAN enabled. As RADIUS server I am using free radius 2.1.12.Authentication is only based on the MAC address. (I configured that on the switches)On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches). I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just wnat to use the MAC address.
In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on free radius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the free radius log then this MAC address was successfully authorized.
The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN. If I unplug and re-plug the LAN cable in most cases the client get the correct VLAN and the correct IP. This is happening randomly on nearly all my PCs.
Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
View 14 Replies
View Related
Apr 14, 2013
We have had an active ACS unit for many years now, and we've added a second one, both are 1121 Appliances. The newer one came with 5.4, so we upgraded the older one to 5.4.
We setup replication between the two, with the newer one primary and the older one secondary. Problem is, windows based clients are unable to authenticate to the older ACS appliance. The only problem we can see is that it indicates that adclient is not running, under Monitoring & Troubleshooting, ACS Health Instance Summary.
So... been trying to figure out how to correct this, yet have been hard pressed to find a knowledgebase article that works. So far, Cisco hasn't added my smartNet on the new box so I can get some support?
View 6 Replies
View Related
Apr 14, 2011
I have a question its posible to authenticate an cisco phone and PC with the same vlan(voice and data)when i do this configuratión , the phone and pc dont work. The phone display registering and never finished.interface FastEthernet0/5 switchport mode access switchport voice vlan 1 authentication event fail action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication host-mode multi-domain authentication port-control auto authentication periodic authentication violation protect mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfastend.
View 1 Replies
View Related
Aug 7, 2011
I have Remote Access VPN users (IPsec) who are terminated on Cisco ASA 5520 (v8.2). For those users, AAA is done on the ACS. Group-policies and tunnel groups are defined on ASA. Initialy I had all VPN users defined on ASA and group policies were associated with each user. Each group policy had it’s own IP pool for users. Now, I moved users to ACS. How can I associate group policy, defined on ASA, with users group defined on ACS? Is it possible that ACS send to ASA information about IP pool for different group policy? Users will use ONE vpn profile BUT based on the Active Directory group they belong to they obtain a different IP address for each group.Can it be done ? ACS version is 5.2.
View 1 Replies
View Related
Jan 6, 2013
Is it possible to disable DCA for a couple of APs and manually force the channels assignment ?
View 3 Replies
View Related
Nov 14, 2012
We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.We do not know whether we configured switch in proper way or do we need to modify it. [code]
View 5 Replies
View Related
Nov 5, 2012
We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic address. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.
My testing shows packets just dying in the 5520.
View 1 Replies
View Related
Nov 10, 2011
I am not sure what I am trying to do is possible, so I thought I would pose the question on here. In ACS 5.3, I would like to use an RSA server and AD to authenticate my network devices. So when I log into a router or switch I would enter my AD username, be prompted for my RSA token, then when I enable be prompted for my AD password, or visa versa. how to write an access policy to achive this?
View 2 Replies
View Related
Jan 30, 2013
I have been trying to set this up for like 4 hours. What a waste of time. This should be as easy as punching in the IP and password for the radius server. It isn't.I have a brand new SG-300-10. LATEST firmwawre, I just updated it about 5 minutes ago. 1.2.7.6 I think.This is what I have done so far in the GUI: (I have CLI access too if necessary)
Security > RADIUS and entered my radius IP/secret there.
Security > Access Management Profiles > Create new template called ALL that permits access to all applications. Set it as active also.
Security > Management Access Authentication > For HTTP and SSH
I put RADIUS first then Local second.My radius server works. As I type this message I am logging in via radius with OpenBSD/Centos even Fedora. (If OpenBSD can do it, these switches can do it.)But whenever I try to login with RADIUS credentials to my switch, I get no logs or any connectivity reports on my radius server? Is the switch even attempting to contact the server? The logs dont show anything regarding RADIUS. I am trying a reboot now, but I don't think that should be necessary.Is there a step I missed? When first looking at this I expected it to be done in 5 minutes. I have been on this for lik 4 hours. Isimply want to login to the administration console (web gui) using RADIUS credentials.
View 5 Replies
View Related
Sep 8, 2011
I am transitioning from RADIUS auth to local auth and i don't want to hassle everyone to change in one hit.If i can get auth requests to look in the WLC local net db first and if not found try RADIUS then this is what i am after! You can easily do it with web auth but doesnt seem so easy via WPA2 method.
View 1 Replies
View Related
Apr 3, 2013
Is it possible to have ASDM and SSH authenticate via different means on a RADIUS server? In particular, I have a single aaa-server group that's used for both ASDM and SSH, but I want to limit ASDM access to only a particular group in Active Directory (for example). I looked at various different requests (from the server's perspective) to see if there was a way that they (ASDM requests and SSH requests) were differentiated but was unable to find any. It would be ideal if there was something inherent about the RADIUS request coming from ASDM vs SSH so that I could build that decision making into the RADIUS server.I know I could do this by just using a different aaa-server group for each access method, but I want to avoid that if possible.
View 7 Replies
View Related
Apr 8, 2013
I was wondering if it is possible to do dynamic VLAN assignment on the Cisco Wireless Controller 5508 without using Cisco ACS but use Microsoft NPS server instead?
View 3 Replies
View Related
Feb 5, 2013
We use a Flex7500 with local switching and centeral authentication. My question is can i use the Customer's radius server in order to authenticate? or should my WLC have IP conncetivity to any radius server im adding?I guess what i'm really asking is should my WLC know the radius server or does the request can go back to the AP and from there to customer radius on his subnet?
View 6 Replies
View Related
Feb 22, 2013
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
View 6 Replies
View Related
Dec 18, 2011
I'm using a radius server to authenticate ssh when connecting to my company's switches (a 3560 + several 2960s).
Everywhere I've looked claims that using the line 'transport input ssh' in my switch config should disable telnet access and allow ssh only. But after changing 'transport input ssh telnet' to 'transport input ssh' I can still connect to all of the switches from telnet. I can't block telnet with ACLs either because my company uses a telnet based terminal client to do most of their work.
I don't have much experience with radius. How do I stop telnet connections when using radius to authenticate?
View 5 Replies
View Related
Apr 19, 2011
I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.
I am not sure if Cisco ACS 5.2 support RADIUS protocol to do device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication and I have configured it and it works. If CISCO ACS 5.2 supports RADIUS auth for device authentication?
View 1 Replies
View Related
Feb 6, 2012
I was wondering if i should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those i was using on my old ACS v3.3 server.
Example : under ACS v3.3 i was using RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should i do the same under ACS v5.1 ?
View 2 Replies
View Related
May 1, 2013
I'm trying to configure ACS 5.4 as radius server for network access (PPP connections).In monitoring and reports the users have green color , but the clients cannot send data. Auth method is CHAP/MD5.
Allowed protocols are set to CHAP and PAP only.
View 5 Replies
View Related
Jun 19, 2011
this is ASA5520 associate with 8.4(1). very simple scenario , three ports: inside . outside . DMZ my problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.
for example, this is my configuration
**** first i configured Regular Dynamic PAT****
object network myinside
subnet 10.200.11.0 255.255.255.0
nat (inside,outside) dynamic interface
**** then , i met problem when i want to make identity NAT between inside and DMZ****
**** if i add below CLI , the first nat line will be replaced ****
**** SO IF I ADD THIS****
[code]......
View 4 Replies
View Related
Dec 1, 2011
my admin user is still being assigned privilege level 1, as shown in AAA Protocol > TACACS+ Authentication Details report.The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I setup for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have.So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilge but that does not work without the "aaa authorization exec" command in the configuration?
View 1 Replies
View Related
Jun 7, 2011
how I can assign a static IP to a user in ACS 5.2. I am able to do it in ACS 4.2, but I don't see the same options under 5.2. General idea is that users authenticate from our VPN appliance via RADIUS, and upon authentication, their static IP is passed back to the VPN device. I can attach an arbitrary field to my local users by going to System Administration -> Configuration -> Dictionaries -> Identity -> Internal Users, but how do I get that IP address passed back when the user is authenticated via Radius?
View 1 Replies
View Related
Apr 26, 2011
my customer has FreeRadius, and I'm trying to get the server to assign a network admin role to a 5K running 5.0.3 code.This is based on the example given in this document: url...The server authenticates the user name, but will only put the user into the network operator role. This is confirmed by checking the output of show user-account and debug security user-db.The Radius test using the same credentials passes the authentication test. I'm sure the problem is that the N5K dosent understand the VSA format of the attribute, and that this is a simple syntax problem.
View 2 Replies
View Related
Aug 30, 2012
Having an issue with Macbook authentication. All Macbooks at this one site, on same switch, going to same RADIUS server, work except for one. Looking at logs it appears server and client never exchange certificates. Attached is log for failed Macbook authentication.
View 4 Replies
View Related