Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

Øystein Gåsdal dal at alesund.kommune.no
Thu Oct 6 12:06:20 CEST 2005


I think you need to apply this command to the port:
switchport access vlan dynamic
 
- Øystein Gåsdal

  _____  

From: HOWLETT C DsicEmi [mailto:Claire.Howlett at socgen.com] 
Sent: 6. oktober 2005 10:54
To: freeradius-users at lists.freeradius.org
Subject: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950


Hi Everyone,
 
Dave,
Are you sure the command aaa authentication network default group radius is
valid on 2950 switches? I am running Version 12.1(22)EA5, which was the
last stable image in July, and "network" is not available as an aaa
authentication option.
 
If anyone has had any success with dynamic VLAN assignment on Cisco 2950
with FreeRADIUS, I am interested!
Here is how my user is declared:
 
Client_Arpege Auth-Type := EAP
	Service-Type = Framed-User,
	Reply-Message = "Authentification OK - Bienvenue sur le RCSG",
	Tunnel-Type = :1:VLAN,
	Tunnel-Medium-Type = :1:6,
	Tunnel-Private-Group-ID = :1:140
 
:1: is used to give the tags a value of 1; 6 is interpreted by FreeRADIUS as
IEEE-802.
I have checked with Ethereal and the packet sent seems OK. I think the
problem comes from the switch.
Here is the configuration file:

!
version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname Switch802_1x
!
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting dot1x default start-stop group radius
enable password ********
!
username admin secret 5 $1$IqQs$tJ9S4pfeDfZR42vlaFrbQ1
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 136
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 136
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 136
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 136
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 141
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.e6a7.09d8
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport mode access
 dot1x port-control auto 
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport trunk native vlan 136
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan136
 ip address XX.XX.XX.XX 255.255.255.0
 no ip route-cache
!
ip default-gateway YY.YY.YY.YY
ip http server
logging trap notifications
logging facility local6
logging ZZ.ZZ.ZZ.ZZ
radius-server host ZZ.ZZ.ZZ.ZZ auth-port 1812 acct-port 1813 key testing123
radius-server retransmit 3
!
line con 0
 exec-timeout 0 0
 password ********
line vty 0 4
 exec-timeout 0 0
 password ********
line vty 5 15
 exec-timeout 0 0
 password ********
!
!
end

 
The client is connected to port 0/23, which is dot1x enabled. It is
authenticated (the interface is up and the logs in FreeRADIUS prove that it's OK),
BUT interface 0/23 remains in VLAN 1, whereas it should be switched to VLAN
140.
Switch802_1x#sh vlan brief
 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Gi0/1, Gi0/2
136  reseau_PFT-DEF                   active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
140  VLAN0140                         active
141  VLAN0141                         active    Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
 
 
If anyone can help me... I am losing hope ;-(
 
Claire, claire.howlett at socgen.com


=======================================================

This message and any attachments (the "message") are confidential
and intended solely for the addressees.
Any unauthorized use or dissemination is prohibited. 
E-mails are susceptible to alteration. 
Neither SOCIETE GENERALE nor any of its subsidiaries or affiliates
shall be liable for the message if altered, changed or falsified. 

=======================================================
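The users-file entry quoted above relies on the RFC 2868 tag octet: FreeRADIUS turns ":1:" into a first value octet of 0x01 on each of Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, and a switch only applies the VLAN when all three carry the same tag, Tunnel-Type is 13 (VLAN) and Tunnel-Medium-Type is 6 (IEEE-802). The script below is an added example and is not code from this thread or from FreeRADIUS: it encodes those three attributes exactly as they appear on the wire, decodes an attribute list the way a switch would (including the rule that a leading octet above 0x1F on the group ID is part of the string, not a tag), and reports why a triple would be rejected. The function names, the sample attribute bytes and the deliberately mis-tagged example are constructed for this illustration; it uses only the Python 3 standard library.

```python
# Added example (not from the mailing-list thread): encode the RFC 2868 tunnel
# attributes behind ":1:VLAN / :1:6 / :1:140" and check a decoded Access-Accept
# the way a switch does. Names and sample bytes are constructed for illustration.

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580 Tunnel-Type value for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value for "802"
MAX_TAG = 0x1F               # tags are 0x01..0x1F; 0x00 means "untagged"


def _check_tag(tag):
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0 (untagged) or 1..31")


def tagged_int_avp(attr_type, tag, value):
    """Tagged integer AVP: type, length, tag octet, 3-octet big-endian value."""
    _check_tag(tag)
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integers carry only 24 bits of value")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_string_avp(attr_type, tag, text):
    """Tagged string AVP: tag octet (omitted when 0) followed by the string."""
    _check_tag(tag)
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("RADIUS attribute payload is limited to 253 octets")
    return bytes([attr_type, 2 + len(body)]) + body


def decode_avps(payload):
    """Parse a RADIUS attribute list into (type, tag, value) tuples.

    On Tunnel-Private-Group-ID a leading octet of 0x00..0x1F is a tag; anything
    larger is the first character of the string (RFC 2868 section 3.6).
    """
    avps, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        data = payload[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(data) != 4:
                raise ValueError("tagged integer must be 4 octets")
            avps.append((attr_type, data[0], int.from_bytes(data[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if data and data[0] <= MAX_TAG:
                avps.append((attr_type, data[0], data[1:].decode("ascii")))
            else:
                avps.append((attr_type, 0, data.decode("ascii")))
        else:
            avps.append((attr_type, None, bytes(data)))
        i += length
    return avps


def check_vlan_assignment(avps):
    """Return (vlan, problems); vlan is set only when the triple is consistent."""
    problems, first = [], {}
    for attr_type, tag, value in avps:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            first.setdefault(attr_type, (tag, value))   # switch uses the first of each
    for attr_type, name in ((TUNNEL_TYPE, "Tunnel-Type"),
                            (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type"),
                            (TUNNEL_PRIVATE_GROUP_ID, "Tunnel-Private-Group-ID")):
        if attr_type not in first:
            problems.append("missing " + name)
    if problems:
        return None, problems
    tags = {first[t][0] for t in first}
    if len(tags) != 1:
        problems.append("tags differ across the three attributes: %s" % sorted(tags))
    if first[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is %d, expected 13 (VLAN)" % first[TUNNEL_TYPE][1])
    if first[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is %d, expected 6 (IEEE-802)"
                        % first[TUNNEL_MEDIUM_TYPE][1])
    if not first[TUNNEL_PRIVATE_GROUP_ID][1]:
        problems.append("empty Tunnel-Private-Group-ID")
    return (first[TUNNEL_PRIVATE_GROUP_ID][1] if not problems else None), problems


def build_vlan_accept_attrs(vlan, tag=1):
    """Attribute bytes equivalent to the three reply items in the quoted users entry."""
    return (tagged_int_avp(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int_avp(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string_avp(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))


if __name__ == "__main__":
    good = build_vlan_accept_attrs("140")
    print(good.hex())                                      # what Ethereal would show
    print(check_vlan_assignment(decode_avps(good)))
    # Constructed mistake: group ID tagged :2: while the other two are :1:.
    bad = (tagged_int_avp(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
           + tagged_int_avp(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
           + tagged_string_avp(TUNNEL_PRIVATE_GROUP_ID, 2, "140"))
    print(check_vlan_assignment(decode_avps(bad)))
```

Pasting the attribute bytes of a captured Access-Accept into decode_avps gives a quick way to confirm that the RADIUS side matches what the users entry intends before turning to the switch: the script can only vouch for the packet, and as the thread notes, a correct triple still does nothing unless the switch is configured to honour it.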
