<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2722" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=218370210-06102005><FONT face=Arial
color=#0000ff size=2>I think you need to apply this command to the
port:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=218370210-06102005><FONT face=Arial
color=#0000ff size=2>switchport access vlan dynamic</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=218370210-06102005><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=218370210-06102005><FONT face=Arial
color=#0000ff size=2>- Øystein Gåsdal</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> HOWLETT C DsicEmi
[mailto:Claire.Howlett@socgen.com] <BR><B>Sent:</B> 6 October 2005
10:54<BR><B>To:</B> freeradius-users@lists.freeradius.org<BR><B>Subject:</B>
Using freeradius and 802.1x for dynamic VLAN on Cisco 2950<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Arial size=2><SPAN class=843194707-06102005>Hi
Everyone,</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=843194707-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=843194707-06102005>Dave,</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=843194707-06102005>Are you sure the
command <EM>aaa authentication network default group radius</EM> is valid
on 2950 switches? I am running Version 12.1(22)EA5, which was the last stable
image in July, and "network" is not available as an aaa authentication
option.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=843194707-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=843194707-06102005>If anyone has had
any success with dynamic VLAN assignment on Cisco 29502 with FreeRadius, I
am interested!</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN class=843194707-06102005>Here is how my user
is declared:</SPAN></FONT></DIV>
<DIV><FONT size=+0><SPAN class=843194707-06102005> </DIV>
<DIV><FONT face=Arial size=2>Client_Arpege Auth-Type := EAP</FONT></DIV>
<DIV><FONT face=Arial size=2>Service-Type = Framed-User,</FONT></DIV>
<DIV><FONT face=Arial size=2>Reply-Message = "Authentification OK - Bienvenue
sur le RCSG",</FONT></DIV>
<DIV><FONT face=Arial size=2>Tunnel-Type = :1:VLAN,</FONT></DIV>
<DIV><FONT face=Arial size=2>Tunnel-Medium-Type = :1:6,</FONT></DIV>
<DIV><FONT face=Arial size=2>Tunnel-Private-Group-ID = :1:140</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV></SPAN></FONT><SPAN class=843194707-06102005><FONT face=Arial size=2>:1:
is used to give the tags a value of 1; 6 is interpreted by FreeRadius as IEEE-802.
</FONT></SPAN></DIV>
<DIV><SPAN class=843194707-06102005><FONT face=Arial size=2>I have checked with
Ethereal and the packet sent seems OK. I think the problem comes from the
switch.</FONT></SPAN></DIV>
<DIV><SPAN class=843194707-06102005><FONT face=Arial size=2>Here is the
configuration file:</FONT></SPAN></DIV><SPAN class=843194707-06102005>
<DIV><BR><FONT face=Arial size=2>!<BR>version 12.1<BR>no service pad<BR>service
timestamps debug datetime msec localtime<BR>service timestamps log datetime msec
localtime<BR>no service password-encryption<BR>!<BR>hostname
Switch802_1x<BR>!<BR>aaa new-model<BR>aaa authentication login default group
radius local<BR>aaa authentication dot1x default group radius<BR>aaa
authorization exec default group radius if-authenticated<BR>aaa accounting dot1x
default start-stop group radius<BR>enable password ********<BR>!<BR>username
admin secret 5 $1$IqQs$tJ9S4pfeDfZR42vlaFrbQ1<BR>ip
subnet-zero<BR>!<BR>!<BR>spanning-tree mode pvst<BR>no spanning-tree optimize
bpdu transmission<BR>spanning-tree extend system-id<BR>dot1x
system-auth-control<BR>!<BR>!<BR>!<BR>!<BR>interface
FastEthernet0/1<BR> switchport access vlan 136<BR> switchport mode
access<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/2<BR> switchport access vlan 136<BR> switchport mode
access<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/3<BR> switchport access vlan 136<BR> switchport mode
access<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/4<BR> switchport access vlan 136<BR> switchport mode
access<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/5<BR> switchport mode access<BR> dot1x port-control auto
<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/6<BR> switchport mode access<BR> dot1x port-control auto
<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/7<BR> switchport mode access<BR> dot1x port-control auto
<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/8<BR> switchport mode access<BR> dot1x port-control auto
<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/9<BR> switchport mode access<BR> dot1x port-control auto
<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/10<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/11<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/12<BR> switchport access vlan 141<BR> switchport mode
access<BR> switchport port-security<BR> switchport port-security
mac-address sticky<BR> switchport port-security mac-address sticky
0001.e6a7.09d8<BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/13<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/14<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/15<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/16<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/17<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/18<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/19<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/20<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/21<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/22<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/23<BR> switchport mode access<BR> dot1x port-control
auto <BR> spanning-tree portfast<BR>!<BR>interface
FastEthernet0/24<BR> switchport trunk native vlan 136<BR> switchport
mode trunk<BR>!<BR>interface GigabitEthernet0/1<BR>!<BR>interface
GigabitEthernet0/2<BR>!<BR>interface Vlan1<BR> no ip address<BR> no ip
route-cache<BR> shutdown<BR>!<BR>interface Vlan136<BR> ip address
XX.XX.XX.XX 255.255.255.0<BR> no ip route-cache<BR>!<BR>ip default-gateway
YY.YY.YY.YY<BR>ip http server<BR>logging trap notifications<BR>logging facility
local6<BR>logging ZZ.ZZ.ZZ.ZZ<BR>radius-server host ZZ.ZZ.ZZ.ZZ auth-port 1812
acct-port 1813 key testing123<BR>radius-server retransmit 3<BR>!<BR>line con
0<BR> exec-timeout 0 0<BR> password ********<BR>line vty 0
4<BR> exec-timeout 0 0<BR> password ********<BR>line vty 5
15<BR> exec-timeout 0 0<BR> password
********<BR>!<BR>!<BR>end<BR></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><SPAN class=843194707-06102005><FONT face=Arial size=2>The Client is
connected to port 0/23 which is dot1x enabled. It is authenticated (interface is
up and logs in Freeradius prove that it's OK) BUT interface 0/23 remains in
vlan 1, whereas it should be switched to vlan 140.</FONT></SPAN></DIV>
<DIV><SPAN class=843194707-06102005><FONT face=Arial size=2>Switch802_1x#sh vlan
brief</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV><SPAN class=843194707-06102005><FONT face=Arial size=2><PRE>VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
<STRONG>1    default</STRONG>                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, <STRONG>Fa0/23</STRONG>, Gi0/1, Gi0/2
136  reseau_PFT-DEF                   active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
140  VLAN0140                         active
141  VLAN0141                         active    Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup</PRE></FONT> </SPAN></DIV></SPAN>
<DIV><SPAN class=843194707-06102005><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=843194707-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=843194707-06102005>If anyone can help
me... I am losing hope ;-(</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=843194707-06102005></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=843194707-06102005>Claire,
claire.howlett@socgen.com</SPAN></FONT></DIV></BODY></HTML>
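Added example, not part of the original e-mails: the `:1:` tag and the `6` = IEEE-802 value described in the message map onto the tagged tunnel attributes of RFC 2868, and RFC 3580 specifies Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 and the VLAN ID as a string for VLAN assignment. The Python below decodes those attributes from the raw attribute bytes of an Access-Accept, as copied from a capture, and reports the VLAN only when one tag carries the full set; the function names and sample bytes are constructed for illustration.

```python
# Added example: decode RFC 2868 tagged tunnel attributes from RADIUS attribute bytes.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # values RFC 3580 specifies for VLAN assignment

# Constructed sample: Service-Type=Framed-User, then the three tunnel
# attributes with tag 1 and VLAN "140", mirroring the user entry above.
SAMPLE = bytes.fromhex("060600000002" "40060100000d" "410601000006" "510601313430")


def parse_attributes(data: bytes):
    """Yield (type, value) for each type-length-value attribute in the block."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, data[i + 2:i + alen]
        i += alen


def decode_tunnel(data: bytes) -> dict:
    """Group tunnel attributes by tag: {tag: {"type": n, "medium": n, "vlan": str}}."""
    tunnels = {}
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:  # one tag octet plus a 3-octet integer
                raise ValueError(f"attribute {atype} must carry 4 octets")
            key = "type" if atype == TUNNEL_TYPE else "medium"
            tunnels.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet of 0x01..0x1F is a tag; anything else is already text.
            if value and 0 < value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            tunnels.setdefault(tag, {})["vlan"] = text.decode("ascii")
    return tunnels


def vlan_for_switch(data: bytes):
    """Return the VLAN ID of the first tag carrying a complete VLAN tunnel set."""
    for _tag, t in sorted(decode_tunnel(data).items()):
        if t.get("type") == VLAN and t.get("medium") == IEEE_802 and "vlan" in t:
            return t["vlan"]
    return None  # attributes missing, wrong values, or split across tags
```

If `vlan_for_switch` returns the expected VLAN for the captured Access-Accept, the RADIUS side is sending a consistent attribute set and the remaining checks are on the switch.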