Using freeradius and 802.1x for dynamic VLAN on Cisco 2950
HOWLETT C DsicEmi
Claire.Howlett at socgen.com
Thu Oct 6 10:53:54 CEST 2005
Hi Everyone,
Dave,
Are you sure the command aaa authentication network default group radius is valid on 2950 switches? I am running Version 12.1(22)EA5, which was the last stable image in July, and "network" is not available as an aaa authentication option.
If anyone has met any success with dynamic VLAN assignment on Cisco 2950 with FreeRadius, I am interested!
Here is how my user is declared:
# users file entry: check items on the first line, reply items indented below it
Client_Arpege Auth-Type := EAP
	Service-Type = Framed-User,
	Reply-Message = "Authentification OK - Bienvenue sur le RCSG",
	# RFC 2868 tunnel attributes, all carrying tag 1 so the switch groups them
	Tunnel-Type = :1:VLAN,
	Tunnel-Medium-Type = :1:6,
	Tunnel-Private-Group-ID = :1:140
:1: is used to give the tags a value of 1; 6 is interpreted by FreeRadius as IEEE-802.
I have checked with Ethereal and the packet sent seems OK. I think the problem comes from the switch.
Here is the configuration file:
!
version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname Switch802_1x
!
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting dot1x default start-stop group radius
enable password ********
!
username admin secret 5 $1$IqQs$tJ9S4pfeDfZR42vlaFrbQ1
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
switchport access vlan 136
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 136
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 136
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 136
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/5
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/6
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/7
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/8
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/9
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/10
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/11
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 141
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0001.e6a7.09d8
spanning-tree portfast
!
interface FastEthernet0/13
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/14
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/15
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/16
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/17
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/18
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/19
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/20
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/21
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/22
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/23
switchport mode access
dot1x port-control auto
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk native vlan 136
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan136
ip address XX.XX.XX.XX 255.255.255.0
no ip route-cache
!
ip default-gateway YY.YY.YY.YY
ip http server
logging trap notifications
logging facility local6
logging ZZ.ZZ.ZZ.ZZ
radius-server host ZZ.ZZ.ZZ.ZZ auth-port 1812 acct-port 1813 key testing123
radius-server retransmit 3
!
line con 0
exec-timeout 0 0
password ********
line vty 0 4
exec-timeout 0 0
password ********
line vty 5 15
exec-timeout 0 0
password ********
!
!
end
The Client is connected to port 0/23 which is dot1x enabled. It is authenticated (interface is up and logs in Freeradius prove that it's OK) BUT interface 0/23 remains in vlan 1, whereas it should be switched to vlan 140.
Switch802_1x#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Gi0/1, Gi0/2
136  reseau_PFT-DEF                   active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
140  VLAN0140                         active
141  VLAN0141                         active    Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
If anyone can help me... I am losing hope ;-(
Claire, claire.howlett at socgen.com
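As an added example (not part of Claire's message, nor FreeRADIUS or Cisco code), the following Python script builds the RFC 2868 tunnel attributes that the users entry above makes FreeRADIUS put in the Access-Accept, then decodes them the way an 802.1X authenticator has to: the three attributes must share one tag, Tunnel-Type must be VLAN (13), Tunnel-Medium-Type must be IEEE-802 (6), and Tunnel-Private-Group-ID must be a valid VLAN number. The attribute numbers and values are RFC 2865/2868/3580 constants; the `assigned_vlan` check, the `encode_vlan_reply` helper and the mismatched sample blobs are constructed for this example, so it can be run offline to confirm what an Ethereal capture of the Access-Accept should contain.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868)
SERVICE_TYPE = 6
REPLY_MESSAGE = 18
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868: Tunnel-Medium-Type value for 802
SERVICE_TYPE_FRAMED = 2      # RFC 2865: Service-Type Framed-User


def _avp(attr_type, value):
    """Wrap a value in a RADIUS attribute TLV: type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_reply(vlan_id, tag=1, reply_message=b"Authentification OK"):
    """Build the reply attributes the users entry produces (constructed
    helper, not FreeRADIUS code): Service-Type, Reply-Message and the
    tagged Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit in 5 bits (0x00..0x1F)")

    def tagged_int(v):
        # Tagged integer attributes: 1 tag byte + 3-byte big-endian value.
        return bytes([tag]) + v.to_bytes(3, "big")

    return b"".join([
        _avp(SERVICE_TYPE, SERVICE_TYPE_FRAMED.to_bytes(4, "big")),
        _avp(REPLY_MESSAGE, reply_message),
        _avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
        _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802)),
        # Tagged string attribute: 1 tag byte + the VLAN id as ASCII digits.
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()),
    ])


def decode_attrs(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting
    truncated or zero-length attributes instead of looping on them."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def _split_tag(value):
    """RFC 2868 tag rule: the first byte is a tag only if it is 0x00..0x1F,
    otherwise it is the first byte of the data (untagged attribute)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def assigned_vlan(data):
    """Return the VLAN a switch should apply from an Access-Accept attribute
    blob, or None when no complete, consistently tagged triple is present."""
    by_tag = {}
    for attr_type, value in decode_attrs(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = _split_tag(value)
            by_tag.setdefault(tag, {})[attr_type] = payload
    for parts in by_tag.values():
        if len(parts) != 3:
            continue  # this tag does not carry all three attributes
        if int.from_bytes(parts[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(parts[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = parts[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None


if __name__ == "__main__":
    blob = encode_vlan_reply(140)
    print(blob.hex())
    for attr_type, value in decode_attrs(blob):
        print(attr_type, value)
    print("assigned VLAN:", assigned_vlan(blob))
```

Run as-is it prints the attribute bytes for VLAN 140 and the VLAN the decoder extracts; pasting the attribute bytes from a real capture into `assigned_vlan` tells you whether the Access-Accept itself is acceptable or whether, as in the thread, the remaining problem is on the switch side.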