Dynamic Vlan assigment 802.1x with cisco

Alexander Clouter alex at digriz.org.uk
Thu Apr 22 10:39:54 CEST 2010 

Guillermo Borrallo <guillebs89 at hotmail.com> wrote:
> 
> I have a problem to change vlan on a Catalyst 2950 switch using the 
> 802.1x protocol. The problem is that no changes to the vlan you 
> specified. The authentication and validation of the user is correct, 
> but does not change vlan.
>
You might want to consider reading the *Cisco* documentation...on 
the...erm...*Cisco* website rather than posting on the FreeRADIUS 
mailing list about problems you are having with your...erm...*Cisco* 
equipment?

Unsurprisingly this is where *FreeRADIUS* problems are solved...not 
$OTHER_VENDUH issues.
 
I could also argue that this information is lurking in the FreeRADIUS 
wiki:

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO#Configuration_of_the_switch

> Freeradius User Configuration:
>
> steve Cleartext-Password := "testing" Service-Type = Framed-User, 
> Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, 
> Tunnel-Private-Group-ID = 2
>
I have no idea why people keep insisting on doing this, but make 
'Tunnel-Private-Group-ID' the VLAN *name*.   You are only going to end 
up killing yourself later on if you insist on using VLAN ID's.

You should also type:
----
vlan 1
  name cheese
vlan 2
  name toast
----

Then you can use 'cheese' and 'toast' to put people into VLAN's instead; 
handy if you have to send this information across administrative 
domains.

> Switch 2950 configuration:
> aaa new-model
> aaa authentication login default local
> aaa authentication dot1x default group radius
>
*sigh*

For those who cannot be bothered to read the readily, freely, non-login 
protected available documentation[1]:
----
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
----

If that does not work, I cannot be bothered to check the rest of your 
(incomplete) config so I recommend you read the...erm...documentation.

Regards

[1] http://www.cisco.com/en/US/products/hw/switches/ps628/tsd_products_support_series_home.html
	and more specifically http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/sw8021x.html

-- 
Alexander Clouter
.sigmonster says: Do not use if foil seal is broken.

More information about the Freeradius-Users mailing list