
Regarding Dot1X dynamic VLAN assignment

August 28

Situation:

I am trying to get 802.1X working for me. I want RADIUS server to dynamically assign VLANs to ports based on RADIUS reply attribute for particular user. I have an HP E2620 switch and a FreeRADIUS server. The supplicant is a Windows 8.1 machine

I referred to this document on the FreeRADIUS website.



What I've done so far:

On FreeRADIUS I created a user with such parameters:

dot1xtest    User-Password := "secret"
             Tunnel-Type = "VLAN",
             Tunnel-Medium-Type = "IEEE-802",
             Tunnel-Private-Group-ID = "100"

I also tried Tunnel-Pvt-Group-ID instead, but it doesn't work on FreeRADIUS; it just barks at me (I saw this in resources for configuring Microsoft NPS, one of these). I also tried the values "802", 802 and 6 for Tunnel-Medium-Type.

I also tried using the actual VLAN name instead of the VLAN ID as the Group ID value; its datatype is a string anyway.

I configured the HP switch to use this RADIUS server for AAA and set this up for port 10:

aaa port-access gvrp-vlans
aaa authentication port-access eap-radius
aaa port-access authenticator 10
aaa port-access authenticator 10 auth-vid 150
aaa port-access authenticator 10 unauth-vid 200
aaa port-access authenticator active


VLANs:

VLAN 100 - VLAN which I want to get after authentication.
VLAN 150 - VLAN which I get now, because my config is not working.
VLAN 200 - Unauthorized VLAN which is used on auth. failure.


Notes:

  • Port 10 also has untagged VLAN 150 assigned to it: vlan 150 untagged 10. And I can't get rid of the static assignment.
  • All VLANs listed above are present in switch's VLAN database.
  • Whenever I plug into this port it asks me for credentials; after I succeed with authentication it just sends me to VLAN150 and if I try to fail I get to VLAN200.
  • I enabled 802.1X authentication on Windows connection just like described here.
  • I tried enabling GVRP - it doesn't change anything


Diagnostic/show command output:

Static VLAN assignment for port 10: VLAN 150 untagged.

SW # show vlans ports 10 detail

 Status and Counters - VLAN Information - for ports 10

  VLAN ID Name                             | Status     Voice Jumbo Mode
  ------- -------------------------------- + ---------- ----- ----- --------
  150     VLAN150                          | Port-based No    No    Untagged

In show logging I see this:

I 08/28/14 08:29:24 00077 ports: port 10 is now off-line
I 08/28/14 08:29:29 00435 ports: port 10 is Blocked by AAA
I 08/28/14 08:29:29 00435 ports: port 10 is Blocked by STP
I 08/28/14 08:29:29 00076 ports: port 10 is now on-line
I 08/28/14 08:29:29 00001 vlan: VLAN200 virtual LAN enabled
I 08/28/14 08:29:29 00435 ports: port 10 is Blocked by AAA
I 08/28/14 08:29:29 00002 vlan: UNUSED virtual LAN disabled
I 08/28/14 08:29:29 00435 ports: port 10 is Blocked by STP
I 08/28/14 08:29:29 00076 ports: port 10 is now on-line
I 08/28/14 08:29:29 00001 vlan: UNUSED virtual LAN enabled
I 08/28/14 08:29:47 00002 vlan: UNUSED virtual LAN disabled

show port-access authenticator output:

SW # show port-access authenticator

  Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : Yes

       Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir
  ---- ------- ------- -------- ------ --------- ----- ------ -----
  10   1/0     0       150      No     No        No    No     both

RADIUS user test:

Linux-server # radtest dot1xtest secret localhost 0 secretkey
Sending Access-Request of id 158 to 127.0.0.1 port 1812
        User-Name = "dot1xtest"
        User-Password = "secret"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=158, length=37
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = "100"

This is what I saw in tcpdump on the RADIUS server. I was capturing outgoing UDP traffic with source port 1812. It's what my switch gets (if it actually does; not sure how to check that...).

      Tunnel Type Attribute (64), length: 6, Value: Tag[Unused]#13
        0x0000:  0000 000d
      Tunnel Medium Attribute (65), length: 6, Value: Tag[Unused]802
        0x0000:  0000 0006
      Tunnel Private Group Attribute (81), length: 5, Value: 100
        0x0000:  3130 30

Debug:

debug security radius-server
debug security port-access authenticator
debug destination buffer

After that I unplugged and plugged in the cable, did show debug buffer, and here is the copy-paste of it. It's weird: nothing is said about any attributes related to VLANs.



Questions:

What am I doing wrong?

I've read in a bunch of resources that if the RADIUS assigns a VLAN ID switch uses that in the first place. Then it falls back to Authorized VLAN configured for Port-Access Authenticator if authentication succeeds. If that is not present it assigns Untagged VLAN configured on the port. Why don't I get that behavior?

I kind of start to think the attribute Tunnel-Private-Group-Id is not supported on these switches. It seems every resource refers to Tunnel-Pvt-Group-Id instead (configuring on Microsoft). Too bad I don't have Windows Server to check.

Maybe it's firmware related? I didn't try to upgrade yet; I use RA_15_06_0009.swi and there's RA_15_14_0007.swi out there already.



Update

Just tried on a 3500yl-24G-PWR model and it still doesn't work. So... I'd guess the switches just don't get the config from the RADIUS server (or did I use incorrect attributes or operators?). How can I troubleshoot that?

Answers

Alex, hello there!

I've built a test environment for you: I am using freeradius 2.1.12+dfsg-1.2 (on Debian) and an HP 2650 switch. I've just repeated your config and have no problems with it. My test ProCurve IP is 10.0.10.29, the test FreeRADIUS IP is 192.168.2.60.

procurve config:

Running configuration:

; J4899A Configuration Editor; Created on release #H.10.83

hostname "ProCurve Switch 2650"
interface 1
   no lacp
exit
interface 2
   no lacp
exit
interface 3
   no lacp
exit
interface 4
   no lacp
exit
interface 5
   no lacp
exit
interface 6
   no lacp
exit
interface 7
   no lacp
exit
interface 8
   no lacp
exit
interface 9
   no lacp
exit
interface 10
   no lacp
exit
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 11-50
   ip address dhcp-bootp
   no untagged 1-10
   exit
vlan 100
   name "success"
   untagged 1-10
   exit
vlan 200
   name "fail"
   exit
aaa authentication port-access eap-radius
radius-server host 192.168.2.60 key test
aaa port-access authenticator 1-10
aaa port-access authenticator 1 unauth-vid 200
aaa port-access authenticator 2 unauth-vid 200
aaa port-access authenticator 3 unauth-vid 200
aaa port-access authenticator 4 unauth-vid 200
aaa port-access authenticator 5 unauth-vid 200
aaa port-access authenticator 6 unauth-vid 200
aaa port-access authenticator 7 unauth-vid 200
aaa port-access authenticator 8 unauth-vid 200
aaa port-access authenticator 9 unauth-vid 200
aaa port-access authenticator 10 unauth-vid 200
aaa port-access authenticator active

/etc/freeradius/users:

<...>
testuser User-Password := test
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"
<...>

/etc/freeradius/radiusd.conf:

<...>
client switch {
        ipaddr          = 10.0.10.29
        secret          = test
        require_message_authenticator = no
        nastype     = other
}
<...>

And I've used this manual to enable 802.1X in Windows:

http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7

But I've disabled the use of the logged-in user's credentials.

So, if the user creds are correct, I have this message in /var/log/freeradius/radius.log:

tail -f /var/log/freeradius/radius.log
Fri Sep  5 12:54:14 2014 : Auth: Login OK: [testuser/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
Fri Sep  5 12:54:14 2014 : Auth: Login OK: [testuser/<via Auth-Type = EAP>] (from client switch port 1 cli b4-99-ba-5a-bb-65)

and on my switch I've got:

ProCurve Switch 2650(eth-1)# sh vlans ports 1

 Status and Counters - VLAN Information - for ports 1

  802.1Q VLAN ID Name         Status       Voice
  -------------- ------------ ------------ -----
  100            success      Port-based   No

If creds are incorrect:

Fri Sep  5 12:56:06 2014 : Auth: Login incorrect: [sasdasd/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
Fri Sep  5 12:56:06 2014 : Auth: Login incorrect: [sasdasd/<via Auth-Type = EAP>] (from client switch port 1 cli b4-99-ba-5a-bb-65)

ProCurve Switch 2650(eth-1)# sh vlans ports 1

 Status and Counters - VLAN Information - for ports 1

  802.1Q VLAN ID Name         Status       Voice
  -------------- ------------ ------------ -----
  200            fail         Port-based   No

Maybe you haven't enabled 802.1X in Windows? I hope this helps you, man.

You need to add the following command:

aaa port-access authenticator 10 auth-vid 150

This would tell the switch that port 10 will use the auth-vid assigned VLAN for authenticated devices unless it gets a different value from RADIUS. Without this, it will just use the configured port value and ignore any RADIUS provided VLAN assignments.

I did some digging and found this tidbit in one of my saved HP docs:

If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because both VLANs are untagged, and the switch allows only one untagged VLAN membership per-port. For example, suppose you configured port 4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant "A" and assigns this supplicant to VLAN 50, then the port can access VLAN 50 for the duration of the client session. When the client disconnects from the port, then the port drops these assignments and uses only the VLAN memberships for which it is statically configured.

Wow, I would never have thought of this one. It was just a random solution.

So, the problem was with the authorize section in my default site configuration at /etc/raddb/sites-enabled/default; it was kind of the default. I don't really know what's up with that (if you guys know, please comment on it); gonna do some research on that. Here it is:

eap {
    ok = return
}

I commented this out and replaced with just:

eap

I had given up hope of ever getting it working, and then I reconnected and... it happened, just randomly, and I'm so excited now! I got assigned a VLAN dynamically:

Debug:

0001:03:15:51.07 RAD  mRadiusCtr:ACCESS REQUEST id: 194 to 192.168.1.27,
   session: 56, access method: PORT-ACCESS, User-Name: dot1x,
   Calling-Station-Id: dead00-00beef, NAS-Port-Id: 10, NAS-IP-Address:
   192.168.100.17.
0001:03:15:51.10 RAD  tRadiusR:ACCESS ACCEPT id: 194 from 192.168.1.27 received.
0001:03:15:51.10 1X   m8021xCtrl:Port 10: received Success for client
   dead00-00beef, finished authentication session.
0001:03:15:51.10 1X   m8021xCtrl:Port: 10 MAC: dead00-00beef RADIUS Attributes,
   vid: 100.
0001:03:15:51.10 1X   m8021xCtrl:Port 10: starting session for client
   dead00-00beef.

SW # show port-access authenticator 10 vlan - still shows Unauthorized VLAN 200 and Authorized VLAN 150

Port Access Authenticator VLAN Configuration

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

       Access  Unauth  Auth
  Port Control VLAN ID VLAN ID
  ---- ------- ------- -------
  10   Auto    200     150

SW # show vlans ports 10 detail - And the untagged VLAN on port 10 got set to VLAN 100

 Status and Counters - VLAN Information - for ports 10

  VLAN ID Name                 | Status     Voice Jumbo Mode
  ------- -------------------- + ---------- ----- ----- --------
  100     VLAN100              | Port-based No    No    Untagged

SW # show port-access authenticator

  Port Access Authenticator Status

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No

       Auths/  Unauth  Untagged Tagged           % In  RADIUS Cntrl
  Port Guests  Clients VLAN     VLANs  Port COS  Limit ACL    Dir
  ---- ------- ------- -------- ------ --------- ----- ------ -----
  10   1/0     0       100      No     No        No    No     both

Also, if you want it to work, you have to create all required VLANs on the switch, otherwise you'll get this kind of stuff:

W 09/12/14 12:47:57 02400 dca: 8021X client, RADIUS-assigned VID validation
            error. MAC DEAD0000BEEF port 10 VLAN-Id 0 or unknown.

and Windows will just say "Authentication failed", which is kind of confusing too.

I didn't quite get it to work with unknown VLANs, in spite of the fact that GVRP was enabled, aaa port-access gvrp-vlans was set and I also explicitly set unknown-vlans learn on interface 10, but oh well... never mind.
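Added worked example (not code from this thread, from FreeRADIUS or from HP): the tcpdump in the question shows exactly how an Access-Accept carries a VLAN, as three RFC 2868 tunnel attributes (Tunnel-Type 64 = 13/VLAN, Tunnel-Medium-Type 65 = 6/IEEE-802, Tunnel-Private-Group-ID 81 = "100"), and the OP's final answer shows what the switch does when the VID it receives is 0 or not in its VLAN database. The script below encodes those attributes byte-for-byte as in the capture (note the tag byte: the two integer attributes carry a 0x00 tag and are 6 bytes long, while the string "100" has no tag byte and is 5 bytes long, because RFC 2868 treats a first byte above 0x1F as data rather than a tag), parses them back out of an attribute blob, and applies the same "VLAN must exist and must not be 0" check an authenticator applies. The set of configured VLANs is a constructed example matching the question's switch; it is an assumption, not anything read from a device.

```python
# Added example (not from the original thread): encode/decode the RFC 2868
# tunnel attributes that carry a RADIUS-assigned VLAN, and validate the VID the
# way an 802.1X authenticator does before applying it to a port.
import struct

# Attribute numbers and enumerations from RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64              # Tunnel-Type
TUNNEL_MEDIUM_TYPE = 65       # Tunnel-Medium-Type
TUNNEL_PRIVATE_GROUP_ID = 81  # Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type = IEEE-802


def encode_tagged_integer(attr_type, value, tag=0):
    """Tagged integer AVP: Type, Length=6, 1-byte Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value does not fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string AVP. With tag 0 the tag byte is omitted (as in the
    capture: "100" -> length 5); a tag of 1..31 is prepended to the text."""
    data = text.encode("ascii")
    if tag:
        if not 1 <= tag <= 0x1F:
            raise ValueError("tag must be 1..31")
        data = bytes([tag]) + data
    if len(data) + 2 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def vlan_reply_attributes(vid, tag=0):
    """The Access-Accept AVPs a RADIUS server sends to assign VLAN `vid`."""
    return (encode_tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vid), tag))


def parse_attributes(blob):
    """Split a RADIUS attribute blob into (type, value_bytes) pairs,
    failing closed on truncated or inconsistent lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, ln = blob[i], blob[i + 1]
        if ln < 2 or i + ln > len(blob):
            raise ValueError("bad attribute length")
        out.append((t, blob[i + 2:i + ln]))
        i += ln
    return out


def _split_tag(value, is_string):
    """RFC 2868 tag rule: the first byte is a tag only if it is <= 0x1F.
    For string AVPs a first byte above 0x1F is data ('1' is 0x31)."""
    if not value:
        return 0, b""
    if value[0] <= 0x1F:
        return value[0], value[1:]
    if is_string:
        return 0, value
    raise ValueError("invalid tag byte on integer attribute")


def assigned_vlan(blob, configured_vlans):
    """Return the VLAN ID an authenticator should apply, or None when the reply
    carries no usable assignment (mirrors the switch's 'RADIUS-assigned VID
    validation error ... VLAN-Id 0 or unknown': fail closed, never fall back
    to a guessed VLAN). Attributes are grouped by tag; lowest tag wins."""
    by_tag = {}
    for t, v in parse_attributes(blob):
        if t == TUNNEL_TYPE:
            tag, data = _split_tag(v, False)
            by_tag.setdefault(tag, {})["type"] = int.from_bytes(data, "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            tag, data = _split_tag(v, False)
            by_tag.setdefault(tag, {})["medium"] = int.from_bytes(data, "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, data = _split_tag(v, True)
            by_tag.setdefault(tag, {})["group"] = data.decode("ascii", "replace")
    for tag in sorted(by_tag):
        a = by_tag[tag]
        if a.get("type") != TUNNEL_TYPE_VLAN or a.get("medium") != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = a.get("group")
        if group is None or not group.isdigit():
            continue  # a VLAN *name* would need a name-to-VID lookup; not handled here
        vid = int(group)
        if vid == 0 or vid not in configured_vlans:
            return None  # the switch logs the validation error and fails the auth
        return vid
    return None


if __name__ == "__main__":
    # Constructed example: VLANs 100/150/200 exist, as on the question's switch.
    configured = {100, 150, 200}
    avps = vlan_reply_attributes(100)
    print(avps.hex())                       # 40060000000d4106000000065105313030
    print(assigned_vlan(avps, configured))  # 100
    print(assigned_vlan(vlan_reply_attributes(300), configured))  # None (unknown)
```

The hex printed for VLAN 100 is the same 17 bytes the capture shows for attributes 64, 65 and 81, and 20 bytes of RADIUS header plus these 17 give the `length=37` that radtest reported for the Access-Accept. Feeding the blob to `assigned_vlan` with a VLAN set that lacks the VID returns `None`, which is the right authenticator behaviour: an unknown or zero VID must fail the session rather than silently drop the client into the port's static VLAN.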
