Tyson,
        Thanks for looking into this! I tried the slight variation below and it 
also works. 

tunnel-type=VLAN(13)
tunnel-medium-type=ALL_802 (6)
tunnel-private-group-id=200


*Mar 18 06:41:21.155: RADIUS:  Message-Authenticato[80]  18  
*Mar 18 06:41:21.155: RADIUS:   8F 54 5E 39 55 CF A8 40 BD A0 5B A6 46 83 8E A8 
          [ t...@[f]
*Mar 18 06:41:21.155: RADIUS:  Vendor, Cisco       [26]  49  
*Mar 18 06:41:21.155: RADIUS:   Cisco AVpair       [1]   43  
"audit-session-id=0A1414040000004358FB2B3C"
*Mar 18 06:41:21.155: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar 18 06:41:21.155: RADIUS:  NAS-Port            [5]   6   50018              
       
*Mar 18 06:41:21.155: RADIUS:  NAS-Port-Id         [87]  21  
"GigabitEthernet0/18"
*Mar 18 06:41:21.155: RADIUS:  State               [24]  27  
*Mar 18 06:41:21.164: RADIUS:   45 41 50 3D 30 2E 32 30 31 2E 37 38 35 2E 31 3B 
 [EAP=0.201.785.1;]
*Mar 18 06:41:21.164: RADIUS:   53 56 43 3D 30 2E 32 31 3B         [ SVC=0.21;]
*Mar 18 06:41:21.164: RADIUS:  NAS-IP-Address      [4]   6   10.20.20.4                
*Mar 18 06:41:21.180: RADIUS: Received from id 1645/92 10.20.20.101:1812, 
Access-Accept, len 179
*Mar 18 06:41:21.180: RADIUS:  authenticator 28 9F 53 42 F0 63 EC EF - 80 CF B6 
B7 E2 E2 8D 88
*Mar 18 06:41:21.180: RADIUS:  Vendor, Cisco       [26]  28  
*Mar 18 06:41:21.180: RADIUS:   Cisco AVpair       [1]   22  
"tunnel-type=VLAN(13)"
*Mar 18 06:41:21.180: RADIUS:  Vendor, Cisco       [26]  38  
*Mar 18 06:41:21.180: RADIUS:   Cisco AVpair       [1]   32  "tunnel-medium-type=ALL_802 (6)"
*Mar 18 06:41:21.180: RADIUS:  Vendor, Cisco       [26]  35  
*Mar 18 06:41:21.180: RADIUS:   Cisco AVpair       [1]   29  
"tunnel-private-group-id=200"
*Mar 18 06:41:21.180: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255    
       
*Mar 18 06:41:21.180: RADIUS:  EAP-Message         [79]  6   
*Mar 18 06:41:21.180: RADIUS:   03 25 00 04                 [ ?]
*Mar 18 06:41:21.180: RADIUS:  Class               [25]  28  
*Mar 18 06:41:21.180: RADIUS:   43 41 43 53 3A 30 2F 33 35 35 61 36 2F 61 31 34  
[CACS:0/355a6/a14]
*Mar 18 06:41:21.180: RADIUS:   31 34 30 34 2F 35 30 30 31 38        [ 
1404/50018]
*Mar 18 06:41:21.180: RADIUS:  Message-Authenticato[80]  18  
*Mar 18 06:41:21.180: RADIUS:   F6 8F 07 1C CB B6 73 6E 6E 62 08 52 A7 23 75 2E 
         [ snnbR#u.]
*Mar 18 06:41:21.180: RADIUS(00000046): Received from id 1645/92
*Mar 18 06:41:21.180: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 18 06:41:21.180: dot1x-packet(Gi0/18): Received an EAP Success
*Mar 18 06:41:21.180: %DOT1X-5-SUCCESS: Authentication successful for client 
(0008.7492.2c0e) on Interface Gi0/18
*Mar 18 06:41:21.180: dot1x-ev(Gi0/18): Sending event (2) to Auth Mgr for 
0008.7492.2c0e

However, the pushback of the VLAN assignment for the client is not working. Can 
you check it out in your environment?

Thanks!
Dave
-----Original Message-----
From: Tyson Scott [mailto:[email protected]] 
Sent: Friday, January 29, 2010 8:47 PM
To: Mack, David A (Dave)
Cc: Stuart Hare; [email protected]
Subject: Re: [OSL | CCIE_Security] Dot1X Radius Config

Dave,

After further testing the following is what you need.

tunnel-type=VLAN (13)
tunnel-medium-type=ALL_802 (6)
tunnel-private-group-id=10


On Fri, Jan 29, 2010 at 2:50 PM, Tyson Scott <[email protected]> wrote:
> Dave,
>
> You can see that from the Debug output it says
>
> parse unknown cisco vsa "cisco-avpair".  The box that is created in
> the user account already has that attribute set.  So it is kind of like
> you are saying
>
> cisco-avpair=cisco-avpair=tunnel-type(#64)=VLAN(13)
>
> That is why it doesn't understand it.
>
> On Fri, Jan 29, 2010 at 2:46 PM, Tyson Scott <[email protected]> wrote:
>> Dave,
>>
>> You need to remove
>> cisco-avpair=
>>
>> In ACS put
>> tunnel-type(#64)=VLAN(13)
>> tunnel-medium-type(#65)=802 media(6)
>> tunnel-private-group-ID(#81)=200
>>
>> Not
>> cisco-avpair=tunnel-type(#64)=VLAN(13)
>> cisco-avpair=tunnel-medium-type(#65)=802 media(6)
>> cisco-avpair=tunnel-private-group-ID(#81)=200
>>
>> You only put cisco-avpair= when you are working with Unix based ACS.
>>
>> On Fri, Jan 29, 2010 at 2:22 PM, Mack, David A (Dave) <[email protected]> 
>> wrote:
>>> Stu,
>>>
>>>                 If by changing my client, you mean going to the Network
>>> Configuration section of the ACS and then setting the "Authenticate Using"
>>> drop down to "RADIUS (Cisco IOS/PIX 6.0)", then yes I did that. As for the
>>> switch itself, I have the basics:
>>>
>>>
>>>
>>> aaa new-model
>>>
>>> aaa authentication dot1x default group radius
>>>
>>> aaa authorization network default group radius
>>>
>>> aaa session-id common
>>>
>>> radius-server host 10.20.20.101 auth-port 1812 acct-port 1813
>>>
>>> radius-server key cisco123!
>>>
>>>
>>>
>>> In addition I have this:
>>>
>>> radius-server vsa send authentication
>>>
>>>
>>>
>>>
>>>
>>> What else is there to set?
>>>
>>>
>>>
>>> Thanks!
>>> Dave
>>>
>>> From: Stuart Hare [mailto:[email protected]]
>>> Sent: Friday, January 29, 2010 2:11 PM
>>> To: Mack, David A (Dave)
>>> Cc: [email protected]
>>> Subject: Re: [OSL | CCIE_Security] Dot1X Radius Config
>>>
>>>
>>>
>>> Dave,
>>>
>>>
>>>
>>> I'm not familiar with Yusuf's lab book, but you say it worked with IETF
>>> attributes but not with Cisco AV Pairs.
>>>
>>> When you changed to AV Pairs, did you also change the AAA Client
>>> Authentication method?
>>>
>>> For instance I take it for the IETF to work you had your AAA client cfg'd
>>> for RADIUS (IETF), did you try changing the client to RADIUS(Cisco IOS/PIX)?
>>>
>>>
>>>
>>> Stu
>>>
>>> On Fri, Jan 29, 2010 at 6:54 PM, Mack, David A (Dave) <[email protected]>
>>> wrote:
>>>
>>> Hello All!
>>>    This is a follow-on to my earlier dot1x question. Here is the
>>> situation:
>>>
>>> I have a Windows XP client connected to Cat 3650 and a configured ACS
>>> server. With the Cat configured as RADIUS IETF client in the ACS, I can
>>> authenticate the XP PC and get the VLAN pushed back to the Cat. All
>>> works fine. So now I want to try setting the Cat to be a RADIUS (Cisco
>>> IOS/PIX 6.x) client in the ACS. I would expect to have to use the
>>> configuration Yusuf shows in his book on pages 339-341. Now here is
>>> where the problem starts. First, if you look at his debug output you see
>>> that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group are pushed
>>> back from ACS as BOTH Cisco AV-PAIRs and as IETF RADIUS attributes. Why
>>> are both methods used?? I tried using just the IETF values and it
>>> works just fine. So why use the Cisco AV-PAIRS? Now if I try to add the
>>> AV-PAIRS to the ACS, entered exactly as figure 11-8, the Switch does not
>>> recognize them:
>>>
>>>
>>> *Mar 17 23:21:18.222: RADIUS:  Message-Authenticato[80]  18
>>> *Mar 17 23:21:18.222: RADIUS:   16 DF 78 4A FF DD 02 62 E2 45 CA 35 74
>>> E7 53 F5           [ xJbE5tS]
>>> *Mar 17 23:21:18.222: RADIUS:  Vendor, Cisco       [26]  49
>>> *Mar 17 23:21:18.222: RADIUS:   Cisco AVpair       [1]   43
>>> "audit-session-id=0A1414040000003F5767FE11"
>>> *Mar 17 23:21:18.222: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
>>> *Mar 17 23:21:18.222: RADIUS:  NAS-Port            [5]   6   50018
>>>
>>> *Mar 17 23:21:18.222: RADIUS:  NAS-Port-Id         [87]  21
>>> "GigabitEthernet0/18"
>>> *Mar 17 23:21:18.222: RADIUS:  State               [24]  27
>>> *Mar 17 23:21:18.222: RADIUS:   45 41 50 3D 30 2E 32 30 31 2E 34 39 37
>>> 2E 31 3B  [EAP=0.201.497.1;]
>>> *Mar 17 23:21:18.222: RADIUS:   53 56 43 3D 30 2E 31 64 3B         [
>>> SVC=0.1d;]
>>> *Mar 17 23:21:18.222: RADIUS:  NAS-IP-Address      [4]   6   10.20.20.4
>>> *Mar 17 23:21:18.247: RADIUS: Received from id 1645/84
>>> 10.20.20.101:1812, Access-Accept, len 243
>>> *Mar 17 23:21:18.247: RADIUS:  authenticator 34 14 2D BA 5D 79 93 70 -
>>> 88 91 01 F4 39 14 79 24
>>>
>>> Note that the AV-PAIRS below appear exactly as they do on page 341
>>>
>>> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  49
>>> *Mar 17 23:21:18.247: RADIUS:   Cisco AVpair       [1]   43
>>> "cisco-avpair= "tunnel-type(#64)=VLAN(13)""
>>> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  60
>>> *Mar 17 23:21:18.247: RADIUS:   Cisco AVpair       [1]   54  "cisco-avpair=
>>> "tunnel-medium-type(#65)=802 media(6)""
>>> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  56
>>> *Mar 17 23:21:18.247: RADIUS:   Cisco AVpair       [1]   50
>>> "cisco-avpair= "tunnel-private-group-ID(#81)=200""
>>> *Mar 17 23:21:18.247: RADIUS:  Framed-IP-Address   [8]   6
>>> 255.255.255.255
>>> *Mar 17 23:21:18.247: RADIUS:  EAP-Message         [79]  6
>>> *Mar 17 23:21:18.247: RADIUS:   03 21 00 04                 [ !]
>>> *Mar 17 23:21:18.247: RADIUS:  Class               [25]  28
>>> *Mar 17 23:21:18.247: RADIUS:   43 41 43 53 3A 30 2F 33 35 34 32 64 2F
>>> 61 31 34  [CACS:0/3542d/a14]
>>> *Mar 17 23:21:18.247: RADIUS:   31 34 30 34 2F 35 30 30 31 38        [
>>> 1404/50018]
>>> *Mar 17 23:21:18.247: RADIUS:  Message-Authenticato[80]  18
>>> *Mar 17 23:21:18.247: RADIUS:   31 CE 78 F1 01 A9 A8 DB EA 36 73 A2 A8
>>> C6 74 5D            [ 1x6st]]
>>> *Mar 17 23:21:18.247: RADIUS(00000042): Received from id 1645/84
>>>
>>> But, the switch does not know what do with them...
>>>
>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa
>>> "cisco-avpair" - IGNORE        <======================
>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa
>>> "cisco-avpair" - IGNORE        <======================
>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa
>>> "cisco-avpair" - IGNORE        <======================
>>> *Mar 17 23:21:18.247: RADIUS/DECODE: EAP-Message fragments, 4, total 4
>>> bytes
>>> *Mar 17 23:21:18.256: dot1x-packet(Gi0/18): Received an EAP Success
>>> *Mar 17 23:21:18.256: %DOT1X-5-SUCCESS: Authentication successful for
>>> client (0008.7492.2c0e) on Interface Gi0/18
>>> *Mar 17 23:21:18.256: dot1x-ev(Gi0/18): Sending event (2) to Auth Mgr for 0008.7492.2c0e
>>> *Mar 17 23:21:18.256: %AUTHMGR-7-RESULT: Authentication result 'success'
>>> from 'dot1x' for client (0008.7492.2c0e) on Interface Gi0/1
>>>
>>> Has anyone got this to work?? What is the "Secret Sauce"?
>>>
>>> Thanks!
>>> Dave
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Stuart Hare
>>> CCIE #25616 (Security), CCSP, Microsoft MCP
>>> Sr. Support Engineer - IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>>
>>>
>>
>>
>>
>> --
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> Telephone: +1.810.326.1444
>> Fax: +1.810.454.0130
>> Mailto:  [email protected]
>>
>> Join our free online support and peer group communities:
>> http://www.IPexpert.com/communities
>>
>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S
>> Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and
>> CCIE Storage Lab Certifications.
>>
>

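Editor's worked example (added here; not code from the thread, from ACS or from IOS). Tyson's point above is that the NAS splits each Cisco av-pair at the first "=" and looks the left side up in its table, so an ACS entry whose text itself begins with "cisco-avpair=" arrives as key "cisco-avpair" and is dropped with "parse unknown cisco vsa ... IGNORE". The debug also shows that after those three IGNORE lines the switch still logs %DOT1X-5-SUCCESS, so the host is authenticated without the intended VLAN ever being applied. The encoder/decoder below reproduces both behaviours for the three Access-Accept variants seen in the thread (IETF Tunnel-* attributes, bare av-pairs, and av-pairs prefixed with cisco-avpair=). Attribute layouts follow RFC 2865/2868 and Cisco's vendor id 9; the set of recognised av-pair keys, the lenient "VLAN(13)"-style value parsing and the three attribute lists are assumptions constructed to mirror the debug output, not the switch's real parser.

```python
"""
Added example (not from the thread, ACS or IOS): encode a dynamic-VLAN result
both as IETF Tunnel-* attributes (RFC 2868) and as Cisco av-pairs (VSA 26,
vendor 9, sub-type 1), then parse the attribute list the way a NAS would,
to show why an av-pair whose text starts with "cisco-avpair=" is ignored.
"""
import re
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
TUNNEL_TYPE_VLAN, MEDIUM_ALL_802 = 13, 6
# av-pair keys this toy parser accepts for VLAN assignment: an assumption that
# mirrors the three pairs in the working Access-Accept, not IOS's full table.
KNOWN_AVPAIR_KEYS = {"tunnel-type", "tunnel-medium-type", "tunnel-private-group-id"}


def avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def ietf_vlan_attrs(vlan, tag=1):
    """Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID, each led by a tag octet."""
    def t3(n):                      # 3-octet integer that follows the tag (RFC 2868)
        return struct.pack("!I", n)[1:]
    return (avp(TUNNEL_TYPE, bytes([tag]) + t3(TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + t3(MEDIUM_ALL_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()))


def cisco_avpair(pair):
    """Vendor-Specific(26): Vendor-Id(4) + sub-attribute [type=1][len][text]."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(pair) + 2) + pair.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def iter_attrs(blob):
    """Walk a Type/Length/Value list, refusing truncated or zero-length entries."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        yield blob[i], blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]


def parse_accept(attrs):
    """Return (authorization dict, debug lines) for an Access-Accept attribute list."""
    auth, debug = {}, []
    for t, v in iter_attrs(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):      # tag octet, then 3-octet integer
            name = "tunnel-type" if t == TUNNEL_TYPE else "tunnel-medium-type"
            auth[name] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:              # tag octet, then string
            auth["tunnel-private-group-id"] = v[1:].decode()
        elif t == VENDOR_SPECIFIC:
            if int.from_bytes(v[:4], "big") != CISCO_VENDOR_ID:
                debug.append("unknown vendor - IGNORE")
                continue
            for sub_t, sub_v in iter_attrs(v[4:]):
                if sub_t != CISCO_AVPAIR:
                    continue
                # the NAS splits at the first "=", so a leading "cisco-avpair=" becomes the key
                key, _, val = sub_v.decode().partition("=")
                key = key.strip().lower()
                if key not in KNOWN_AVPAIR_KEYS:
                    debug.append('parse unknown cisco vsa "%s" - IGNORE' % key)
                    continue
                auth[key] = val.strip()
    return auth, debug


def _num(v):
    """Accept 13, "13" or "VLAN(13)" for the numeric tunnel fields (assumed leniency)."""
    if v is None or isinstance(v, int):
        return v
    m = re.search(r"\((\d+)\)\s*$", v)
    return int(m.group(1)) if m else (int(v) if v.strip().isdigit() else None)


def assigned_vlan(auth):
    """The VLAN is applied only when all three attributes arrived and agree; else None."""
    if (_num(auth.get("tunnel-type")) == TUNNEL_TYPE_VLAN
            and _num(auth.get("tunnel-medium-type")) == MEDIUM_ALL_802
            and auth.get("tunnel-private-group-id")):
        return auth["tunnel-private-group-id"]
    return None


# Constructed Access-Accept bodies mirroring the three variants in the thread.
IETF_ACCEPT = ietf_vlan_attrs("200")
AVPAIR_ACCEPT = (cisco_avpair("tunnel-type=VLAN(13)")
                 + cisco_avpair("tunnel-medium-type=ALL_802 (6)")
                 + cisco_avpair("tunnel-private-group-id=200"))
PREFIXED_ACCEPT = (cisco_avpair('cisco-avpair= "tunnel-type(#64)=VLAN(13)"')
                   + cisco_avpair('cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"')
                   + cisco_avpair('cisco-avpair= "tunnel-private-group-ID(#81)=200"'))

if __name__ == "__main__":
    for name, body in (("ietf", IETF_ACCEPT), ("avpair", AVPAIR_ACCEPT), ("prefixed", PREFIXED_ACCEPT)):
        auth, debug = parse_accept(body)
        print("%-9s vlan=%s" % (name, assigned_vlan(auth)))
        for line in debug:
            print("   ", line)
```

The first two bodies both resolve to VLAN 200; the third yields three IGNORE lines and no VLAN, which is exactly the state the debug above shows just before the switch nevertheless reports authentication success. When verifying a lab or production setup, treat an IGNORE in debug radius as an authorization failure even though dot1x reports success.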