David,

I am not sure what you mean by pushback. When I checked, it did assign
the VLAN to the port.

Cat3#show dot1x int f0/15 det | begin Cl
Dot1x Authenticator Client List
-------------------------------
Domain                    = DATA
Supplicant                = 000c.2996.0fac
    Auth SM State         = AUTHENTICATED
    Auth BEND SM State    = IDLE
Port Status               = AUTHORIZED
ReAuthPeriod              = 3600
ReAuthAction              = Reauthenticate
TimeToNextReauth          = 944
Authentication Method     = Dot1x
Authorized By             = Authentication Server
Vlan Policy               = 10

Cat3#


On Fri, Jan 29, 2010 at 11:16 PM, Mack, David A (Dave)
<[email protected]> wrote:
> Tyson,
> Thanks for looking into this! I tried the slight variation below and
> it also works.
>
> tunnel-type=VLAN(13)
> tunnel-medium-type=ALL_802 (6)
> tunnel-private-group-id=200
>
>
> *Mar 18 06:41:21.155: RADIUS:  Message-Authenticato[80]  18
> *Mar 18 06:41:21.155: RADIUS:   8F 54 5E 39 55 CF A8 40 BD A0 5B A6 46 83 8E 
> A8           [ t...@[f]
> *Mar 18 06:41:21.155: RADIUS:  Vendor, Cisco       [26]  49
> *Mar 18 06:41:21.155: RADIUS:   Cisco AVpair       [1]   43  
> "audit-session-id=0A1414040000004358FB2B3C"
> *Mar 18 06:41:21.155: RADIUS:  NAS-Port
> SEC-CAT4(config-if)#-Type       [61]  6   Ethernet                  [15]
> *Mar 18 06:41:21.155: RADIUS:  NAS-Port            [5]   6   50018
> *Mar 18 06:41:21.155: RADIUS:  NAS-Port-Id         [87]  21  
> "GigabitEthernet0/18"
> *Mar 18 06:41:21.155: RADIUS:  State               [24]  27
> *Mar 18 06:41:21.164: RADIUS:   45 41 50 3D 30 2E 32 30 31 2E 37 38 35 2E 31 
> 3B  [EAP=0.201.785.1;]
> *Mar 18 06:41:21.164: RADIUS:   53 56 43 3D 30 2E 32 31 3B         [ 
> SVC=0.21;]
> *Mar 18 06:41:21.164: RADIUS:  NAS-IP-A
> SEC-CAT4(config-if)#ddress      [4]   6   10.20.20.4
> *Mar 18 06:41:21.180: RADIUS: Received from id 1645/92 10.20.20.101:1812, 
> Access-Accept, len 179
> *Mar 18 06:41:21.180: RADIUS:  authenticator 28 9F 53 42 F0 63 EC EF - 80 CF 
> B6 B7 E2 E2 8D 88
> *Mar 18 06:41:21.180: RADIUS:  Vendor, Cisco       [26]  28
> *Mar 18 06:41:21.180: RADIUS:   Cisco AVpair       [1]   22  
> "tunnel-type=VLAN(13)"
> *Mar 18 06:41:21.180: RADIUS:  Vendor, Cisco       [26]  38
> *Mar 18 06:41:21.180: RADIUS:   Cisco AVpair       [1]
> SEC-CAT4(config-if)# 32  "tunnel-medium-type=ALL_802 (6)"
> *Mar 18 06:41:21.180: RADIUS:  Vendor, Cisco       [26]  35
> *Mar 18 06:41:21.180: RADIUS:   Cisco AVpair       [1]   29  
> "tunnel-private-group-id=200"
> *Mar 18 06:41:21.180: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
> *Mar 18 06:41:21.180: RADIUS:  EAP-Message         [79]  6
> *Mar 18 06:41:21.180: RADIUS:   03 25 00 04                 [ ?]
> *Mar 18 06:41:21.180: RADIUS:  Class               [25]  28
> *Mar 18 06:41:21.180: RADIUS:   43 4
> SEC-CAT4(config-if)#1 43 53 3A 30 2F 33 35 35 61 36 2F 61 31 34  
> [CACS:0/355a6/a14]
> *Mar 18 06:41:21.180: RADIUS:   31 34 30 34 2F 35 30 30 31 38        [ 
> 1404/50018]
> *Mar 18 06:41:21.180: RADIUS:  Message-Authenticato[80]  18
> *Mar 18 06:41:21.180: RADIUS:   F6 8F 07 1C CB B6 73 6E 6E 62 08 52 A7 23 75 
> 2E          [ snnbR#u.]
> *Mar 18 06:41:21.180: RADIUS(00000046): Received from id 1645/92
> *Mar 18 06:41:21.180: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
> *Mar 18 06:41:21.180: dot1x-packet(Gi0/18): Received
> SEC-CAT4(config-if)#an EAP Success
> *Mar 18 06:41:21.180: %DOT1X-5-SUCCESS: Authentication successful for client 
> (0008.7492.2c0e) on Interface Gi0/18
> *Mar 18 06:41:21.180: dot1x-ev(Gi0/18): Sending event (2) to Auth Mgr for 
> 0008.7492.2c0e
>
> However, the pushback of the vlan assignment for the client is not working. 
> Can you check it out in your environment?
>
> Thanks!
> Dave
> -----Original Message-----
> From: Tyson Scott [mailto:[email protected]]
> Sent: Friday, January 29, 2010 8:47 PM
> To: Mack, David A (Dave)
> Cc: Stuart Hare; [email protected]
> Subject: Re: [OSL | CCIE_Security] Dot1X Radius Config
>
> Dave,
>
> After further testing the following is what you need.
>
> tunnel-type=VLAN (13)
> tunnel-medium-type=ALL_802 (6)
> tunnel-private-group-id=10
>
>
> On Fri, Jan 29, 2010 at 2:50 PM, Tyson Scott <[email protected]> wrote:
>> Dave,
>>
>> You can see that from the Debug output it says
>>
>> parse unknown cisco vsa "cisco-avpair".  The box that is created in
>> the user account already has that attribute set.  So it is kind of like
>> you are saying
>>
>> cisco-avpair=cisco-avpair=tunnel-type(#64)=VLAN(13)
>>
>> That is why it doesn't understand it.
>>
>> On Fri, Jan 29, 2010 at 2:46 PM, Tyson Scott <[email protected]> wrote:
>>> Dave,
>>>
>>> You need to remove
>>> cisco-avpair=
>>>
>>> In ACS put
>>> tunnel-type(#64)=VLAN(13)
>>> tunnel-medium-type(#65)=802 media(6)
>>> tunnel-private-group-ID(#81)=200
>>>
>>> Not
>>> cisco-avpair=tunnel-type(#64)=VLAN(13)
>>> cisco-avpair=tunnel-medium-type(#65)=802 media(6)
>>> cisco-avpair=tunnel-private-group-ID(#81)=200
>>>
>>> You only put cisco-avpair= when you are working with Unix based ACS.
>>>
>>> On Fri, Jan 29, 2010 at 2:22 PM, Mack, David A (Dave) <[email protected]> 
>>> wrote:
>>>> Stu,
>>>>
>>>> If by changing my client, you mean going to the Network
>>>> Configuration section of the ACS and then setting the "Authenticate Using"
>>>> drop down to "RADIUS (Cisco IOS/PIX 6.0)", then yes I did that. As for the
>>>> switch itself, I have the basics:
>>>>
>>>> aaa new-model
>>>> aaa authentication dot1x default group radius
>>>> aaa authorization network default group radius
>>>> aaa session-id common
>>>> radius-server host 10.20.20.101 auth-port 1812 acct-port 1813
>>>> radius-server key cisco123!
>>>>
>>>> In addition I have this:
>>>>
>>>> radius-server vsa send authentication
>>>>
>>>> What else is there to set?
>>>>
>>>>
>>>>
>>>> Thanks!
>>>> Dave
>>>>
>>>> From: Stuart Hare [mailto:[email protected]]
>>>> Sent: Friday, January 29, 2010 2:11 PM
>>>> To: Mack, David A (Dave)
>>>> Cc: [email protected]
>>>> Subject: Re: [OSL | CCIE_Security] Dot1X Radius Config
>>>>
>>>>
>>>>
>>>> Dave,
>>>>
>>>>
>>>>
>>>> I'm not familiar with Yusuf's lab book, but you say it worked with IETF
>>>> attributes but not with Cisco AV Pairs.
>>>>
>>>> When you changed to AV Pairs, did you also change the AAA Client
>>>> Authentication method?
>>>>
>>>> For instance, I take it that for the IETF to work you had your AAA client
>>>> cfg'd for RADIUS (IETF); did you try changing the client to RADIUS (Cisco
>>>> IOS/PIX)?
>>>>
>>>>
>>>>
>>>> Stu
>>>>
>>>> On Fri, Jan 29, 2010 at 6:54 PM, Mack, David A (Dave) <[email protected]>
>>>> wrote:
>>>>
>>>> Hello All!
>>>>    This is a follow-on to my earlier dot1x question. Here is the
>>>> situation:
>>>>
>>>> I have a Windows XP client connected to Cat 3650 and a configured ACS
>>>> server. With the Cat configured as a RADIUS IETF client in the ACS, I can
>>>> authenticate the XP PC and get the VLAN pushed back to the Cat. All
>>>> works fine. So now I want to try setting the Cat to be a RADIUS (Cisco
>>>> IOS/PIX 6.x) client in the ACS. I would expect to have to use the
>>>> configuration Yusuf shows in his book on pages 339-341. Now here is
>>>> where the problem starts. First, if you look at his debug output you see
>>>> that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group are pushed
>>>> back from ACS as BOTH Cisco AV-PAIRs and as IETF RADIUS attributes. Why
>>>> are both methods used?? I tried using just the IETF values and it
>>>> works just fine. So why use the Cisco AV-PAIRS? Now if I try to add the
>>>> AV-PAIRS to the ACS, entered exactly as figure 11-8, the Switch does not
>>>> recognize them:
>>>>
>>>>
>>>> *Mar 17 23:21:18.222: RADIUS:  Message-Authenticato[80]  18
>>>> *Mar 17 23:21:18.222: RADIUS:   16 DF 78 4A FF DD 02 62 E2 45 CA 35 74
>>>> E7 53 F5           [ xJbE5tS]
>>>> *Mar 17 23:21:18.222: RADIUS:  Vendor, Cisco       [26]  49
>>>> *Mar 17 23:21:18.222: RADIUS:   Cisco AVpair       [1]   43
>>>> "audit-session-id=0A1414040000003F5767FE11"
>>>> *Mar 17 23:21:18.222: RADIUS:  NAS-Port
>>>> SEC-CAT4(config-if)#-Type       [61]  6   Ethernet                  [15]
>>>> *Mar 17 23:21:18.222: RADIUS:  NAS-Port            [5]   6   50018
>>>>
>>>> *Mar 17 23:21:18.222: RADIUS:  NAS-Port-Id         [87]  21
>>>> "GigabitEthernet0/18"
>>>> *Mar 17 23:21:18.222: RADIUS:  State               [24]  27
>>>> *Mar 17 23:21:18.222: RADIUS:   45 41 50 3D 30 2E 32 30 31 2E 34 39 37
>>>> 2E 31 3B  [EAP=0.201.497.1;]
>>>> *Mar 17 23:21:18.222: RADIUS:   53 56 43 3D 30 2E 31 64 3B         [
>>>> SVC=0.1d;]
>>>> *Mar 17 23:21:18.222: RADIUS:  NAS-IP-A
>>>> SEC-CAT4(config-if)#ddress      [4]   6   10.20.20.4
>>>> *Mar 17 23:21:18.247: RADIUS: Received from id 1645/84
>>>> 10.20.20.101:1812, Access-Accept, len 243
>>>> *Mar 17 23:21:18.247: RADIUS:  authenticator 34 14 2D BA 5D 79 93 70 -
>>>> 88 91 01 F4 39 14 79 24
>>>>
>>>> Note that the AV-PAIRS below appear exactly as they do on page 341
>>>>
>>>> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  49
>>>> *Mar 17 23:21:18.247: RADIUS:   Cisco AVpair       [1]   43
>>>> "cisco-avpair= "tunnel-type(#64)=VLAN(13)""
>>>> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  60
>>>> *Mar 17 23:21:18.247: RADIUS:   Cis
>>>> SEC-CAT4(config-if)#co AVpair       [1]   54  "cisco-avpair=
>>>> "tunnel-medium-type(#65)=802 media(6)""
>>>> *Mar 17 23:21:18.247: RADIUS:  Vendor, Cisco       [26]  56
>>>> *Mar 17 23:21:18.247: RADIUS:   Cisco AVpair       [1]   50
>>>> "cisco-avpair= "tunnel-private-group-ID(#81)=200""
>>>> *Mar 17 23:21:18.247: RADIUS:  Framed-IP-Address   [8]   6
>>>> 255.255.255.255
>>>> *Mar 17 23:21:18.247: RADIUS:  EAP-Message         [79]  6
>>>> *Mar 17 23:21:18.247: RADIUS:   03 21 00 04                 [ !]
>>>> *Mar 17 23:21:18.247: RADIUS:  Clas
>>>> SEC-CAT4(config-if)#s               [25]  28
>>>> *Mar 17 23:21:18.247: RADIUS:   43 41 43 53 3A 30 2F 33 35 34 32 64 2F
>>>> 61 31 34  [CACS:0/3542d/a14]
>>>> *Mar 17 23:21:18.247: RADIUS:   31 34 30 34 2F 35 30 30 31 38        [
>>>> 1404/50018]
>>>> *Mar 17 23:21:18.247: RADIUS:  Message-Authenticato[80]  18
>>>> *Mar 17 23:21:18.247: RADIUS:   31 CE 78 F1 01 A9 A8 DB EA 36 73 A2 A8
>>>> C6 74 5D            [ 1x6st]]
>>>> *Mar 17 23:21:18.247: RADIUS(00000042): Received from id 1645/84
>>>>
>>>> But, the switch does not know what to do with them...
>>>>
>>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa "cisco
>>>> <======================
>>>> SEC-CAT4(config-if)#-avpair" - IGNORE
>>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa
>>>> "cisco-avpair" - IGNORE        <======================
>>>> *Mar 17 23:21:18.247: RADIUS/DECODE: parse unknown cisco vsa
>>>> "cisco-avpair" - IGNORE        <======================
>>>> *Mar 17 23:21:18.247: RADIUS/DECODE: EAP-Message fragments, 4, total 4
>>>> bytes
>>>> *Mar 17 23:21:18.256: dot1x-packet(Gi0/18): Received an EAP Success
>>>> *Mar 17 23:21:18.256: %DOT1X-5-SUCCESS: Authentication successful for
>>>> client (0008.7492.2c0e) on Interface Gi0/18
>>>> *Mar 17 23:21:18.256: dot1x-ev(Gi0/18): Sending event (2)
>>>> SEC-CAT4(config-if)#to Auth Mgr for 0008.7492.2c0e
>>>> *Mar 17 23:21:18.256: %AUTHMGR-7-RESULT: Authentication result 'success'
>>>> from 'dot1x' for client (0008.7492.2c0e) on Interface Gi0/1
>>>>
>>>> Has anyone got this to work?? What is the "Secret Sauce"?
>>>>
>>>> Thanks!
>>>> Dave
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please
>>>> visit www.ipexpert.com
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Stuart Hare
>>>> CCIE #25616 (Security), CCSP, Microsoft MCP
>>>> Sr. Support Engineer - IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Tyson Scott - CCIE #13513 R&S and Security
>>> Technical Instructor - IPexpert, Inc.
>>>
>>> Telephone: +1.810.326.1444
>>> Fax: +1.810.454.0130
>>> Mailto:  [email protected]
>>>
>>> Join our free online support and peer group communities:
>>> http://www.IPexpert.com/communities
>>>
>>> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
>>> Demand and Audio Certification Training Tools for the Cisco CCIE R&S
>>> Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and
>>> CCIE Storage Lab Certifications.
>>>
>>
>>
>>
>>
>
>
>
>



-- 
Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto:  [email protected]

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
Demand and Audio Certification Training Tools for the Cisco CCIE R&S
Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and
CCIE Storage Lab Certifications.

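The thread comes down to two ways of putting the same VLAN assignment into an Access-Accept: the IETF tunnel attributes (64/65/81) that worked from the start, and the Cisco "cisco-avpair" VSA that only worked once the extra "cisco-avpair=" prefix was dropped from the ACS entry. The following is an added example, not code from this thread, from Cisco or from ACS. It encodes both forms byte-for-byte (attribute numbers from RFC 2865, RFC 2868 and Cisco vendor id 9), decodes them back, and then runs an assumed, simplified model of the switch-side check: the AV-pair key is the text before the first "=", and keys the NAS does not know are logged and ignored, which is exactly the "parse unknown cisco vsa "cisco-avpair" - IGNORE" behaviour in the debug. The set of known keys and the `assigned_vlan()` logic are assumptions for illustration, not IOS code; the three sample attribute sets are constructed here to mirror the thread's three cases.

```python
import re
import struct

# RFC 2865 / RFC 2868 / Cisco numbers used below
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_CISCO = 9
CISCO_AVPAIR = 1            # vendor-type of the cisco-avpair string VSA
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
# AV-pair keys the modelled NAS understands for VLAN assignment (assumption)
KNOWN_AVPAIR_KEYS = {"tunnel-type", "tunnel-medium-type",
                     "tunnel-private-group-id"}

def tlv(attr_type, value):
    """One RFC 2865 attribute: Type (1) | Length (1, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def ietf_vlan_attributes(vlan, tag=0):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID.
    RFC 2868 puts a one-byte tag first; 0 means 'untagged' for 64 and 65."""
    t = bytes([tag])
    return (tlv(ATTR_TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + tlv(ATTR_TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + tlv(ATTR_TUNNEL_PRIVATE_GROUP_ID, t + str(vlan).encode()))

def cisco_avpair(text):
    """Vendor-Specific(26): Vendor-Id(4) | vendor-type | vendor-length | string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return tlv(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)

def decode(payload):
    """Split an attribute blob into (type, value) pairs; a VSA becomes
    (26, (vendor_id, vendor_type, vendor_value))."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attr_type, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + length]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append((attr_type, (vendor, vtype, value[6:4 + vlen])))
        else:
            attrs.append((attr_type, value))
        i += length
    return attrs

_PAREN = re.compile(r"\((\d+)\)")

def _num(text):
    # 'VLAN(13)', 'ALL_802 (6)' or '13' -> the number
    m = _PAREN.search(text)
    return int(m.group(1)) if m else int(text.strip())

def assigned_vlan(attrs, log):
    """VLAN the modelled NAS would apply, or None. Unknown AV-pair keys are
    appended to `log` in the form the thread's debug output shows."""
    ietf, av = {}, {}
    for attr_type, value in attrs:
        if attr_type == ATTR_VENDOR_SPECIFIC:
            vendor, vtype, vvalue = value
            if vendor != VENDOR_CISCO or vtype != CISCO_AVPAIR:
                continue
            # Key is everything before the first '='; an ACS entry typed as
            # 'cisco-avpair=tunnel-type=...' therefore has key 'cisco-avpair'.
            key, _, val = vvalue.decode().partition("=")
            key = key.strip().lower()
            if key not in KNOWN_AVPAIR_KEYS:
                log.append(f'RADIUS/DECODE: parse unknown cisco vsa "{key}" - IGNORE')
                continue
            av[key] = val.strip()
        elif attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            ietf[attr_type] = int.from_bytes(value[1:4], "big")   # skip the tag
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first byte is a tag only if it is <= 0x1F
            ietf[attr_type] = (value[1:] if value[0] <= 0x1F else value).decode()
    if (ietf.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and ietf.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
            and ATTR_TUNNEL_PRIVATE_GROUP_ID in ietf):
        return int(ietf[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    if ("tunnel-private-group-id" in av
            and _num(av.get("tunnel-type", "0")) == TUNNEL_TYPE_VLAN
            and _num(av.get("tunnel-medium-type", "0")) == TUNNEL_MEDIUM_802):
        return int(av["tunnel-private-group-id"])
    return None

# Constructed Access-Accept attribute sets mirroring the thread's three cases.
IETF_ONLY = ietf_vlan_attributes(10)
AVPAIR_OK = (cisco_avpair("tunnel-type=VLAN(13)")
             + cisco_avpair("tunnel-medium-type=ALL_802 (6)")
             + cisco_avpair("tunnel-private-group-id=200"))
AVPAIR_DOUBLED = (cisco_avpair('cisco-avpair= "tunnel-type(#64)=VLAN(13)"')
                  + cisco_avpair('cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"')
                  + cisco_avpair('cisco-avpair= "tunnel-private-group-ID(#81)=200"'))

if __name__ == "__main__":
    for name, blob in (("ietf", IETF_ONLY), ("avpair", AVPAIR_OK), ("doubled", AVPAIR_DOUBLED)):
        log = []
        print(name, "->", assigned_vlan(decode(blob), log), log)
```

A useful side check: the encoder reproduces the lengths in the working debug above (`Vendor, Cisco [26] 28 / Cisco AVpair [1] 22` for `tunnel-type=VLAN(13)`, and `[26] 35 / [1] 29` for `tunnel-private-group-id=200`), so the raw bytes on the wire were fine in both of Dave's attempts; the only difference was the key the switch read before the first "=".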