RADIUS-assigned VLAN on Catalyst 2960G
I have a few 2960G switches that I acquired recently, and I'm trying to get them to authenticate against a RADIUS server that I run. The authentication process works fine, but if the RADIUS server sends attributes tagging which VLAN to use, the port remains a member of the VLAN it was given (with "switchport access vlan ..."). I can set the VLAN manually, but what I really want is for the RADIUS server to send the VLAN attributes depending on which user name or machine authenticates.
Looking through the documentation I don't see anything that mentions it expressly, so I'm afraid I bought the wrong model. Does anyone know?
I found this reference to RADIUS/VLAN assignment in the documentation here. Have you seen/tried this reference (page 31 of the doc)?
Tags: Cisco Support
Similar Questions
-
Assignment of VLANS on catalyst express 520
Hello
I need to configure a Catalyst Express 520-8PC switch. Could it be that it is not possible to assign a VLAN other than '1' to the access ports of this switch? I hope it is possible and I just haven't found this option yet. If this is the case, can you please reference some white paper or guide (or simply explain how and where it should be done)?
I tried both the web front-end and CCA/NAC (unfortunately it doesn't have full CLI support) and didn't find it anywhere in the configuration.
Regards
Nico Schmidt
Hello
According to the data sheet, the 500 series supports up to 32 VLANs.
Here is the link on how to add/remove a VLAN:
HTH
-
ISE 1.4 - dynamic VLAN assignment based on originating NAD
Hi all
I have had ISE implemented for a couple of weeks now, with VLANs being assigned via various different authorization profiles.
The problem I have now: I have a set of devices around the world that I want to put on a VLAN, but the VLAN is different at each site. Is there a way to create a rule, for example, if it is a 'projector' and it originates from 'switch-1' set VLAN 10, but if it comes from 'switch-2' set VLAN 200?
Is this possible? I would have thought this had come up before, but my research found nothing...
Cheers in advance!
This is normally done by using the VLAN name in your authorization profile instead of the VLAN id, and then making sure that your 'projector' VLAN has the same name on all switches. The switch then looks in its local VLAN database to match the name to the local VLAN id.
-
WebVPN/RADIUS - assign to group - Concentrator 3005
Configuring a Cisco Concentrator 3005 client using IPSEC on a PC, authenticating via RADIUS with placement into a group, is a breeze - as long as I don't configure an individual user - and I won't.
But I'm banging my head trying to configure WebVPN to authenticate via RADIUS and assign the user to a group. The user always ends up in the base group by default. I want to find a way to put the user in a group.
Has anyone dealt with this before?
THX.
Robert
Robert,
First of all, you must make sure that the RADIUS server is the first authentication method configured on the VPN3000: WebVPN reads the list of authentication servers from top to bottom and the first on the list is chosen. Second, to assign the user to a group you must set the Class attribute value on your RADIUS server; this value must be equal to the WebVPN group you want to assign the user to.
-
ACS 5.2 assign VLAN based on AD group
I am trying to configure ACS 5.2 to assign a VLAN to a user dynamically based on the group the user belongs to. I went to:
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
and selected the name of the group. If I understand correctly, I should now see this group under:
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
However, it isn't there. Am I missing something?
No.
'VLAN ID/Name' is, as the name clearly states, a VLAN id or name. Not a "group name".
You don't assign a group name to the VLAN.
The group name must go in the 'if' condition of your authorization policy: if "AD usergroup = x" then assign this VLAN.
Then in the VLAN id/name you type manually which VLAN corresponds to that AD group.
If you would end up creating too many rules because you have a lot of AD groups, what you can do is create an AD attribute to store the VLAN number/name, and ACS will simply return that.
Nicolas
-
How to restrict Internet access using a RADIUS server via a Catalyst 3560 switch
Dear all,
I need a configuration for the following. I have a small network of 15 users on a 3560, which is in turn connected to an ISR 2811 router. On interface FastEthernet 0/24 of the 3560 I intend to connect a Unix-based RADIUS server. The ISP is connected on the other side of the 2811, on the fa0/0 interface.
What I want is that if someone among the 15 users tries to access the internet, they must be validated by the RADIUS server with their pre-configured user credentials (I'm going to store the 15 user credentials there). If someone else tries to connect (other than those 15) he or she should be denied internet access.
The RADIUS server will have a login page to type the user name and password.
Please guide me on what commands I should put into the 3560, or what specifically I need to have in place to accomplish this.
Thanks in advance!
Samrat.
I have only done this a very long time ago, but what you probably want to do is enable web authentication.
-
Hello
Thank you and thank you in advance if you can help with this simple configuration
SG300 in layer 3 mode: how do you make 2 VLANs see each other?
In my lab at home:
Default VLAN1 (GE1: access mode) 192.168.2.254
Static VLAN10 (GE24: access mode) 192.168.10.1
Shared port GE25: trunk mode, directly connected to my router's interface 192.168.2.1
VLAN1 can communicate with the outside world and the internet, for example with a different subnet: 192.168.1.0
VLAN10 is not visible from the outside or from VLAN1
How can I allow traffic from VLAN10 through the shared port GE25 to the outside world?
The router config says VLAN10 is directly connected to 192.168.2.1, but I can't ping. I wonder why?
Regards
Minh
--------------------------------------------------
SG300#show vlan
Created by: D-default, S-Static, G-GVRP, R-radius assigned VLAN
Vlan       Name                   Ports                Created by
---- ----------------- --------------------------- ----------------
 1           1          gi1-23,gi25-28,Po1-8           D
 10        VLAN10              gi24                     S
SG300#show ip route
Maximum parallel paths: 1 (1 after reset)
IP routing: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/1] via 192.168.2.1, 36:24:22, vlan 1
C 192.168.2.0/24 is directly connected, vlan 1
S 192.168.10.0/24 [1/1] via 192.168.2.1, 27:23:12, vlan 1
It was necessary to set the default gateway on the switch to 192.168.2.1
-Tom
Please mark helpful messages -
Dynamic VLAN assignment using the WC7520 controller
Hello
I have been using a few WNDAP360 APs for a while and am considering adding a WC7520 controller.
However, I would like to use dynamic VLAN assignment with a RADIUS server.
While this is possible with the 360 in stand-alone mode, it is not clear to me whether this can be done using the WC7520 controller.
The (obsolete?) reference manual doesn't say a word about this topic...
Is there someone who can share experiences with the 7520 and this type of configuration?
Hello
Thanks for your help!
After reading the articles you suggested, I was still unable to find a definitive answer, so I asked pre-sales support and quickly received the following response from Tech Support level 2:
There was a feature request asking to implement it, but it looks like it will not be implemented for the WC7520. There is also a feature request for the WC7600 which looks more promising, but it is still not possible currently and is not guaranteed to be implemented.
In short: no, it is not possible, it will not be on the WC7520, and it could become so on the WC7600.
Too bad, and it makes the WC7520 much less interesting for me, but at least it was clarified quickly.
-
WAP4410N dynamic 802.1X VLAN assignment?
Hello
Does the WAP4410N support dynamic VLAN assignment through 802.1X authentication?
The reason I raise this point: I am able to configure an SSID on a WAP4410N with WPA2-Enterprise, in combination with 802.1X PEAP network authentication. I can correctly connect Windows, Windows RT, Windows Phone, iOS and Android devices. But... I am unable to assign a different VLAN based on the NPS policies. For example, I want mobile devices such as iPhone and Windows Phone to be assigned to a specific VLAN. The wireless access point (authenticator) must be able to support this.
This is my setup:
Supplicants: Windows 8 / iPad...
Authenticator: WAP4410N
Authentication server: Microsoft NPS (Network Policy Server)
I use 802.1X PEAP (Protected EAP) with password authentication (domain user). So the supplicants connect with 802.1X to the authenticator. The authenticator communicates with the RADIUS authentication server. NAP is not in between. It's just 802.1X authentication.
Any suggestions, or do you know whether dynamic VLAN assignment is supported?
Hi Boudewijn, AFAIK DVA is not supported on this unit. The SSID is manually configured with the PVID and there is no option in the 802.1X settings to enable DVA.
-Tom
Please rate helpful messages -
SG300: Can't assign VLAN with 802.1X + freeradius
We recently got an SG300-10 and are trying to get dynamic VLAN assignment working via 802.1X and freeradius. We got it to the point where the client connected to the SG300 authenticates correctly, i.e. I see this in "show dot1x users":
MAC Auth Auth Session VLAN
Port Username Address Method Server Time
-------- ---------------- ----------------- ------ ------ -------------- ----
gi7 testuser 58:55:ca:24:19:d4 802.1X Remote 00:04:39
However, the client does not seem to be on the correct VLAN at all, or on any VLAN. If I change the port from "dot1x radius-attributes vlan static" to "dot1x radius-attributes vlan" then the client can't auth at all (which is expected, because it cannot retrieve the VLAN information).
The freeradius users file looks like this:
testuser Cleartext-Password := "testpassword"
##Tunnel-Tag = 0,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN,
Tunnel-Private-Group-Id = "104"
There is also this line in the eap.conf file:
copy_request_to_tunnel = yes
Running config:
net055#show running-config
config-file-header
net055
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
default-vlan vlan 3333
exit
vlan database
vlan 1,100,104,111
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname net055
line console
exec-timeout 30
exit
line ssh
exec-timeout 0
exit
encrypted radius-server host 172.16.200.57 key #REMOVED priority 10 usage dot1.x
radius-server host source-interface vlan 100
management access-list mlist2
permit ip-source 172.16.202.0 mask 255.255.255.0
permit ip-source 172.16.200.0 mask 255.255.255.0
exit
management access-class mlist2
logging buffered debugging
aaa authentication enable default enable none
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted #REMOVED
no service password-recovery
no passwords complexity enable
passwords aging 0
username #REMOVED password encrypted #REMOVED privilege 15
username #REMOVED password encrypted #REMOVED privilege 15
ip ssh server
ip ssh password-auth
ip http timeout-policy 1800 https-only
no ip http server
tacacs-server timeout 10
clock timezone " " 0 minutes 0
clock source sntp
!
interface vlan 100
ip address 172.16.200.21 255.255.255.0
no ip address dhcp
!
interface vlan 104
name gen-0-Gnv-204.0
!
interface vlan 111
name guest-0-Gnv-10-66-61.0
dot1x guest-vlan
!
interface gigabitethernet1
switchport trunk allowed vlan add 100,104,111
!
interface gigabitethernet7
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 104 untagged
no macro auto smartport
!
exit
ip default-gateway 172.16.200.1
It looks like there was a similar question here, but it seems to have never been resolved:
https://supportforums.Cisco.com/message/3336810#3336810
Hi all
I'm working with Colin and this ended up being a RADIUS problem, in the eap.conf file, for peap (auth phase 1).
We need to enable copy_request_to_tunnel AND use_tunneled_reply:
peap {
    # The tunneled EAP session needs a default
    # EAP type which is separate from the one for
    # the non-tunneled EAP module. Inside of the
    # PEAP tunnel, we recommend using MS-CHAPv2,
    # as that is the default type supported by
    # Windows clients.
    default_eap_type = mschapv2

    # The PEAP module also has these configuration
    # items, which are the same as for TTLS.
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
}
After that we could see the VLAN id for the user in the test responses, appearing once per response.
See you soon!
-
802.1X with VLAN assignment
Hello
I'm trying to set up 802.1X with VLAN assignment. I have successfully gotten the authentication working, but the VLAN assignment is not applied. I tried this on a CE500 and a WS2950-12, encountering the same problem on both.
If I "debug dot1x all" I get a few messages "dot1x-ev: received VLAN Id -1", and if I capture packets on my RADIUS server I see that the correct attribute pairs are sent. Nothing in the release notes says that 802.1X with dynamic VLAN will not work.
Attribute Value Pairs
AVP: l=6  t=Framed-Protocol(7): PPP(1)
AVP: l=6  t=Service-Type(6): Framed-User(2)
AVP: l=6  t=Tunnel-Medium-Type(65): Unknown(16777222)
AVP: l=5  t=Tunnel-Private-Group-Id(81) Tag=0x01: 20
AVP: l=6  t=Tunnel-Type(64): Unknown(16777229)
AVP: l=6  t=EAP-Message(79) Last Segment[1]
AVP: l = 46 t = Class (25): 53F9068C00000137000102000A011E630000000000000000...
AVP: l = 14 t = Vendor-Specific (26) v = Microsoft (311)
AVP: l = 51 t = Vendor-Specific (26) v = Microsoft (311)
AVP: l = 58 t = Vendor-Specific (26) v = Microsoft (311)
AVP: l = 58 t = Vendor-Specific (26) v = Microsoft (311)
AVP: l = 18 t = Message-Authenticator (80): 33B53112C51B15C40BFBDCE687F4C9C4
Please check that all 3 of these attributes are set correctly on the RADIUS server:
AVP: l=6  t=Tunnel-Medium-Type(65): Unknown(16777222)
AVP: l=5  t=Tunnel-Private-Group-Id(81) Tag=0x01: 20
AVP: l=6  t=Tunnel-Type(64): Unknown(16777229)
It seems that only the Tunnel-Private-Group-Id is defined, not the other two.
Cf. http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
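As an added example (not code from either thread), here is a small Python decoder for the three RFC 2868 tunnel attributes that carry a dynamic VLAN, the same ones the freeradius users file in the SG300 thread returns (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id). The sample byte string is constructed to match the AVPs in the capture above; it shows where Wireshark's "Unknown (16777222)" and "Unknown (16777229)" come from: the high byte of each tagged integer is the tag 0x01, so the values are really IEEE-802 (6) and VLAN (13) with group id "20", and it flags a reply whose three attributes are missing, carry different tags, or are not VLAN/IEEE-802.

```python
import struct

# RADIUS attribute types from RFC 2868 (tunnel attributes reused for VLAN assignment)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value meaning "IEEE-802"

def split_tagged_int(raw):
    """Tagged 4-byte integer: the high byte is the tag (0x01-0x1F, 0x00 = untagged),
    the low 3 bytes are the value. A decoder that treats all 4 bytes as the value
    shows 0x01000006 as the 'unknown' number 16777222."""
    return raw >> 24, raw & 0xFFFFFF

def split_tagged_string(data):
    """Tagged string: a leading byte in 0x01-0x1F is the tag; anything larger is
    the first character of the string itself (so an ASCII VLAN id like "20" is safe)."""
    if data and 1 <= data[0] <= 0x1F:
        return data[0], data[1:].decode("ascii")
    return 0, data.decode("ascii")

def parse_avps(attrs):
    """Walk a RADIUS attribute list (Type, Length, Value), returning (type, value bytes)."""
    out, pos = [], 0
    while pos < len(attrs):
        t, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed AVP at offset %d" % pos)
        out.append((t, attrs[pos + 2:pos + length]))
        pos += length
    return out

def vlan_assignment(attrs):
    """Return (vlan, reason): the VLAN a switch should apply from the three tunnel
    attributes, or None plus why the reply does not qualify."""
    found = {}
    for t, v in parse_avps(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            found[t] = split_tagged_int(struct.unpack("!I", v)[0])
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            found[t] = split_tagged_string(v)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    missing = [a for a in needed if a not in found]
    if missing:
        return None, "missing attribute(s) %s" % missing
    if len({found[a][0] for a in needed}) != 1:
        return None, "tags differ, attributes do not belong to one group"
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_802:
        return None, "Tunnel-Type/Tunnel-Medium-Type are not VLAN/IEEE-802"
    return found[TUNNEL_PRIVATE_GROUP_ID][1], "ok"

# Constructed sample: the three attributes from the capture above, tag 1, group id "20".
SAMPLE_ACCEPT = (bytes([TUNNEL_MEDIUM_TYPE, 6]) + struct.pack("!I", 0x01000006)
                 + bytes([TUNNEL_PRIVATE_GROUP_ID, 5, 0x01]) + b"20"
                 + bytes([TUNNEL_TYPE, 6]) + struct.pack("!I", 0x0100000D))

if __name__ == "__main__":
    print(vlan_assignment(SAMPLE_ACCEPT))   # ('20', 'ok')
```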
-
Cisco ACS, multiple CAs, VLAN assignment based on the domain
Hi all
I searched for a solution to a specific customer requirement.
I want to authenticate wireless users with certificates from different root CAs and assign them to a VLAN based on their domain. Ideally using the same SSID and a Cisco ACS server.
Is this possible? Has anyone seen it working?
I realize that ACS can trust the relevant root CAs (don't know what version is needed for this?). And that VLAN assignment on a single SSID based on RADIUS attributes is also possible. But I am not sure these parts would fit together?
Would appreciate some advice!
Thanks in advance
Rob
Hello
Yes, this is possible. I suggest that you implement it one piece at a time to make sure that everything works, but there is no problem doing so. All recent versions of ACS allow this.
You can do group mapping from AD groups (a group for each domain, if you want to) and assign the VLAN based on that group mapping.
ACS can trust several certification authorities and authenticate users with certificates from all of them. It's just a matter of importing these CA certificates into the trust list.
And you can assign the VLAN and use only one SSID as well.
I can't guide you on the procedure as it depends on which version you have and whether you have IOS APs or a WLC, but basically each function is separate as in the config guide, and you just use them all together.
Nicolas
===
Remember to rate responses that you find helpful
-
ISE - VLAN assignment on WLC 7.2
Good evening
The Wireless_Employees authorization profile assigns VLAN 666 to wireless employees.
ISE is passing VLAN 666 to the WLC - see attachment Radius Auth - VLAN666.jpg
When I look on the WLC at a wireless employee who has successfully connected to the network, the WLC always places him in the preset VLAN 7.
1. Can a VLAN be pushed from ISE to the WLC (code 7.2.103) for the specific user session?
2. If so, any suggestions why it does not work for me?
Thank you.
Cath.
Cath,
Here's a guide that will help with dynamic assignment of VLANs on a WLC.
Thank you
Tarik Admani
* Please rate helpful messages *. -
Assigning VLAN membership to a port in the SMB GUI
Hello
I am having difficulties assigning VLANs to a port in the Small Business GUI.
As you can see below, I created VLAN 124.
Then I want to assign VLANs to a trunk on port 36, but I am not given the choice.
Can someone explain how to allow certain VLANs on a trunk? How can I get the VLAN to appear in the "select VLAN" box?
Thank you
Conor-
Hello
This seems to be a browser problem or a firmware issue, or both.
From the screenshots, you should have VLANs populating the "join VLANs" menu.
Try using IE with compatibility view enabled and see if it works.
Also, check your firmware, here's a link to the download page:
https://software.Cisco.com/download/release.html?mdfid=283771828&SOFTWAR...
If you are not on the latest version, go and update, and don't forget that if you are not running bootcode 1.3.5 then you will need to upgrade the boot code as well.
Please let us know if this helped.
-
ISE dynamic voice VLAN assignment using MAB
Hi all
I just configured ISE and the switch for authentication of my phones on the voice VLAN and of my users. The issue I'm having is dynamic voice VLAN assignment for my VTC units.
Authentication and authorization work well with ISE and I am able to assign the user VLAN, but I have problems with the voice VLAN.
Any help would be appreciated!
Thank you!
Alex,
You cannot set up several voice VLANs, only one. What are you trying to achieve?
Do not push any VLAN id in the authorization rule. Pushing the "class = voice" attribute will assign VLAN 210 (the voice VLAN).
Only the data VLAN should be assigned dynamically.
Hope that helps
Kind regards
~ JG
Rate helpful messages