Dynamic vlan assignment possible via AD?
Hi all,
just two short questions:
1. Is dynamic VLAN assignment possible with the 6450 switches? Our distribution switches are 6900.
2. If yes, which kind? Only MAC authentication, or what I would need more: Active Directory?
Thanks and regards
Re: Dynamic vlan assignment possible via AD?
Yes, it is possible with authentication (MAC or 802.1x). You need NPS on a Microsoft server. The best way is to send back the attribute Filter-Id depending on the AD group (e.g. Filter-Id = teamA for group teamA). Create UNPs on your switches with the same name as the Filter-Id (e.g. teamA) and activate Access Guardian on the ports (for authentication). In the UNP you have to map the VLAN. Please look into the network guide for more information.
regards
Silvio
Re: Dynamic vlan assignment possible via AD?
Hello
Can you give me an example from one of your ports?
I have been struggling for a couple of days now.
Thank you
Re: Dynamic vlan assignment possible via AD?
Here is an example for your access switch (R6):
Code:
aaa radius-server RAD-1 host 172.30.30.150 key alcatel
aaa authentication 802.1x RAD-1
vlan port mobile 1/1
vlan port 1/1 802.1x enable
aaa user-network-profile name "UNP-Voice" vlan 30
aaa user-network-profile name "UNP-Data" vlan 31
Important is that your RADIUS server (NPS) sends back the attribute Filter-Id with the same name as the UNP (case sensitive). In my example UNP-Voice or UNP-Data.
If you would like to use the RADIUS server also for MAC authentication, then you need these lines:
Code:
aaa authentication mac RAD-1
802.1x 1/1 non-supplicant policy authentication pass block fail block
The same here: the received attribute Filter-Id has to be the same as the configured UNP.
In the AD (or other database) all the MAC addresses have to be added, with the MAC address as user name AND the MAC address as password (in capital letters, without any colons or dashes).
You can test the connection between switch and RADIUS server with the following command:
Code:
-> aaa test-radius-server RAD-1 type authentication user 00809F567D04 password 00809F567D04
Testing Radius Server <172.30.30.150/RAD-1>
Access-Challenge from 172.30.30.150 Port 1812 Time: 74 ms
Returned Attributes
Filter-ID = UNP-Voice
Reply from 172.30.30.150 port 1812 req_num<0>: timeout
Access-Reject from 172.30.30.150 Port 1812 Time: 9 ms
Code:
-> aaa test-radius-server RAD-1 type authentication user User1 password xxxx
Testing Radius Server <172.30.30.150/RAD-1>
Access-Challenge from 172.30.30.150 Port 1812 Time: 74 ms
Returned Attributes
Filter-ID = UNP-Data
Reply from 172.30.30.150 port 1812 req_num<0>: timeout
Access-Reject from 172.30.30.150 Port 1812 Time: 9 ms
regards
Silvio
Re: Dynamic vlan assignment possible via AD?
Hello,
I still can't get it to work.
My configuration is the same as your example.
Here is the configuration on the switch:
Code:
aaa radius-server "NPS" host 10.2.250.78 key 7dab343c8bc9a861206b3812c1b76289 retransmit 3 timeout 2 auth-p
aaa user-network-profile name "Budget" vlan 4 hic disable
aaa user-network-profile name "IT" vlan 5 hic disable
aaa user-network-profile name "Pravni" vlan 2 hic disable
aaa user-network-profile name "kabinet" vlan 3 hic disable
! PARTM :
! 802.1x :
802.1x 1/3 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/3 captive-portal session-limit 12 retry-count 3
802.1x 1/3 supp-polling retry 2
802.1x 1/3 captive-portal inactivity-logout disable
802.1x 1/3 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/3 non-supplicant policy block
802.1x 1/3 captive-portal policy authentication pass default-vlan fail block
But when I test the connectivity of the RADIUS server it returns the following:
Code:
-> aaa test-radius-server NPS type authentication user kabinettest password Password123
Testing Radius Server <10.2.250.78/NPS>
Access-Reject from 10.2.250.78 Port 1812 Time: 7 ms
Returned Attributes
The user kabinettest is a user in AD and it is a member of the kabinet group.
This is the network policy configuration on the NPS server for the user kabinettest:
(Attached screenshots not available.)
Any suggestions would be very helpful.
Thank you
Re: Dynamic vlan assignment possible via AD?
Two pictures are not visible here.
An Access-Reject with no returned attributes hints at an error in the NPS config, e.g. a wrong PSK, a wrong CRP, or no clear-text methods allowed in NPS.
Using the debug logs points you to which policy is used (but the NPS log is kind of bad, as e.g. a wrong PSK is shown as "user rejected", not as "RADIUS client uses wrong key").
Re: Dynamic vlan assignment possible via AD?
Maybe your shared key to the RADIUS server is too long. Please make your test with a simple key.
I have seen limitations on the Microsoft side...
Also, as devnull is writing, for the test command PAP is necessary. You can check the reason for the issue in the diagnostics on the server.
regards
Silvio
Re: Dynamic vlan assignment possible via AD?
Hello,
After upgrading the AOS to 6.7.2 and performing a clean configuration on the switch, I finally got the switch to communicate with the RADIUS server.
It returns different attributes for different groups. That's just for testing purposes.
Code:
-> aaa test-radius-server NPS type authentication user budgettest password Password123 method pap
Testing Radius Server <10.2.250.78/NPS>
Access-Accept from 10.2.250.78 Port 1812 Time: 13 ms
Returned Attributes
Filter-ID = Budget
Framed Protocol = PPP
Service Type = framed
Tunnel-Medium-Type = IEEE 802
Tunnel Private Group Id = 4
Tunnel-Type = VLAN
Unsupported Vendor Specific Id
Unsupported Vendor Specific Id
Unsupported Vendor Specific Id
-> aaa test-radius-server NPS type authentication user kabinettest password Password123 method pap
Testing Radius Server <10.2.250.78/NPS>
Access-Accept from 10.2.250.78 Port 1812 Time: 6 ms
Returned Attributes
Filter-ID = kabinet
Framed Protocol = PPP
Service Type = framed
Tunnel Private Group Id = 3
Tunnel-Type = VLAN
Unsupported Vendor Specific Id
Unsupported Vendor Specific Id
Unsupported Vendor Specific Id
-> aaa test-radius-server NPS type authentication user pravnitest password Password123 method pap
Testing Radius Server <10.2.250.78/NPS>
Access-Accept from 10.2.250.78 Port 1812 Time: 15 ms
Returned Attributes
Filter-ID = Pravni
Framed Protocol = PPP
Service Type = framed
Tunnel Private Group Id = 2
Tunnel-Type = VLAN
Unsupported Vendor Specific Id
Unsupported Vendor Specific Id
Unsupported Vendor Specific Id
-> aaa test-radius-server NPS type authentication user slobodan.janevski password Password123 method pap
Testing Radius Server <10.2.250.78/NPS>
Access-Accept from 10.2.250.78 Port 1812 Time: 8 ms
Returned Attributes
Filter-ID = IT
Unsupported Vendor Specific Id
Unsupported Vendor Specific Id
Unsupported Vendor Specific Id
But I still can't get an IP address on a client PC.
Now I get the following logs on the NPS server:
Negotiation failed. Requested EAP methods not available (Event 1006) and
Negotiation failed. No available EAP methods (Event 1004).
These are the different settings for each policy on the NPS server:
(Attached screenshots not available.)
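As an added example (not code from this thread, from Alcatel-Lucent or from Microsoft) of what is going on behind Silvio's `aaa test-radius-server ... method pap` command, behind devnull's remark that a wrong PSK shows up as a rejected user in NPS, and behind the Filter-Id / Tunnel-* attributes in the output above: a stdlib-only Python model of the PAP round trip. The NPS side is a toy in-process stand-in, and the UNP table, the user entries and the secrets are constructed assumptions, as is the `BadCase` entry whose Filter-Id differs from the UNP only in letter case.

```python
"""RADIUS PAP round trip, modelled on the switch's `aaa test-radius-server ... method pap`.
Added example for this thread (not code from the forum, Alcatel-Lucent or Microsoft).
Assumed/constructed: an in-process toy NPS stand-in, the UNP table and the user entries;
stdlib only, nothing touches the network."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TAGGED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

UNP_VLANS = {"UNP-Voice": 30, "UNP-Data": 31}      # UNPs on the switch (names are case sensitive)
NPS_USERS = {                                       # constructed AD/NPS entries
    "00809F567D04": {"password": "00809F567D04", "filter_id": "UNP-Voice", "vlan": 30},
    "User1": {"password": "xxxx", "filter_id": "UNP-Data", "vlan": 31},
    "BadCase": {"password": "x", "filter_id": "unp-data", "vlan": 31},   # wrong case on purpose
}

def mac_credential(mac):
    """MAC-auth user name and password: upper case, no colons or dashes."""
    return "".join(c for c in mac.upper() if c not in ":-.")

def pap_xor(data, secret, req_auth, hide):
    """RFC 2865 5.2 User-Password hiding (hide=True) or its inverse: each 16-byte block is
    XORed with MD5(secret + previous *hidden* block), seeded with the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        prev = out[-16:] if hide else data[i:i + 16]
    return out

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        n = data[i + 1] if i + 1 < len(data) else 0
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + n]))
        i += n
    return attrs

def response_authenticator(code, ident, req_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_access_request(user, password, secret, ident=0):
    """What the switch sends for the PAP test: User-Name plus the hidden User-Password."""
    req_auth, pw = os.urandom(16), password.encode()
    pw = pw.ljust(16 * max(1, (len(pw) + 15) // 16), b"\x00")     # pad to a multiple of 16
    body = encode_attrs([(USER_NAME, user.encode()), (USER_PASSWORD, pap_xor(pw, secret, req_auth, True))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def nps_reply(request, secret):
    """Toy NPS: check the PAP password, answer with the network policy's attributes."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    entry = NPS_USERS.get(attrs[USER_NAME].decode())
    pw = pap_xor(attrs[USER_PASSWORD], secret, req_auth, False).rstrip(b"\x00")
    if entry is None or pw != entry["password"].encode():
        code, reply = ACCESS_REJECT, []          # a wrong switch key also ends up here
    else:
        code, reply = ACCESS_ACCEPT, [
            (FILTER_ID, entry["filter_id"].encode()),
            (TUNNEL_TYPE, b"\x00" + struct.pack("!I", 13)[1:]),         # tag 0, 13 = VLAN
            (TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", 6)[1:]),   # tag 0, 6 = IEEE-802
            (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(entry["vlan"]).encode())]
    body = encode_attrs(reply)
    return (struct.pack("!BBH", code, ident, 20 + len(body))
            + response_authenticator(code, ident, req_auth, body, secret) + body)

def parse_reply(reply, request, secret):
    """Switch side: verify the Response Authenticator, then map Filter-Id to a UNP and VLAN."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    body = reply[20:length]
    if ident != request[1] or reply[4:20] != response_authenticator(code, ident, request[4:20], body, secret):
        # A RADIUS client silently drops this packet, so the CLI shows a timeout, even
        # though NPS has already logged the attempt as a rejected user.
        return {"result": "timeout (Response Authenticator mismatch: wrong shared secret?)"}
    out = {"result": "Access-Accept" if code == ACCESS_ACCEPT else "Access-Reject", "attributes": {}}
    for t, v in decode_attrs(body):
        if t in TAGGED and v and v[0] <= 0x1F:       # RFC 2868: a leading byte <= 0x1F is a tag
            v = v[1:]
        out["attributes"][t] = int.from_bytes(v, "big") if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) else v.decode()
    filt = out["attributes"].get(FILTER_ID)
    out["unp"] = filt if filt in UNP_VLANS else None     # exact, case-sensitive match only
    out["vlan"] = UNP_VLANS.get(filt)
    return out

def run_test(user, password, switch_secret, nps_secret=b"alcatel"):
    """One test round trip; give the two sides different secrets to model a mistyped key."""
    req = build_access_request(user, password, switch_secret)
    return parse_reply(nps_reply(req, nps_secret), req, switch_secret)

if __name__ == "__main__":
    print(run_test(mac_credential("00:80:9f:56:7d:04"), "00809F567D04", b"alcatel"))
    print(run_test("User1", "xxxx", b"wrong"))
```

Running `run_test` with different secrets on the two sides reproduces the failure mode devnull describes: NPS cannot unhide the PAP password, logs a rejected user and sends an Access-Reject, but the switch cannot verify the Response Authenticator of that reply, drops it and reports a timeout rather than the reject. The `BadCase` entry shows the other common trap: an Access-Accept comes back with a Filter-Id, yet it maps to no UNP because the name differs from the switch configuration in letter case.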
Re: Dynamic vlan assignment possible via AD?
In the Constraints tab I use different settings for testing purposes.
Sorry about the double picture. Something is going on with my PC.