I'm facing a problem with 802.1x/Radius (Windows Server 2008) and Vlan assignment on OS6860.
After searching and searching about Access Guardian 2.0, I do a 802.1x config with success.
I uses UNP, with templates etc, and if 802.1x auth success I map on a user-vlan, if it fails I map on a guest vlan. All of it works well, the authentication pass successful and if not the port go on the Guest Vlan (20)
But now I have to send Vlan depending on the user on the AD. i.e for user1 port go on Vlan 1 and for user2 port go on Vlan 10.
I enabled mobile-tag on my switch UNP-template, send the good parameters from Radius server in the NPS (Tunnel-Medium-Type, Tunnel-Type and Tunnel-Pvt-Group-ID) but the port never change the Vlan. I'm always on default-Vlan and the unpUntag Vlan Guest.
If I capture packets on my server, I see the 802.1x authentication, success, but no DHCP request because if I do a show vlan members port 1/1/x I don't see the good Vlan.
Here is my config, it may be useful for people like me who search things about Access Guardian 2.0
Someone can help me ? I don't know where is the mistake. Thanks in advance
vlan 10 name "Data-Lyon"
vlan 20 name "Guests"
vlan 67 name "Voix-Lyon"
vlan 99 name "Default"
ip interface "Collabo-Lyon" address 172.31.11.14 mask 255.255.255.0 vlan 1 ifindex 1
ip interface "Data-Lyon" address 172.31.1.14 mask 255.255.255.0 vlan 10 ifindex 4
aaa radius-server "rad1" host 172.31.1.11 key Alcatel
aaa device-authentication 802.1x "rad1"
aaa accounting 802.1x "rad1"
aaa 802.1x re-authentication enable
aaa 802.1x re-authentication trust-radius enable
aaa radius nas-identifier user-string "swslib"
aaa profile "aaaprof1"
aaa profile "aaaprof1" device-authentication 802.1x "rad1"
aaa profile "aaaprof1" accounting 802.1x "rad1"
aaa profile "aaaprof1" 802.1x re-authentication enable
aaa profile "aaaprof1" 802.1x re-authentication trust-radius enable
aaa profile "aaaprof1" radius nas-identifier user-string "swslib"
ip helper per-vlan-only
ip helper vlan 1 address 172.31.1.11
ip helper vlan 10 address 172.31.1.11
qos trust-ports
policy condition SoftPhonesDSCP dscp 46
policy condition VlanVoix source vlan 67
policy action PrioMax priority 7 dscp 46
policy rule PrioSoftPhones condition SoftPhonesDSCP action PrioMax
policy rule PrioVlanVoix condition VlanVoix action PrioMax
policy list PolicyList1 type unp
policy list PolicyList1 rules PrioSoftPhones PrioVlanVoix
qos port 1/1/1-48 trusted
qos apply
unp edge-profile Employee
unp edge-profile Employee qos-policy-list PolicyList1
unp edge-profile Employee mobile-tag enable
unp edge-profile Guests
unp edge-profile Voix
unp edge-profile Voix qos-policy-list PolicyList1
unp vlan-mapping edge-profile Guests vlan 20
unp vlan-mapping edge-profile Voix vlan 67
unp auth-server-down edge-profile Guests
unp edge-template Template1
unp edge-template Template1 802.1x-authentication enable
unp edge-template Template1 classification enable
unp edge-template Template1 aaa-profile aaaprof1
unp port 1/1/1-48 port-type edge
unp port 1/1/1-48 edge-template Template1
unp classification mac-address-range 00:80:9f:00:00:00 00:80:9f:ff:ff:ff edge-profile Voix
unp classification authentication-type 802.1x edge-profile Employee
unp classification authentication-type 802.1x fail edge-profile Guests
unp user-role EmployeeRole
unp user-role EmployeeRole policy-list PolicyList1
unp user-role EmployeeRole edge-profile Employee
unp user-role EmployeeRole authentication-type 802.1x
unp user-role GuestRole
unp user-role GuestRole edge-profile Guests
unp user-role GuestRole authentication-type 802.1x Fail
unp user-role VoiceRole
unp user-role VoiceRole policy-list PolicyList1
unp user-role VoiceRole edge-profile Voix
