04-12-2012 03:02 AM
I'm trying to get dynamic VLANs working between Juniper EX switches and ClearPass; everything seems to work except for the VLAN assignment.
I get this on the Juniper log:
Apr 12 11:24:11.229779 Received invalid tunnel type 16777229 from authentication server
while on the ClearPass I certainly have type 13 (VLAN) configured for tunnel type (64).
04-12-2012 08:36 AM
After doing a packet capture it seems the issue lies with the Juniper; the correct info is sent by the ClearPass.
Tunnel-Private-Group-Id(81) the vlan name (or id, i tried both)
and two things the ClearPass adds:
Termination-Action RADIUS-Request (1)
Does anyone have dynamic VLANs working with the ClearPass? Especially with different vendor switches? Cisco, Juniper, ....?
04-13-2012 01:47 AM
Tried to troubleshoot this with Juniper support, but nothing wrong seemed to be found.
Tried with Microsoft IAS instead of ClearPass and then it works ...
Checked the packet captures and it seems they are identical except that IAS sends the data with RADIUS tag 0x00 and ClearPass does it with tag 0x01.
AVP: l=6 t=Tunnel-Type(64) Tag=0x00: VLAN(13)
AVP: l=6 t=Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6)
AVP: l=4 t=Tunnel-Private-Group-Id(81): 21
AVP: l=6 t=Tunnel-Type(64) Tag=0x01: VLAN(13)
AVP: l=6 t=Tunnel-Medium-Type(65) Tag=0x01: IEEE-802(6)
AVP: l=5 t=Tunnel-Private-Group-Id(81) Tag=0x01: 20
Anyone know if I can get the ClearPass to use tag 0x00?
04-13-2012 08:04 AM
By default ClearPass sets the value of tag to 0x1 as indicated by the packet capture. The steps to send tag 0x0 from ClearPass are:
1) Navigate to Administration » Dictionaries » RADIUS screen.
2) Search for Avenda RADIUS dictionary and click on the entry. In the RADIUS Attributes popup, click on Enable to enable the dictionary.
3) Edit the enforcement profile and add the attribute
Radius:Avenda Avenda-Tag-Id 0
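
Added example, not part of the original thread: a small Python decoder for the three tunnel attributes, following the RFC 2868 layout (one tag octet, then a three-octet value for Tunnel-Type and Tunnel-Medium-Type). It shows that reading the ClearPass Tunnel-Type value as a plain 32-bit integer gives exactly the 16777229 in the Juniper log. That the switch decodes it this way is an inference from the logged number, not something stated in the thread; the function names and the byte strings are constructed for illustration.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def decode_tagged_int(value):
    """RFC 2868 integer attribute: 1-octet tag followed by a 3-octet value."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must carry 4 octets")
    return value[0], int.from_bytes(value[1:], "big")

def decode_untagged_int(value):
    """Naive decode that treats all 4 octets as one 32-bit integer."""
    return struct.unpack("!I", value)[0]

def decode_tagged_string(value):
    """RFC 2868 string attribute: the first octet is a tag only if <= 0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return None, value.decode("ascii")

def parse_avps(data):
    """Walk type/length/value attributes; length includes the 2-octet header."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((atype, *decode_tagged_int(value)))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            out.append((atype, *decode_tagged_string(value)))
        i += alen
    return out

# Constructed attribute bytes matching the two captures quoted in the thread.
IAS = bytes.fromhex("40060000000d" "410600000006" "51043231")
CLEARPASS = bytes.fromhex("40060100000d" "410601000006" "5105013230")

if __name__ == "__main__":
    for name, blob in (("IAS", IAS), ("ClearPass", CLEARPASS)):
        naive = decode_untagged_int(blob[2:6])  # Tunnel-Type value octets
        print(name, parse_avps(blob), "naive Tunnel-Type:", naive)
```

With tag 0x00 the naive and the tag-aware readings agree on 13, which is consistent with the IAS response being accepted.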