MVP
Posts: 1,412
Registered: ‎11-30-2011

ClearPass juniper dynamic VLAN

I'm trying to get dynamic VLANs working between Juniper EX switches and ClearPass; everything seems to work except for the VLAN assignment.

 

I get this on the Juniper log:

Apr 12 11:24:11.229779 Received invalid tunnel type 16777229 from authentication server

 

while on the ClearPass I certainly have type 13 (VLAN) configured for tunnel type (64).

 

 

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: ClearPass juniper dynamic VLAN

After doing a packet capture, it seems the issue lies with the Juniper; the correct info is sent by the ClearPass.

 

Tunnel-Type(64)                         VLAN(13)

Tunnel-Medium-Type(65)         IEEE-802(6)

Tunnel-Private-Group-Id(81)    the VLAN name (or ID, I tried both)

 

And two things the ClearPass adds:

 

Session-Timeout       10800
Termination-Action     RADIUS-Request (1)

 

Does anyone have dynamic VLANs working with the ClearPass? Especially with different vendor switches? Cisco, Juniper, ...?

 

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: ClearPass juniper dynamic VLAN

Tried to troubleshoot this with Juniper support, but nothing wrong seemed to be found.

 

Tried with Microsoft IAS instead of ClearPass and then it works ...

 

Checked the packet captures and it seems they are identical except that IAS sends the data with RADIUS tag 0x00 and ClearPass does it with tag 0x01.

 

[IAS]

AVP: l=6  t=Tunnel-Type(64) Tag=0x00: VLAN(13)

AVP: l=6  t=Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6)

AVP: l=4  t=Tunnel-Private-Group-Id(81): 21

 

[ClearPass]

AVP: l=6  t=Tunnel-Type(64) Tag=0x01: VLAN(13)

AVP: l=6  t=Tunnel-Medium-Type(65) Tag=0x01: IEEE-802(6)

AVP: l=5  t=Tunnel-Private-Group-Id(81) Tag=0x01: 20

 

Anyone know if I can get the ClearPass to use tag 0x00?

Occasional Contributor I
Posts: 5
Registered: ‎11-17-2011

Re: ClearPass juniper dynamic VLAN

By default ClearPass sets the value of tag to 0x1 as indicated by the packet capture. The steps to send tag 0x0 from ClearPass are:

 

1) Navigate to Administration » Dictionaries » RADIUS screen.

 

2) Search for Avenda RADIUS dictionary and click on the entry. In the RADIUS Attributes popup, click on Enable to enable the dictionary.

 

3) Edit the enforcement profile and add the attribute

 

      Radius:Avenda       Avenda-Tag-Id               0

 

 

 

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: ClearPass juniper dynamic VLAN

Thank you very much (and also Aruba support); this does indeed do the trick and the Juniper EX switch accepts this.

 

A very flexible product, ClearPass.
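Where the logged value 16777229 comes from, as an added example that is not part of the original thread: RFC 2868 splits the four value octets of Tunnel-Type and Tunnel-Medium-Type into one tag octet and three value octets, and 16777229 is 0x0100000D, that is tag 0x01 followed by VLAN(13). The attribute bytes below are constructed from the AVP lines quoted in the posts, and `naive_u32` models an assumed reading of the field as a single 32-bit integer (inferred from the log value, not confirmed by Juniper).

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(buf):
    """Split a run of RADIUS attributes into (type, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("truncated or malformed attribute")
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def decode_rfc2868(atype, value):
    """Return (tag, decoded value) following the RFC 2868 tag rules."""
    if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("expected 1 tag octet + 3 value octets")
        return value[0], int.from_bytes(value[1:], "big")
    if atype == TUNNEL_PRIVATE_GROUP_ID:
        # The first octet is a tag only in 0x01..0x1F; otherwise it is string data
        if value and 0x01 <= value[0] <= 0x1F:
            return value[0], value[1:].decode("ascii")
        return 0, value.decode("ascii")
    raise ValueError("not a tunnel attribute handled here")

def naive_u32(value):
    """Assumed faulty reading: all four octets as one integer, tag included."""
    return int.from_bytes(value, "big")

# Constructed from the AVP lines quoted in the thread (not raw capture bytes)
CLEARPASS = (attr(64, b"\x01\x00\x00\x0d") + attr(65, b"\x01\x00\x00\x06")
             + attr(81, b"\x0120"))
IAS = (attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")
       + attr(81, b"21"))

def report(buf):
    """Per attribute: (type, tag, RFC 2868 value, naive integer or None)."""
    rows = []
    for atype, value in parse_attrs(buf):
        naive = naive_u32(value) if atype != TUNNEL_PRIVATE_GROUP_ID else None
        rows.append((atype, *decode_rfc2868(atype, value), naive))
    return rows
```

`report(CLEARPASS)` and `report(IAS)` decode to the same Tunnel-Type under RFC 2868; only the naive reading differs, and it matches the switch log only for the tag 0x01 case.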
