Security

last person joined: 8 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

VLAN enforcement with Cisco SG300

This thread has been viewed 3 times

  • 1.  VLAN enforcement with Cisco SG300

    Posted Nov 24, 2014 10:57 AM

    I'm trying to setup VLAN enforcement on a Cisco SG300 - the swich is logging:

    11-Aug-2014 14:16:56 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with M AC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID

    11-Aug-2014 14:16:56 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

    11-Aug-2014 14:16:56 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

     

    The Clearpass Access-Accept message looks like this:

     

    radius.PNG

     

    Cisco documentation notes:

     

    As noted in RFC2868 , section 3.1: The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00). Refer to RFC 2868 for more information on all RADIUS attributes.

     

    It would seem that Clearpass is using the tag appropriately since the value pairs all do indeed reference the same tunnel. I'm guessing the Cisco switch is logging "rejected on port gi2 because Radius accept message does not contain VLAN ID" simply because of the "invalid attribute" for tunnel-type and tunnel-medium-type.

     

    Anyone have any insight into this? Is there a way to set the tag to 0x00 instead of 0x01?

     

    Thanks,

    Aaron

     



  • 2.  RE: VLAN enforcement with Cisco SG300

    Posted Nov 24, 2014 11:53 AM

     

    https://supportforums.cisco.com/discussion/11633356/sg300-52-radius-not-working-aaa-w-reject 

     

    or try using authenticate only (8) instead 



  • 3.  RE: VLAN enforcement with Cisco SG300

    Posted Nov 24, 2014 01:23 PM

    I tried both Administrative (6) and Authenticate-only (8) - but, no joy for either:

     


    06-Aug-2014 12:15:33 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID

    06-Aug-2014 12:15:33 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

    06-Aug-2014 12:15:33 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0



  • 4.  RE: VLAN enforcement with Cisco SG300
    Best Answer



  • 5.  RE: VLAN enforcement with Cisco SG300

    Posted Nov 24, 2014 02:37 PM

    Setting Avenda Tag-Id to 0 in the profile worked! Many thanks!

     

    06-Aug-2014 13:24:37 :%SEC-I-SUPPLICANTAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 is authorized on port gi2

    06-Aug-2014 13:24:37 :%SEC-I-PORTAUTHORIZED: Port gi2 is Authorized