
VLAN enforcement with Cisco SG300

I'm trying to set up VLAN enforcement on a Cisco SG300 - the switch is logging:

11-Aug-2014 14:16:56 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID

11-Aug-2014 14:16:56 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

11-Aug-2014 14:16:56 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

The Clearpass Access-Accept message looks like this:

[attached screenshot: radius.PNG]

Cisco documentation notes:

As noted in RFC 2868, section 3.1: The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are 0x01 through 0x1F, inclusive. If the Tag field is unused, it must be zero (0x00). Refer to RFC 2868 for more information on all RADIUS attributes.

It would seem that Clearpass is using the tag appropriately since the value pairs all do indeed reference the same tunnel. I'm guessing the Cisco switch is logging "rejected on port gi2 because Radius accept message does not contain VLAN ID" simply because of the "invalid attribute" for tunnel-type and tunnel-medium-type.

Anyone have any insight into this? Is there a way to set the tag to 0x00 instead of 0x01?

Thanks,

Aaron

Re: VLAN enforcement with Cisco SG300

https://supportforums.cisco.com/discussion/11633356/sg300-52-radius-not-working-aaa-w-reject 

Or try using Authenticate-Only (8) instead.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: VLAN enforcement with Cisco SG300

I tried both Administrative (6) and Authenticate-Only (8), but no joy for either:

06-Aug-2014 12:15:33 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID

06-Aug-2014 12:15:33 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

06-Aug-2014 12:15:33 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

Re: VLAN enforcement with Cisco SG300

See this
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-is-not-setting-tunnel-tag-to-0-when-trying-to-do/m-p/189473#M14031
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: VLAN enforcement with Cisco SG300

Setting Avenda Tag-Id to 0 in the profile worked! Many thanks!

06-Aug-2014 13:24:37 :%SEC-I-SUPPLICANTAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 is authorized on port gi2

06-Aug-2014 13:24:37 :%SEC-I-PORTAUTHORIZED: Port gi2 is Authorized
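
The exchange above comes down to one octet: the RFC 2868 Tag that leads the value of Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81). The following is an added example, written for this page and not code from the thread, from Aruba ClearPass or from Cisco. It encodes the three attributes for a VLAN assignment with a chosen tag, parses them back the way a NAS would, and applies two policies: a strict one that ignores 64/65 with a non-zero tag (which reproduces the "Invalid attribute ... tag should be 0" and "does not contain VLAN ID" outcome logged by the SG300) and an RFC 2868-conformant one that groups attributes by tag and accepts tag 0x01. Only the 64/65 check is taken from the switch logs in the thread; how the SG300 treats a tagged 81 is not shown there, so the example does not check it, and whether a tag octet is emitted for 81 when the tag is 0 is the example's own choice (RFC 2868 allows a first octet above 0x1F to be read as string data). Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) follow RFC 3580; the VLAN 100 input is constructed.

```python
"""RFC 2868 tunnel attributes: encode, parse, and apply a NAS-side tag check.

Added example for the ClearPass / SG300 thread; not vendor code.
"""

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE = 64               # integer, 4 octets: Tag + 3-octet value
TUNNEL_MEDIUM_TYPE = 65        # integer, 4 octets: Tag + 3-octet value
TUNNEL_PRIVATE_GROUP_ID = 81   # string: optional Tag octet + VLAN ID or name
VLAN = 13                      # Tunnel-Type = VLAN
IEEE_802 = 6                   # Tunnel-Medium-Type = IEEE-802


def encode_tunnel_attrs(vlan_id, tag):
    """Return attributes 64, 65 and 81 as raw RADIUS TLVs for one VLAN.

    tag 0x00 means "unused"; 0x01..0x1F groups the three attributes as one
    tunnel description, which is what ClearPass was doing with tag 0x01.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    out = bytearray()
    for attr_type, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        payload = bytes([tag]) + value.to_bytes(3, "big")
        out += bytes([attr_type, 2 + len(payload)]) + payload
    group = str(vlan_id).encode("ascii")
    # Design choice (assumption, not taken from the thread): omit the tag
    # octet for 81 when the tag is 0. A leading digit is > 0x1F, so RFC 2868
    # parsers read it as the first byte of the string.
    payload = (bytes([tag]) if tag else b"") + group
    out += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(payload)]) + payload
    return bytes(out)


def parse_attrs(blob):
    """Yield (type, payload) from a run of RADIUS attribute TLVs."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad length %d for attribute %d" % (length, attr_type))
        yield attr_type, blob[i + 2:i + length]
        i += length


def split_tag(attr_type, payload):
    """Return (tag, value) following the RFC 2868 tag rules; (None, payload)
    for attributes that are not tunnel attributes."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(payload) != 4:
            raise ValueError("tunnel integer attributes must be 4 octets")
        return payload[0], int.from_bytes(payload[1:], "big")
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        if payload and payload[0] <= 0x1F:       # tag octet present
            return payload[0], payload[1:].decode("ascii")
        return 0, payload.decode("ascii")        # first octet is string data
    return None, payload


def vlan_from_accept(blob, strict_zero_tag):
    """Extract the VLAN a NAS would apply from Access-Accept attributes.

    strict_zero_tag=True models what the SG300 logged: attributes 64/65
    with a non-zero tag are ignored, so no VLAN is found. strict_zero_tag=False
    models an RFC 2868-conformant NAS that accepts any tag and groups by it.
    Returns (vlan, warnings); vlan is an int for a numeric ID, the raw string
    for a VLAN name (RFC 3580 permits either), or None.
    """
    groups, warnings = {}, []
    for attr_type, payload in parse_attrs(blob):
        tag, value = split_tag(attr_type, payload)
        if tag is None:
            continue
        if strict_zero_tag and tag != 0 and attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            warnings.append("Invalid attribute %d ignored - tag should be 0" % attr_type)
            continue
        groups.setdefault(tag, {})[attr_type] = value
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == VLAN and g.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            gid = g[TUNNEL_PRIVATE_GROUP_ID]
            return (int(gid) if gid.isdigit() else gid), warnings
    return None, warnings


if __name__ == "__main__":
    tagged = encode_tunnel_attrs(100, tag=1)     # ClearPass default in the thread
    untagged = encode_tunnel_attrs(100, tag=0)   # after setting Tag-Id to 0
    print("tag 1, strict NAS:", vlan_from_accept(tagged, strict_zero_tag=True))
    print("tag 1, RFC NAS:   ", vlan_from_accept(tagged, strict_zero_tag=False))
    print("tag 0, strict NAS:", vlan_from_accept(untagged, strict_zero_tag=True))
```

Run with tag 1 the strict model returns no VLAN and two warnings, one each for attributes 64 and 65, while the conformant model returns VLAN 100 from the same bytes; with tag 0 both models agree. That is the practical point of the thread: the tagged attributes ClearPass sent are valid per RFC 2868, and setting the tag to 0 in the enforcement profile is a workaround for the switch's stricter parsing, not a correction of the RADIUS server.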
