last person joined: 17 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

macAuth failing to assign vlan

  • 1.  macAuth failing to assign vlan

    Posted Apr 17, 2019 04:43 PM
      |   view attached

    My appologies if this is in the wrong forum but i'm having issues with macAuth on a 2530 where the switch fails to assign a vlan once the host passes authentication. ClearPass Access tracker shows that the host is using the correct service policy and the enforcement profile is assigning the correct vlan but then the accounting tab of access tracker shows NAS-Error for the termination clause.


    I'm getting a log entry on the switch of:

    W 04/17/19 14:22:54 02400 dca: macAuth client, RADIUS-assigned VID validation
    error. MAC 00104932DB18 port 1 VLAN-Id 0 or unknown.



    switch3.txt   3K 1 version

  • 2.  RE: macAuth failing to assign vlan

    Posted Apr 17, 2019 04:54 PM

     Hello if the Clearpass says a Auth success and returning the proper VLAN/Role, please check on the switch for this user if it has a VLAN or role post auth. If that is correct, we need to check the config on the switch related to that Vlan.


    I would encourage you to open a Switch case, to solve it sooner.

  • 3.  RE: macAuth failing to assign vlan

    Posted Apr 18, 2019 04:12 AM

    What is the attribute that you return in ClearPass? For VLAN assignment on the switch, you should use the VLAN enforcement template that uses the IETF Tunnel-Private-Group-Id, Tunnel-Type, Tunnel-Media-Type, and Termination-Action attributes. Or the HPE-Egress-VLAN-ID would work as an alternative. The Aruba-User-VLAN attribute is supported by Instant, Controller and Branch Gateway only.


    Screen Shot 2019-04-18 at 10.07.50.png

    Screen Shot 2019-04-18 at 10.07.36.png

    Screenshot at Apr 18 10-10-46.png

  • 4.  RE: macAuth failing to assign vlan

    Posted Apr 25, 2019 10:40 AM

    I solved the issue with MacAuth failing to assign the correct vlan.


    ClearPass had the vlan name as VoIP.  I had defined the vlan name on the switch as VOIP.  ClearPass was sending a command for a vlan that didn't exist.

    Silly mistake that I blew past several times until let it sit for a bit and went back with fresh eyes.

  • 5.  RE: macAuth failing to assign vlan

    Posted May 22, 2020 02:13 PM

     I solved similar case and it was all about conversion from hexa to decimal, 

    My case was to assign tagged vlan ID = 3 

    the mistake i was made: 

    0x310003  ---> convert to decimal --> 3211267


    and this is the right way to convert: 

    0x31000003  --->  convert to decimal --> 822083587