Security

Hello,

In my journey to learn more of Clearpass, I decided to test the dynamic VLAN feature against a consumer-grade switch I have here at my home. I got as far as my service recognizing the policy and sending a RADIUS response. For some reason the switch won't recognize it responding with the following error:

08 Mar 2025 17:54:04 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

Initially I used these attributes.

Radius:IETF:Tunnel-Medium-Type (attribute 65)

Radius:IETF:Tunnel-Private-Group-Id

Radius:IETF:Tunnel-Type (attribute 64)

When I adjusted the configuration only sending ":IETF:Tunnel-Private-Group-Id" based on the output that attribute 64 and 65 weren't recognized. I received this message below.

08 Mar 2025 18:12:26 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 18:12:26 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - tag should be 0 or greater then 31

Initially I had configured the RADIUS setting in Clearpass to use: IETF:Tunnel-Private-Group-Id: 25. I adjusted it later to 39 in anticipation to the message tag should be 0 or greater then 31 . But this did not work.

Am I overlooking something? I am hoping from one hobbyist to another someone has encountered something similar in a home lab as well, or observe a mistake in my configuration below.

In parallel I will reach out to Netgear to see if it can be solved through that way. If so, I will definitely share this information with the community!

NAD-IP-Address: 10.254.254.61 is netgear switch

Here's some screenshots. Hope you can help me.

Hello,

In my journey to learn more of Clearpass, I decided to test the dynamic VLAN feature against a consumer-grade switch I have here at my home. I got as far as my service recognizing the policy and sending a RADIUS response. For some reason the switch won't recognize it responding with the following error:

08 Mar 2025 17:54:04 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

Initially I used these attributes.

Radius:IETF:Tunnel-Medium-Type (attribute 65)

Radius:IETF:Tunnel-Private-Group-Id

Radius:IETF:Tunnel-Type (attribute 64)

When I adjusted the configuration only sending ":IETF:Tunnel-Private-Group-Id" based on the output that attribute 64 and 65 weren't recognized. I received this message below.

08 Mar 2025 18:12:26 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 18:12:26 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - tag should be 0 or greater then 31

Initially I had configured the RADIUS setting in Clearpass to use: IETF:Tunnel-Private-Group-Id: 25. I adjusted it later to 39 in anticipation to the message tag should be 0 or greater then 31 . But this did not work.

Am I overlooking something? I am hoping from one hobbyist to another someone has encountered something similar in a home lab as well, or observe a mistake in my configuration below.

In parallel I will reach out to Netgear to see if it can be solved through that way. If so, I will definitely share this information with the community!

NAD-IP-Address: 10.254.254.61 is netgear switch

Here's some screenshots. Hope you can help me.

Hello,

In my journey to learn more of Clearpass, I decided to test the dynamic VLAN feature against a consumer-grade switch I have here at my home. I got as far as my service recognizing the policy and sending a RADIUS response. For some reason the switch won't recognize it responding with the following error:

08 Mar 2025 17:54:04 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

Initially I used these attributes.

Radius:IETF:Tunnel-Medium-Type (attribute 65)

Radius:IETF:Tunnel-Private-Group-Id

Radius:IETF:Tunnel-Type (attribute 64)

When I adjusted the configuration only sending ":IETF:Tunnel-Private-Group-Id" based on the output that attribute 64 and 65 weren't recognized. I received this message below.

08 Mar 2025 18:12:26 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 18:12:26 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - tag should be 0 or greater then 31

Initially I had configured the RADIUS setting in Clearpass to use: IETF:Tunnel-Private-Group-Id: 25. I adjusted it later to 39 in anticipation to the message tag should be 0 or greater then 31 . But this did not work.

Am I overlooking something? I am hoping from one hobbyist to another someone has encountered something similar in a home lab as well, or observe a mistake in my configuration below.

In parallel I will reach out to Netgear to see if it can be solved through that way. If so, I will definitely share this information with the community!

NAD-IP-Address: 10.254.254.61 is netgear switch

Here's some screenshots. Hope you can help me.

I actually found an article on Airheads from 2014, pretty much the same error message but with a different vendor. I am trying to see if the switch will allow me to update the support RADIUS attributes, if it works out I will share it 

Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments | Security

Hello,

In my journey to learn more of Clearpass, I decided to test the dynamic VLAN feature against a consumer-grade switch I have here at my home. I got as far as my service recognizing the policy and sending a RADIUS response. For some reason the switch won't recognize it responding with the following error:

08 Mar 2025 17:54:04 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

Initially I used these attributes.

Radius:IETF:Tunnel-Medium-Type (attribute 65)

Radius:IETF:Tunnel-Private-Group-Id

Radius:IETF:Tunnel-Type (attribute 64)

When I adjusted the configuration only sending ":IETF:Tunnel-Private-Group-Id" based on the output that attribute 64 and 65 weren't recognized. I received this message below.

08 Mar 2025 18:12:26 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 18:12:26 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - tag should be 0 or greater then 31

Initially I had configured the RADIUS setting in Clearpass to use: IETF:Tunnel-Private-Group-Id: 25. I adjusted it later to 39 in anticipation to the message tag should be 0 or greater then 31 . But this did not work.

Am I overlooking something? I am hoping from one hobbyist to another someone has encountered something similar in a home lab as well, or observe a mistake in my configuration below.

In parallel I will reach out to Netgear to see if it can be solved through that way. If so, I will definitely share this information with the community!

NAD-IP-Address: 10.254.254.61 is netgear switch

Here's some screenshots. Hope you can help me.

Avenda:Avenda-Tag-Id, return that attribute with a value of 0.

I actually found an article on Airheads from 2014, pretty much the same error message but with a different vendor. I am trying to see if the switch will allow me to update the support RADIUS attributes, if it works out I will share it 

Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments | Security

Hello,

In my journey to learn more of Clearpass, I decided to test the dynamic VLAN feature against a consumer-grade switch I have here at my home. I got as far as my service recognizing the policy and sending a RADIUS response. For some reason the switch won't recognize it responding with the following error:

08 Mar 2025 17:54:04 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

Initially I used these attributes.

Radius:IETF:Tunnel-Medium-Type (attribute 65)

Radius:IETF:Tunnel-Private-Group-Id

Radius:IETF:Tunnel-Type (attribute 64)

When I adjusted the configuration only sending ":IETF:Tunnel-Private-Group-Id" based on the output that attribute 64 and 65 weren't recognized. I received this message below.

08 Mar 2025 18:12:26 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 18:12:26 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - tag should be 0 or greater then 31

Initially I had configured the RADIUS setting in Clearpass to use: IETF:Tunnel-Private-Group-Id: 25. I adjusted it later to 39 in anticipation to the message tag should be 0 or greater then 31 . But this did not work.

Am I overlooking something? I am hoping from one hobbyist to another someone has encountered something similar in a home lab as well, or observe a mistake in my configuration below.

In parallel I will reach out to Netgear to see if it can be solved through that way. If so, I will definitely share this information with the community!

NAD-IP-Address: 10.254.254.61 is netgear switch

Here's some screenshots. Hope you can help me.

Thanks, unfortunately, I am still fighting with this, I got a little further now. When adding the Avenda-Tag-Id I am no longer receiving error messages about attribute 64 and 65 which still are being send in the accept message (see below).

However in each case I kept receiving the message: was rejected on port g3 because Radius accept message does not contain VLAN ID

I started editing the XLM file which was a bit easier in this case and used the syntax below.

    <RadiusEnfProfile description="" name="Lab 10 802.1X Wired assign VLAN 25 Netgear" action="Accept">
      <AttributeList>
        <Attribute displayValue="25" value="VLAN ID:25" name="Tunnel-Private-Group-Id" type="Radius:IETF"/>
        <Attribute displayValue="IEEE-802 (6)" value="6" name="Tunnel-Medium-Type" type="Radius:IETF"/>
        <Attribute displayValue="VLAN" value="13" name="Tunnel-Type" type="Radius:IETF"/>
        <Attribute displayValue="0" value="0" name="Avenda-Tag-Id" type="Radius:Avenda"/>
      </AttributeList>
    </RadiusEnfProfile>

I tried:

• Changing the order of the attributes
• Adding quotes to change is from integer to string
• Using U:25 and U:Data instead of the VLAN ID
• Nothing seems to work

On a positive note , I learned that it can be easy to edit profiles using XML and that order of attributes can influence the outcome (however not in my case it seems), but I still cannot get it to work. ChatGPT suggests NETGEAR-AVPair however google says "NO", I cannot find any Netgear attributes. 

Wonder if this is the end or if there is something else I can tinker with :). Thanks so far for the responses

------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company

Original Message:
Sent: Mar 10, 2025 05:21 PM
From: chulcher
Subject: Dynamic VLAN assignment with Clearpass

Avenda:Avenda-Tag-Id, return that attribute with a value of 0.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Mar 10, 2025 03:54 PM
From: mvanoverbeek
Subject: Dynamic VLAN assignment with Clearpass

I actually found an article on Airheads from 2014, pretty much the same error message but with a different vendor. I am trying to see if the switch will allow me to update the support RADIUS attributes, if it works out I will share it 

Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments | Security

------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company

Original Message:
Sent: Mar 09, 2025 04:19 PM
From: willembargeman
Subject: Dynamic VLAN assignment with Clearpass

Never used netgear switches. Did a quick search and found this article. Did you enable the VLAN assignment mode? I believe it's an old doc but maybe still applies.

https://www.downloads.netgear.com/files/answers/Dynamic%20VLAN%20Assignment%20using%20RADIUS.pdf

---------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125

Original Message:
Sent: Mar 09, 2025
From: mvanoverbeek
Subject: Dynamic VLAN assignment with Clearpass

Hello,

In my journey to learn more of Clearpass, I decided to test the dynamic VLAN feature against a consumer-grade switch I have here at my home. I got as far as my service recognizing the policy and sending a RADIUS response. For some reason the switch won't recognize it responding with the following error:

08 Mar 2025 17:54:04 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

Initially I used these attributes.

Radius:IETF:Tunnel-Medium-Type (attribute 65)

Radius:IETF:Tunnel-Private-Group-Id

Radius:IETF:Tunnel-Type (attribute 64)

When I adjusted the configuration only sending ":IETF:Tunnel-Private-Group-Id" based on the output that attribute 64 and 65 weren't recognized. I received this message below.

08 Mar 2025 18:12:26 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID

08 Mar 2025 18:12:26 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - tag should be 0 or greater then 31

Initially I had configured the RADIUS setting in Clearpass to use: IETF:Tunnel-Private-Group-Id: 25. I adjusted it later to 39 in anticipation to the message tag should be 0 or greater then 31 . But this did not work.

Am I overlooking something? I am hoping from one hobbyist to another someone has encountered something similar in a home lab as well, or observe a mistake in my configuration below.

In parallel I will reach out to Netgear to see if it can be solved through that way. If so, I will definitely share this information with the community!

NAD-IP-Address: 10.254.254.61 is netgear switch

Here's some screenshots. Hope you can help me.

------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------