Security


Returning multiple tagged VLANS and untagged VLAN from ClearPass to CiscoCatalyst

  • 1.  Returning multiple tagged VLANS and untagged VLAN from ClearPass to CiscoCatalyst

    Posted Sep 27, 2020 03:03 PM

    Hello,

    I have to configure VLAN enforcement of multiple VLANs (tagged and untagged) on Cisco Catalyst switches.

    I already configured 802.1x on the switch and the services, devices, policies and profiles on ClearPass.

    If I enforce only one VLAN, in access mode, using the RADIUS attribute "Tunnel-Private-Group-Id", it works fine. The switch configures the port with the VLAN sent by ClearPass in the RADIUS attribute.

    However, we need to configure the port in trunk mode, with one VLAN (VLAN 100) in access and other VLANs (200 and 300) as tagged VLANs.

    We need this configuration in order to configure the port to connect APs in bridge mode. The requirement is to set the VLAN used by the AP (VLAN 100) as untagged and the WLAN VLANs (200 and 300) as tagged.

    I already implemented this type of configuration on Aruba switches and it works fine, using the attribute HPE-Egress-VLAN-ID(64).

    However, on the Cisco Catalyst, the attribute is ignored.

    Do you know which attribute we should use in ClearPass to enforce tagged and untagged VLANs?

    Thanks

    David




  • 2.  RE: Returning multiple tagged VLANS and untagged VLAN from ClearPass to CiscoCatalyst

    Posted Oct 06, 2022 11:18 AM
    Edited by mom Oct 06, 2022 11:25 AM

    Hello!

    This thread is a little bit dated, but for future documentation I want to provide a solution which worked for me.
    I have a discontinued Cisco 2960X switch at version 15.2(7)E6, I think it's the latest version.

    I tried to use 802.1x on trunk ports in this version directly, it should be supported since 15.2.x or so.
    In the user guide of this version, it is not explicitly noted that 802.1x will not be supported on trunk ports.
    But it does not work, no auth session will be initiated.

    Now there is a second way to force a port to trunk after a successful authentication: The Cisco-AVPair attribute.

    • To get this working, configure the port to authenticate as an access port.
      If you use a custom VLAN instead of VLAN 1 for management (APs for example), add the line "switchport access vlan <id>" to the port config.
      And if you have to restrict the allowed VLANs to specific VLANs, also add "switchport trunk allowed vlan <id>,<id>".
      Furthermore, add all the well-known settings to the port which will be needed to get 802.1x and MAB (MAC Auth) working.
      And last but not least, add "authentication host-mode multi-host" as a prerequisite for it to work.
    • On the ClearPass side, return the Cisco RADIUS value "device-traffic-class=switch" after a successful 802.1x or MAC auth.
      The Cisco switch will then change the port config to trunk, change the "switchport access vlan <id>" line to "switchport trunk native vlan <id>", and take over the VLAN id from the "switchport access vlan <id>" config.


    This is not combinable with the setting "authentication host-mode multi-domain"; if you would like to return "device-traffic-class=voice" you have to use host-mode multi-host.

    A minus point is definitely that the running config will be modified by returning device-traffic-class=switch.
    If you issue "write mem" after a switch or AP was authenticated, the modified port settings will be written to the startup config and the next auth will fail.
    So you must permanently audit the port config against a template....

    You can find the official Cisco documentation regarding this here.



    ------------------------------
    Best regards, mom
    ------------------------------
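As an added illustration of the approach described in reply 2 (this is not the poster's own configuration): the AP uplink port as it is configured before authentication, the attribute ClearPass returns, and the port as the switch rewrites it afterwards. The interface name, the RADIUS server address and the shared-secret placeholder are assumptions; VLAN 100 as the AP's untagged VLAN and 200/300 as the tagged WLAN VLANs follow the original question.

```cisco
! --- Global 802.1X / MAB prerequisites (assumed; adjust to your AAA setup) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server CLEARPASS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
! --- AP uplink port as configured BEFORE authentication ---
! Access mode, so that the 802.1X/MAB session actually starts
! (reply 2 reports that no session is initiated on a trunk port).
! Interface name is assumed.
interface GigabitEthernet1/0/10
 description AP bridge-mode uplink, authorised via ClearPass
 switchport mode access
! VLAN 100 = AP management VLAN; becomes the trunk native VLAN after authorisation
 switchport access vlan 100
! Restrict what the port may carry once it has been turned into a trunk
 switchport trunk allowed vlan 100,200,300
! Required for device-traffic-class=switch; multi-domain does NOT work with it
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! --- RADIUS Access-Accept returned by the ClearPass enforcement profile ---
! Vendor-specific attribute, vendor Cisco (IETF 9), Cisco-AVPair (type 1):
!   Cisco-AVPair = "device-traffic-class=switch"
!
! --- Same port in the RUNNING config AFTER a successful authentication ---
! Rewritten by the switch as reply 2 describes. Do not "write mem" while the
! port looks like this, or the next authentication on it will fail; compare
! the running config against the template above instead.
interface GigabitEthernet1/0/10
 description AP bridge-mode uplink, authorised via ClearPass
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
```

The ClearPass side is configured in the enforcement profile GUI; the attribute line above is shown in RADIUS dictionary notation only to document what the Access-Accept must carry.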