
Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments

  • 1.  Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments

    Posted Jun 25, 2014 04:32 PM

    I am trying to pass 802.1x dynamic vlan assignment to a Dell Powerconnect 3524.  I have ClearPass set up to pass RADIUS:IETF Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, and Tunnel-Private-Grp-ID=<VLAN ID>

     

    However on the switch I get this:

     

    21-Jan-2001 03:24:57 :%SEC-W-SUPPLICANTUNAUTHORIZED: MAC  was rejected on port 6/e9 because Radius accept message does not contain VLAN ID

    21-Jan-2001 03:24:57 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0

    21-Jan-2001 03:24:57 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0

     

    I would assume this is talking about RFC 2868, but I don't see anywhere in Clearpass to force the Tunnel-Tag to 0.

     

    Help please.

     

    Thanks

     

    Dennis



  • 2.  RE: Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments

    Posted Jun 30, 2014 05:55 AM

    On some other switch vendors you can specify whether the VLAN should be tagged or untagged under the Tunnel-Private-Group-ID Attribute as follows:

     

    untagged vlan 100:

    U:100

     

    tagged vlan 100:

    T:100

     

    untagged vlan 100 and tagged VLAN 200:

    U:100;T:200

     

    maybe this is something the Dell switches support??



  • 3.  RE: Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments
    Best Answer

    Posted Jul 25, 2014 02:14 PM

    Aruba support could not help even though it was something in Aruba that needed to be changed.  I ended up getting help from Dell.  To set the RFC 2868 tag to 0, you need to enable the Avenda RADIUS dictionary, and in the enforcement profile the Avenda-Tag-Id needs to be set to 0.  Once this is done, the switch accepts the other three parameters.

     

    Thanks



  • 4.  RE: Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments

    Posted Dec 03, 2018 05:52 PM

    I recently had this issue on ClearPass 6.7.x, but with a twist. My NAS is a Dell 5548P.

     

    This solution was what I needed, but when I enabled the Avenda dictionary and set the attribute to '0', I never saw the attribute sent back in access tracker and authentication still didn't work.

     

    Upon exporting the Enforcement Policy, I found the following line:

    <Attribute displayValue="0" value="" name="Avenda-Tag-Id" type="Radius:Avenda"/>

    Replacing it with the following and re-importing the enforcement policy XML fixed my issue--the attribute was sent along and authentications started working.

    <Attribute displayValue="0" value="0" name="Avenda-Tag-Id" type="Radius:Avenda"/>
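For readers checking a packet capture of the Access-Accept, here is an added example (not from any of the posts above, and not ClearPass or Dell code) of how the RFC 2868 tag octet sits inside attributes 64, 65 and 81, with a check modelled on the switch's "tag should be 0" log message. The tag value 1 and VLAN ID "100" are constructed samples, and `nonzero_tags` is a hypothetical helper.

```python
import struct

# RFC 2868 tunnel attributes, by the numbers the switch log uses.
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
VLAN, IEEE_802 = 13, 6  # values for Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802

def tagged_int(attr_type, tag, value):
    """Type, Length=6, Tag (1 octet), Value (3 octets, big-endian)."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def group_id(vlan_id, tag=None):
    """Attribute 81: the tag octet is optional, then the VLAN ID as a string."""
    body = (b"" if tag is None else bytes([tag])) + vlan_id.encode("ascii")
    return struct.pack("!BB", 81, 2 + len(body)) + body

def decode(attrs):
    """Return (type, tag, value) for each tunnel attribute in an attribute list."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"malformed attribute at offset {i}")
        attr_type, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if attr_type in (64, 65):
            if len(body) != 4:
                raise ValueError(f"attribute {attr_type} must have length 6")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == 81:
            # A first octet above 0x1F is part of the string, not a tag.
            has_tag = bool(body) and body[0] <= 0x1F
            out.append((81, body[0] if has_tag else None,
                        body[1 if has_tag else 0:].decode("ascii")))
    return out

def nonzero_tags(attrs):
    """Attributes 64/65 whose tag is not 0, the condition the switch log reports."""
    return [t for t, tag, _ in decode(attrs) if t in (64, 65) and tag != 0]

def build_accept_attrs(tag, vlan_id="100"):
    """Constructed sample: the three tunnel attributes of an Access-Accept."""
    return tagged_int(64, tag, VLAN) + tagged_int(65, tag, IEEE_802) + group_id(vlan_id)

if __name__ == "__main__":
    for tag in (1, 0):  # constructed samples: tag 1, then tag 0
        attrs = build_accept_attrs(tag)
        print(f"tag={tag} bytes={attrs.hex()} nonzero-tagged={nonzero_tags(attrs)}")
        for t, g, v in decode(attrs):
            print(f"  {NAMES[t]}: tag={g} value={v}")
```

In a capture, the third byte of attributes 64 and 65 is the tag; it is the byte that has to read `00` for the switch in this thread to accept them.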


  • 5.  RE: Clearpass is not setting tunnel-tag to 0 when trying to do dynamic vlan assignments

    Posted Mar 26, 2019 12:29 PM