Cisco – RADIUS VLAN Assignment with Cisco ISE

Tags: cisco, cisco-ise, radius, vlan

I am trying to install Cisco ISE 2.1 to be used as a RADIUS server with 802.1x on my switches. I want to dynamically assign a VLAN based on the user who connects to the switch port.

The problem is that, although my end client is authenticated and authorized by ISE, the VLAN ID is never received on the switch from ISE.

On ISE, I see my end user being authenticated with the correct policy, and authorized with the policy I created.

[Image: DOT1X config ISE]

As seen in this image, I want to assign VLAN 56. However, my port does not get this information and stays in the hardcoded VLAN.

What could be the issue here?

Could it be that RADIUS options 064, 065, 081 are not forwarded from the ISE to the switch? I have a firewall between them.

Here is the configuration for dot1x on my switch:

aaa new-model
aaa group server tacacs+ ServISE
 server-private X.X.X.X key XXXXX
aaa authentication login default local
aaa authentication login CON none
aaa authentication login VTY group ServISE local
aaa authentication dot1x default group radius local
aaa authorization console
aaa authorization exec CON none
aaa authorization exec VTY group ServISE local if-authenticated
aaa authorization network default group radius

radius-server host X.X.X.X auth-port 1645 acct-port 1646 key 7 XXXX


interface FastEthernet0/10
 switchport access vlan 88
 switchport mode access
 switchport voice vlan 372
 authentication event fail action next-method
 authentication event server dead action authorize vlan 56
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
 spanning-tree portfast

And here is the output when the end user is authenticated through dot1x:

 Dot1x Info for FastEthernet0/10
 -----------------------------------
 PAE                       = AUTHENTICATOR
 PortControl               = AUTO
 ControlDirection          = Both
 HostMode                  = MULTI_AUTH
 QuietPeriod               = 60
 ServerTimeout             = 0
 SuppTimeout               = 30
 ReAuthMax                 = 2
 MaxReq                    = 2
 TxPeriod                  = 30

 Dot1x Authenticator Client List
 -------------------------------
 Supplicant                = 34e6.d735.483c
 Session ID                = 84A8A830000000254EE2CCAB
     Auth SM State         = AUTHENTICATED
     Auth BEND SM State    = IDLE
 Port Status               = AUTHORIZED

Here is the output of "debug dot1x all":

275: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): dot1x_exec_reauth_interface: Reauthenticating Authenticator instances
276: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): Posting REAUTHENTICATE on Client 0xF5000034
277: Jun 16 18:30:40.370:     dot1x_auth Fa0/10: during state auth_authenticated, got event 17(reAuthenticate)
278: Jun 16 18:30:40.370: @@@ dot1x_auth Fa0/10: auth_authenticated -> auth_restart
279: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_authenticated_exit called
280: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_restart_enter called
281: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): Sending create new context event to EAP for 0xF5000034 (34e6.d735.483c)
282: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_authenticated_restart_action called
283: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): Posting !EAP_RESTART on Client 0xF5000034
284: Jun 16 18:30:40.370:     dot1x_auth Fa0/10: during state auth_restart, got event 6(no_eapRestart)
285: Jun 16 18:30:40.370: @@@ dot1x_auth Fa0/10: auth_restart -> auth_connecting
286: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_connecting_enter called
287: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_restart_connecting_action called
288: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): Posting RX_REQ on Client 0xF5000034
289: Jun 16 18:30:40.370:     dot1x_auth Fa0/10: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
290: Jun 16 18:30:40.370: @@@ dot1x_auth Fa0/10: auth_connecting -> auth_authenticating
291: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_authenticating_enter called
292: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_connecting_authenticating_action called
293: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): Posting AUTH_START for 0xF5000034
294: Jun 16 18:30:40.370:     dot1x_auth_bend Fa0/10: during state auth_bend_idle, got event 4(eapReq_authStart)
295: Jun 16 18:30:40.370: @@@ dot1x_auth_bend Fa0/10: auth_bend_idle -> auth_bend_request
296: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_request_enter called
297: Jun 16 18:30:40.370: dot1x-packet(Fa0/10): EAP code: 0x1  id: 0x4E length: 0x0005 type: 0x1  data:
298: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): Sending EAPOL packet to 34e6.d735.483c
299: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): Role determination not required
300: Jun 16 18:30:40.370: dot1x-registry:registry:dot1x_ether_macaddr called
301: Jun 16 18:30:40.370: dot1x-ev(Fa0/10): Sending out EAPOL packet
302: Jun 16 18:30:40.370: EAPOL pak dump Tx
303: Jun 16 18:30:40.370: EAPOL Version: 0x2  type: 0x0  length: 0x0005
304: Jun 16 18:30:40.370: EAP code: 0x1  id: 0x4E length: 0x0005 type: 0x1
305: Jun 16 18:30:40.370: dot1x-packet(Fa0/10): EAPOL packet sent to client 0xF5000034 (34e6.d735.483c)
306: Jun 16 18:30:40.370: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_idle_request_action called
307: Jun 16 18:30:40.378: dot1x-ev(Fa0/10): Role determination not required
308: Jun 16 18:30:40.378: dot1x-packet(Fa0/10): Queuing an EAPOL pkt on Authenticator Q
309: Jun 16 18:30:40.378: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
310: Jun 16 18:30:40.378: EAPOL pak dump rx
311: Jun 16 18:30:40.378: EAPOL Version: 0x1  type: 0x0  length: 0x0020
312: Jun 16 18:30:40.378: dot1x-ev:dot1x_auth_queue_event: Int Fa0/10 CODE= 2,TYPE= 1,LEN= 32
313: Jun 16 18:30:40.378: dot1x-packet(Fa0/10): Received an EAPOL frame
314: Jun 16 18:30:40.378: dot1x-ev(Fa0/10): Received pkt saddr =34e6.d735.483c , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.0020
315: Jun 16 18:30:40.378: dot1x-packet(Fa0/10): Received an EAP packet
316: Jun 16 18:30:40.378: EAPOL pak dump rx
317: Jun 16 18:30:40.378: EAPOL Version: 0x1  type: 0x0  length: 0x0020
318: Jun 16 18:30:40.378: dot1x-packet(Fa0/10): Received an EAP packet from 34e6.d735.483c
319: Jun 16 18:30:40.378: dot1x-sm(Fa0/10): Posting EAPOL_EAP for 0xF5000034
320: Jun 16 18:30:40.378:     dot1x_auth_bend Fa0/10: during state auth_bend_request, got event 6(eapolEap)
321: Jun 16 18:30:40.378: @@@ dot1x_auth_bend Fa0/10: auth_bend_request -> auth_bend_response
322: Jun 16 18:30:40.378: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_response_enter called
323: Jun 16 18:30:40.378: dot1x-ev(Fa0/10): dot1x_sendRespToServer: Response sent to the server from 0xF5000034 (34e6.d735.483c)
324: Jun 16 18:30:40.378: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_request_response_action called
325: Jun 16 18:30:40.395: dot1x-sm(Fa0/10): Posting EAP_REQ for 0xF5000034
326: Jun 16 18:30:40.395:     dot1x_auth_bend Fa0/10: during state auth_bend_response, got event 7(eapReq)
327: Jun 16 18:30:40.395: @@@ dot1x_auth_bend Fa0/10: auth_bend_response -> auth_bend_request
328: Jun 16 18:30:40.395: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_response_exit called
329: Jun 16 18:30:40.395: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_request_enter called
330: Jun 16 18:30:40.395: dot1x-packet(Fa0/10): EAP code: 0x1  id: 0x2B length: 0x0006 type: 0xD  data:
331: Jun 16 18:30:40.395: dot1x-ev(Fa0/10): Sending EAPOL packet to 34e6.d735.483c
332: Jun 16 18:30:40.395: dot1x-ev(Fa0/10): Role determination not required
333: Jun 16 18:30:40.395: dot1x-registry:registry:dot1x_ether_macaddr called
334: Jun 16 18:30:40.395: dot1x-ev(Fa0/10): Sending out EAPOL packet
335: Jun 16 18:30:40.395: EAPOL pak dump Tx
336: Jun 16 18:30:40.395: EAPOL Version: 0x2  type:0x0  length: 0x0006
337: Jun 16 18:30:40.395: EAP code: 0x1  id: 0x2B length: 0x0006 type: 0xD
338: Jun 16 18:30:40.395: dot1x-packet(Fa0/10): EAPOL packet sent to client 0xF5000034 (34e6.d735.483c)
339: Jun 16 18:30:40.395: dot1x-sm(Fa0/10): 0xF5000034:auth_bend_response_request_action called
340: Jun 16 18:30:40.404: dot1x-ev(Fa0/10): Role determination not required
341: Jun 16 18:30:40.404: dot1x-packet(Fa0/10): Queuing an EAPOL pkt on Authenticator Q
342: Jun 16 18:30:40.404: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
343: Jun 16 18:30:40.404: EAPOL pak dump rx
344: Jun 16 18:30:40.404: EAPOL Version: 0x1  type: 0x0  length: 0x0006
345: Jun 16 18:30:40.404: dot1x-ev:dot1x_auth_queue_event: Int Fa0/10 CODE= 2,TYPE= 3,LEN= 6

Here is the output for "debug radius authentication":

685: Jun 17 09:06:23.838: RADIUS/ENCODE(000004D5):Orig. component type = DOT1X
686: Jun 17 09:06:23.838: RADIUS(000004D5): Config NAS IP: 0.0.0.0
687: Jun 17 09:06:23.838: RADIUS/ENCODE(000004D5): acct_session_id: 1237
688: Jun 17 09:06:23.838: RADIUS(000004D5): sending
689: Jun 17 09:06:23.838: RADIUS/ENCODE: Best Local IP-Address 1.1.1.1 for Radius-Server X.X.X.X
690: Jun 17 09:06:23.838: RADIUS(000004D5): Send Access-Request to X.X.X.X:1645 id 1645/16, len 236
691: Jun 17 09:06:23.838: RADIUS:  authenticator C8 97 74 7C 01 99 CE 9E - 11 D2 87 96 10 15 A4 43
692: Jun 17 09:06:23.838: RADIUS:  User-Name           [1]   29  "host/MyComputer.testdomain.com"
693: Jun 17 09:06:23.838: RADIUS:  Service-Type        [6]   6   Framed                    [2]
694: Jun 17 09:06:23.838: RADIUS:  Framed-MTU          [12]  6   1500
695: Jun 17 09:06:23.838: RADIUS:  Called-Station-Id   [30]  19  "C8-F9-F9-C9-45-0C"
696: Jun 17 09:06:23.838: RADIUS:  Calling-Station-Id  [31]  19  "34-E6-D7-35-48-3C"
697: Jun 17 09:06:23.838: RADIUS:  EAP-Message         [79]  34
698: Jun 17 09:06:23.838: RADIUS:   02 85 00 20 01 68 6F 73 74 2F 47 52 45 30 34 37 39 34 37 2E  [ host/MyComputer.]
699: Jun 17 09:06:23.838: RADIUS:   69 6E 74 72 61 2E 63 65 61 2E 66 72      [ testdomain.com]
700: Jun 17 09:06:23.838: RADIUS:  Message-Authenticato[80]  18
701: Jun 17 09:06:23.838: RADIUS:   02 09 C8 4B FC 82 96 B9 61 8A 24 F6 81 4A 0B C2[ Ka$J]
702: Jun 17 09:06:23.846: RADIUS:  Vendor, Cisco       [26]  49
703: Jun 17 09:06:23.846: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=84A8A830000000254EE2CCAB"
704: Jun 17 09:06:23.846: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
705: Jun 17 09:06:23.846: RADIUS:  NAS-Port            [5]   6   5    0
706: Jun 17 09:06:23.846: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/10"
707: Jun 17 09:06:23.846: RADIUS:  NAS-IP-Address      [4]   6   1.1.1.1
708: Jun 17 09:06:23.846: RADIUS: Received from id 1645/16 X.X.X.X:1645, Access-Challenge, len 127
709: Jun 17 09:06:23.846: RADIUS:  authenticator 71 6A C0 FC 82 FE 8A 64 - 22 FA 09 EE 44 33 5A ED
710: Jun 17 09:06:23.846: RADIUS:  State               [24]  81
711: Jun 17 09:06:23.846: RADIUS:   33 37 43 50 4D 53 65 73 73 69 6F 6E 49 44 3D 38  [37CPMSessionID=8]
712: Jun 17 09:06:23.855: RADIUS:   34 41 38 41 38 33 30 30 30 30 30 30 30 32 35 34  [4A8A830000000254]
713: Jun 17 09:06:23.855: RADIUS:   45 45 32 43 43 41 42 3B 33 36 53 65 73 73 69 6F  [EE2CCAB;36Sessio]
714: Jun 17 09:06:23.855: RADIUS:   6E 49 44 3D 67 72 65 78 70 33 31 32 61 64 6D 2F  [nID=MyComputer/]
715: Jun 17 09:06:23.855: RADIUS:   32 35 34 38 33 38 36 35 35 2F 31 38 37 35 3B   [ 254838655/1875;]
716: Jun 17 09:06:23.855: RADIUS:  EAP-Message         [79]  8
717: Jun 17 09:06:23.855: RADIUS:   01 44 00 06 0D 20[ D ]
718: Jun 17 09:06:23.855: RADIUS:  Message-Authenticato[80]  18
719: Jun 17 09:06:23.855: RADIUS:   AF 6F 4C 96 0A 75 CE 3D 4B 4C 7D ED E9 A9 94 48          [ oLu=KL}H]
720: Jun 17 09:06:23.855: RADIUS(000004D5): Received from id 1645/16
721: Jun 17 09:06:23.855: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
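One way to check, on the switch side of the firewall, whether the Access-Accept from ISE actually carries the three attributes the question asks about (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81, RFC 2868): parse the UDP payload of a captured Access-Accept and report which piece of the VLAN assignment is missing. This is an added example, not code from the question, from Cisco or from ISE; the sample packet is constructed inline with a dummy authenticator, so in practice you would feed it the bytes of a real capture taken between ISE and the switch.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # RFC 2868 value for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6  # RFC 2868 value for "IEEE 802"

def parse_attributes(payload):
    """Return [(type, value)] from a RADIUS attribute list; reject malformed lengths."""
    attrs, i = [], 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def strip_tag(value):
    """Drop the RFC 2868 tag byte; a leading byte above 0x1F is data, not a tag."""
    return value[1:] if value and value[0] <= 0x1F else value

def assigned_vlan(packet):
    """Return (vlan, reason): vlan is the Tunnel-Private-Group-ID string, or None with the reason."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])  # raises on a truncated header
    if code != ACCESS_ACCEPT:
        return None, "not an Access-Accept (code %d)" % code
    if length < 20 or length != len(packet):
        return None, "length field %d does not match %d bytes on the wire" % (length, len(packet))
    tunnel = {t: strip_tag(v) for t, v in parse_attributes(packet[20:])
              if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)}
    if len(tunnel) < 3:
        return None, "missing tunnel attribute(s): have %s" % sorted(tunnel)
    if int.from_bytes(tunnel[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
        return None, "Tunnel-Type is not VLAN (13)"
    if int.from_bytes(tunnel[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None, "Tunnel-Medium-Type is not IEEE 802 (6)"
    return tunnel[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"), "ok"

def build_accept(attrs, ident=16):
    """Constructed Access-Accept for testing; the 16-byte authenticator is a dummy, not computed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample: the three attributes expected for VLAN 56, each carrying tag 1.
SAMPLE_WITH_VLAN = build_accept([
    (TUNNEL_TYPE, b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x01" + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"56")])
```

If the check reports a missing attribute on the switch side but ISE's live log shows the authorization profile with the VLAN applied, the firewall or an intermediate device is the place to look; if ISE's own log lacks the attributes, the authorization policy is not selecting that profile.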

Best Answer

I don't know if you've already done this, but you have to go a step further than just creating the Auth profile. You have to apply that auth profile with an auth policy. To create the auth policy, do the following.

Go to Policy / Authorization, Edit – profiles – standard, select your auth profile, click Done, click Save.