Dynamic Vlan Assignment Microsoft Nps Configuration

Situation: I am trying to get 802.1X working for me. I want RADIUS server to dynamically assign VLANs to ports based on RADIUS reply attribute for particular user.
I have an HP E2620 switch and a FreeRADIUS server. The supplicant is a Windows 8.1 machine I referred to on freeradius website.

What I've done so far: On FreeRADIUS I created a user with such parameters:

    dot1xtest User-Password:= 'secret'
        Tunnel-Type = 'VLAN',
        Tunnel-Medium-Type = 'IEEE-802',
        Tunnel-Private-Group-ID = '100'

I also tried Tunnel-Pvt-Group-ID instead, but it doesn't work on FreeRADIUS, just barks at me (I saw this on resources for configuring on Microsoft NPS). Also I tried values '802', 802, 6 for tunnel medium type. Also I tried to use actual VLAN name instead of VLAN-ID as Group ID value. Anyway its datatype is string.

I configured the HP switch to use this RADIUS server for AAA and set this up for port 10:

    aaa port-access gvrp-vlans
    aaa authentication port-access eap-radius
    aaa port-access authenticator 10
    aaa port-access authenticator 10 auth-vid 150
    aaa port-access authenticator 10 unauth-vid 200
    aaa port-access authenticator active

VLANs:

    VLAN 100 - VLAN which I want to get after authentication.
    VLAN 150 - VLAN which I get now, because my config is not working
    VLAN 200 - Unauthorized VLAN which is used on auth. failure

Notes:
Port 10 also has untagged VLAN 150 assigned to it: vlan 150 untagged 10. And I can't get rid of the static assignment. All VLANs listed above are present in switch's VLAN database.
Whenever I plug into this port it asks me for credentials; after I succeed with authentication it just sends me to VLAN150 and if I try to fail I get to VLAN200. I enabled 802.1X authentication on Windows connection just like described. I tried enabling GVRP - it doesn't change anything.

Diagnostic/show command output: Static VLAN assignment for Port 10.
Hey, man, thanks! That's much appreciated! However, I did everything to enable the dot1x on Windows.
I notice you chose VLAN 100 as default untagged VLAN on the switchport you're trying to connect to. It works for me that way too. I get an untagged VLAN configured on a switchport when I succeed. But what if you set untagged VLAN for your port to 1 and try to assign VLAN 100 via RADIUS? Does that work for you? What if I have multiple different users with different Tunnel-Private-Group-Id values?
– Sep 5 '14 at 11:09

You need to add the following command:

    aaa port-access authenticator 10 auth-vid 150

This would tell the switch that port 10 will use the auth-vid assigned VLAN for authenticated devices unless it gets a different value from RADIUS. Without this, it will just use the configured port value and ignore any RADIUS provided VLAN assignments.

I did some digging and found this tidbit in one of my saved HP docs:

If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port.
This is because both VLANs are untagged, and the switch allows only one untagged VLAN membership per-port. For example, suppose you configured port 4 to place authenticated supplicants in VLAN 20. If a RADIUS server authenticates supplicant “A” and assigns this supplicant to VLAN 50, then the port can access VLAN 50 for the duration of the client session. When the client disconnects from the port, then the port drops these assignments and uses only the VLAN memberships for which it is statically configured.
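
An added example, not part of the original question or answer: a small Python check of the three tunnel attributes in an Access-Accept, for confirming what the RADIUS side actually sends before looking at the switch configuration. The attribute numbers and expected values come from RFC 2868 and RFC 3580 rather than from this page, and the sample byte strings are constructed.

```python
# RADIUS attribute numbers and values per RFC 2868 / RFC 3580 (not from the post).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
EXPECTED = {TUNNEL_TYPE: ("Tunnel-Type", 13),                # 13 = VLAN
            TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", 6)}   # 6 = IEEE-802

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value (used to build the samples)."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(payload: bytes) -> dict:
    """Walk the TLV list that follows the 20-byte RADIUS packet header."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length for attribute {atype}")
        attrs.setdefault(atype, payload[i + 2:i + alen])  # keep first occurrence
        i += alen
    return attrs

def vlan_from_accept(payload: bytes):
    """Return (vlan_id_or_None, problems) for an Access-Accept attribute list."""
    attrs, problems = parse_attributes(payload), []
    for atype, (name, want) in EXPECTED.items():
        value = attrs.get(atype)
        if value is None:
            problems.append(f"{name} missing")
        elif len(value) != 4:
            problems.append(f"{name} malformed")
        elif int.from_bytes(value[1:], "big") != want:  # byte 0 is the tag
            problems.append(f"{name} is {int.from_bytes(value[1:], 'big')}, expected {want}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not group:
        problems.append("Tunnel-Private-Group-ID missing")
        return None, problems
    if 0x01 <= group[0] <= 0x1F:   # optional tag byte precedes the string
        group = group[1:]
    vlan = group.decode("ascii", "replace")
    return (vlan if not problems else None), problems

# Constructed samples: a reply carrying all three attributes, and one without
# Tunnel-Medium-Type.
GOOD = attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"100")
BAD = attr(64, b"\x00\x00\x00\x0d") + attr(81, b"100")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, vlan_from_accept(sample))
```

The input is the attribute section of the packet only, i.e. the bytes after the 20-byte RADIUS header in a capture taken between the switch and the server.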