2020. 2. 16. 16:26ㆍ카테고리 없음
Switch is S5720-SII have 802.1x working and users are authenticated using RADIUS (Microsoft NPS). Can someone please help in setting up RADIUS for dynamic ACL's. The user will have limited access when unauthenticated with an ACL on the switch but we would like the user to have full internet access when authenticated by downloading an ACL from RADIUS.We have it working with Cisco switches by using the vendor specific attribute Cisco-AV-Pair with value ip:inacl#10=permit ip any any. What is the equivalent with Huawei switches?Thank you. Thank you but I've seen that document previously and it doesn't help with the RADIUS configuration.the vendor-ID for Huawei is 2011,and the specific attribute for the downloadable ACL from the RADIUS server to the users is 26-82.the format as: acl number key1 key-value1.
KeyN key-valueN permit/denythe range of the number is 10000 to 10999key1 dest-ip, dest-ipmask, tcp-srcport, tcp-dstport, udp-srcport, udp-srcport, udp-dstportfor example: acl 10008 dest-ip 10.1.1.1. Dest-ipmask 32 udp-dstport 5555 permit. Cisco switch has a Pre-Auth-ACL applied to each port limiting network access.PC's are all Windows 10 with Microsoft certificates.RADIUS Server has a Network Policy to match Windows PC's in Active Directory Group and correct certificate.This Network Policy has Cisco vendor specific attribute Cisco-AV-Pair with permit ip any anyIf 802.1x match is successful then Cisco switch applies ACL from RADIUS which overwrites the Pre-Auth-ACL on the port giving PC's full network access. This works and is the suggested method by Cisco when unauthenticated hosts require some network access, which ours do. Thank you but I've seen that document previously and it doesn't help with the RADIUS configuration.the vendor-ID for Huawei is 2011,and the specific attribute for the downloadable ACL from the RADIUS server to the users is 26-82.the format as: acl number key1 key-value1.
KeyN key-valueN permit/denythe range of the number is 10000 to 10999key1 dest-ip, dest-ipmask, tcp-srcport, tcp-dstport, udp-srcport, udp-srcport, udp-dstportfor example: acl 10008 dest-ip 10.1.1.1. Dest-ipmask 32 udp-dstport 5555 permit. Thanks, we are getting closer but the host still cannot access the internet after authentication. Please see stripped down config of our switch.
We have a Pre-Auth-ACL on the port limiting access to one subnet. Once authenticated we want the ACL specified in RADIUS using Filter-Id (ACL 3001) to overwrite the Pre-Auth-ACL. Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:. Politically sensitive content. Content concerning pornography, gambling, and drug abuse. Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacyDo not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you.
Dynamic Vlan Assignment Microsoft Nps Radius Login
For details, see '.'
Situation:I am trying to get 802.1X working for me. I want RADIUS server to dynamically assign VLANs to ports based on RADIUS reply attribute for particular user. I have an HP E2620 switch and a FreeRADIUS server.
The supplicant is a Windows 8.1 machineI referred to on freeradius website.What I've done so far:On FreeRADIUS I created a user with such parameters: dot1xtest User-Password:= 'secret'Tunnel-Type = 'VLAN',Tunnel-Medium-Type = 'IEEE-802',Tunnel-Private-Group-ID = '100'I also tried Tunnel-Pvt-Group-ID instead, but it doesn't work on FreeRADIUS, just barks at me (I saw this on resources for configuring on Microsoft NPS, ). Also I tried values '802', 802, 6 for tunnel medium type.Also I tried to use actual VLAN name instead of VLAN-ID as Group ID value. Anyway its datatype is string.I configured the HP switch to use this RADIUS server for AAA and set this up for port 10: aaa port-access gvrp-vlansaaa authentication port-access eap-radiusaaa port-access authenticator 10aaa port-access authenticator 10 auth-vid 150aaa port-access authenticator 10 unauth-vid 200aaa port-access authenticator activeVLANs: VLAN 100 - VLAN which I want to get after authentication.VLAN 150 - VLAN which I get now, because my config is not workingVLAN 200 - Unauthorized VLAN which is used on auth.
FailureNotes:.Port 10 also has untagged VLAN 150 assigned to it: vlan 150 untagged 10. And I can't get rid of the static assignment.All VLANs listed above are present in switch's VLAN database.Whenever I plug into this port it asks me for credentials; after I succeed with authentication it just sends me to VLAN150 and if I try to fail I get to VLAN200.I enabled 802.1X authentication on Windows connection just like described.I tried enabling GVRP - it doesn't change anythingDiagnostic/show command output:Static VLAN assignment for Port 10. Hey, man, thanks! That's much appreciated!
However, I did everything to enable the dot1x on Windows. I notice you chose VLAN 100 as default untagged VLAN on the switchport you're trying to connect to. It works for me that way too. I get an untagged VLAN configured on a switchport when I succeed.
But what If you set untagged VLAN for your port to 1 and try to assign VLAN 100 via RADIUS? Does that work for you? What if I have multiple different users with different Tunnel-Private-Group-Id values?–Sep 5 '14 at 11:09. You need to add the following command:aaa port-access authenticator 10 auth-vid 150This would tell the switch that port 10 will use the auth-vid assigned VLAN for authenticated devices unless it gets a different value from RADIUS. Without this, it will just use the configured port value and ignore any RADIUS provided VLAN assignments.I did some digging and found this tidbit in one of my saved HP docs:If the RADIUS server specifies a VLAN for an authenticated supplicant connected to an 802.1X authenticator port, this VLAN assignment overrides any Authorized-Client VLAN assignment configured on the authenticator port. This is because both VLANs are untagged, and the switch allows only one untagged VLAN membership per-port.
Dynamic Vlan Assignment Microsoft Nps Radius 2017
For example, suppose you configured port 4 to place authenticated suppli- cants in VLAN 20. If a RADIUS server authenticates supplicant “A” and assigns this supplicant to VLAN 50, then the port can access VLAN 50 for the duration of the client session.
When the client disconnects from the port, then the port drops these assignments and uses only the VLAN memberships for which it is statically configured.