IT Capture

Microsoft NPS as a RADIUS Server for WiFi Networks: Dynamic VLAN Assignment

Configuration Example

Here’s an example of how to configure NPS to assign users to a VLAN based on their user group, using NPS for the authentication and authorization of users. The key to getting this to work is the use of a RADIUS attribute called ‘Tunnel-PVT-Group-ID’. This is a RADIUS attribute that may be passed back to the authenticator (i.e. the WLC or AP) by the authentication server (i.e. NPS) when a successful authentication has been achieved. There are a few other attributes which need to accompany it, but this is the key one, as it specifies the VLAN number that the user should be assigned to. The other attributes that need to be returned by NPS are:

  • Service-Type: Framed
  • Tunnel-Type: VLAN
  • Tunnel-Medium-Type: 802
  • Tunnel-PVT-Group-ID: <VLAN Number>

We’ll have a look at how we specify each of these attributes in an NPS policy. For our example, we’ll assign all ‘staff’ users to VLAN 10 and all ‘student’ users to VLAN 20. Here is an overview of what the network might look like (this is obviously very simplified, but gives an overview of the type of thing that might be achieved):
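The four attributes listed above are what NPS puts on the wire in the Access-Accept. As an added example (not code from the original article), the following Python encodes them the way RFC 2865/2868 lay them out, including the one-byte tag that precedes the tunnel attributes, and then decodes them the way an authenticator would when deciding which VLAN to put the port in. The attribute type numbers and enumerated values (Service-Type 6, Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81; Framed = 2, VLAN = 13, IEEE-802 = 6) are from those RFCs; the fallback to the port’s access VLAN, the 1..4094 range check and the function names are assumptions of this example.

```python
from __future__ import annotations

import struct

# RADIUS attribute type numbers (RFC 2865 / RFC 2868).
SERVICE_TYPE = 6
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Enumerated values used for dynamic VLAN assignment.
SERVICE_TYPE_FRAMED = 2        # Service-Type: Framed
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type: VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type: 802


def _attr(attr_type: int, payload: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte header."""
    if len(payload) > 253:
        raise ValueError("RADIUS attribute payload too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def encode_vlan_accept(vlan_id: int, tag: int = 0) -> bytes:
    """Build the four attributes the authentication server returns for VLAN assignment.

    Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag plus a 3-byte integer;
    Tunnel-Private-Group-ID carries the tag plus the VLAN number as a text string.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    tag_byte = bytes([tag])
    return b"".join([
        _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
        _attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        _attr(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        _attr(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii")),
    ])


def parse_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Walk an attribute list into (type, value) pairs, refusing malformed lengths."""
    attrs: list[tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def _split_tag(value: bytes) -> tuple[int, bytes]:
    """RFC 2868 tag rule for string attributes: a leading byte <= 0x1F is a tag,
    anything larger is already the first character of the string."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def authorized_vlan(data: bytes, access_vlan: int) -> int:
    """Decide, as an authenticator would, which VLAN the port should be placed in.

    Assumption of this example: if the three tunnel attributes are absent, inconsistent,
    or name a VLAN outside 1..4094, the port stays in its configured access VLAN.
    A VLAN *name* in Tunnel-Private-Group-ID is treated as invalid here as well; some
    switches resolve names, this example does not.
    """
    tunnel_type = medium = None
    group_id = None
    for attr_type, value in parse_attributes(data):
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")   # byte 0 is the tag
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            _, group_id = _split_tag(value)
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group_id is None:
        return access_vlan
    try:
        vlan = int(group_id.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return access_vlan
    return vlan if 1 <= vlan <= 4094 else access_vlan


if __name__ == "__main__":
    # Staff -> VLAN 10, students -> VLAN 20, as in the article's example.
    for vlan in (10, 20):
        wire = encode_vlan_accept(vlan)
        print(vlan, wire.hex(), "->", authorized_vlan(wire, access_vlan=1))
```

The decoder deliberately requires all three tunnel attributes to agree before it honours the group ID: a reply carrying only Tunnel-PVT-Group-ID, or one whose medium type is not 802, leaves the port in its access VLAN, which is the safe side of the failure when a policy is half-configured.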

VLAN 10 has an ACL (access control list) that allows users on this VLAN to access all systems across the school network (the ACL would generally be configured on the layer 3 switch or router that interconnects the school VLANs). VLAN 20 has an ACL which only allows access to the learning system VLAN and Internet-related services. By studying the example above, you can see that if we can control a user’s VLAN assignment based on their AD group membership, we can ensure that they only receive the network access to which they are entitled (purely via their AD group membership). Also, note that this is all being done on a single SSID (“School” in this case). Now we’ll take a look at how we achieve this using NPS.

NPS Configuration

To configure NPS to provide the VLAN assignments outlined above, we will create 2 policies within NPS:

  • School Wireless – Staff (to assign members of the staff AD group to VLAN 10)
  • School Wireless – Students  (to assign members of the students AD group to VLAN 20)

The screenshots below outline the configuration required. Here is the policy summary screen within NPS. Note that when configuring multiple policies, the order of the policies is important. Policies are assessed top-down, so make sure the policies that need to be hit are enabled and above any disabled policies.

Staff Policy

1. Create the policy and enable it:

2. Add the NAS type and AD group membership conditions (must be members of the staff group):

3. Select and configure an EAP type (note this may be PEAP or EAP-TLS – we’ve shown PEAP just as an example)

4. Configure the settings for this policy to assign any users which match this policy to VLAN 10:

Students Policy

1. Create the policy and enable it:

2. Add the NAS type and AD group membership conditions: (must be members of the students group to match this policy)

4. Configure the settings for this policy to assign any users which match this policy to VLAN 20:

Once NPS has been configured with policies similar to those shown above, users can be dynamically assigned to an appropriate VLAN based on their AD group membership.  As we’ve already discussed, this provides great benefits in reducing additional overheads associated with multiple SSIDs on a WiFi network. In addition, it simplifies user wireless management by allowing all users to be configured with a single wireless client profile, with their access being configured via Microsoft AD. One caveat to note when trying to use this technique is that all users must be using the same security mechanisms to join the SSID. For instance, all users must be using 802.1x (EAP) – you can’t have a mix of PSK & 802.1x authenticated devices on the same SSID. Generally, they should also be using the same WPA version (i.e. WPA or WPA2).

Networking | Cloud | DevOps | IaC

Network Device Management with RADIUS Authentication using Windows NPS

The technologies used in our scenario today to deploy Network Device Management with RADIUS Authentication using Windows NPS are the following:

  • Microsoft Windows Server 2012 R2: Network Policy Server

Network Equipment

  • HP Aruba 2920
  • Cisco Catalyst 2960
  • Cisco ASA 5505 Firewall

You have heard many say AAA is the best security model for user access and management to network devices. Well, it is and as a good professional practice, securing network devices using the Triple A process meets many best security practices of our day.

Authentication

Authentication is the first process; it provides a way of identifying a user who requires access to a network resource, typically by having the user enter a valid user name and password before access is granted. The process of authentication relies on each user requiring access having a unique set of criteria for gaining the appropriate access desired. The AAA server, which in our case is the Microsoft Network Policy Server, compares a user’s authentication credentials with the user credentials stored in a database, which in our case is Windows Active Directory. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied.

Authorisation

Now that the user has been successfully authenticated, a user must gain authorisation for doing certain tasks. After logging into a network device for instance, the user may try to issue commands. The authorisation process determines whether the user has the authority to issue such commands. Authorisation simply is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorisation occurs within the context of authentication. Once you have authenticated a user, they may be authorised for different types of access or activity.

The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

Authentication, authorisation, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. A current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS), for which we have used the Microsoft NPS server in our deployment.

Network Device Management with RADIUS Authentication using Windows NPS Step by Step Guide.

Step 1: Configure Active Directory Infrastructure

  • Create New Security Group on Active Directory

Add Network Administrators to Group Created

Configure NPS Server : IEEE 802.1X Authentication and Dynamic VLAN Assignment

Step 2: Configure RADIUS Infrastructure

  • RADIUS Clients
  • Connection Request Policies
  • Network Policies

Create RADIUS Client

Create RADIUS Client and Enable RADIUS Standard

Create Network Policy

Create Policy – Conditions

Then, in the Network Policies section, create a new authentication policy. Enter its name, e.g., Network Switch Auth Policy for Network Admins. Create two conditions: in the first one, Windows Groups, specify the domain group whose members can be authenticated (the accounts of the network administrators are in the AD Network Admins group in our example). In the second condition, Authentication Type, select PAP as the authentication protocol.

Then, in the Configure Authentication Methods window, uncheck all authentication types except Unencrypted authentication (PAP, SPAP).

Create Policy Constraints – Authentication Methods

Create Policy Settings – Standard Attributes

  • Framed-Protocol: PPP
  • Service-Type: Administrative

In the Configure Settings window, change the value of the Service-Type attribute to Administrative.

Network Policy Condition

Create Connection Request Policy

Step 3: Configure Network Devices for RADIUS Authentication

For Cisco Devices – Create a Network Policy like the above but additionally include the following setting.

Under Vendor Specific we need to add a Cisco-AV-Pair to tell the router to go to privilege level 15: add “shell:priv-lvl=15” as the Cisco-AV-Pair value and select Next.
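Both this policy and the two wireless policies in the first article above depend on how NPS walks its Network Policies: top-down, skipping disabled ones, stopping at the first enabled policy whose conditions all hold, and returning that policy’s settings. As an added example (not the page’s own code and not NPS’s implementation, which also evaluates Connection Request Policies first), the following Python models just that evaluation for the policies described on this page. The policy names and group names are the ones the two articles use; the disabled catch-all at the top, the “Cisco-AV-Pair” settings key and the NAS Port Type strings are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """The parts of an Access-Request that the conditions below look at."""
    user: str
    groups: frozenset[str]     # AD group memberships as NPS resolves them
    auth_type: str             # "EAP" for 802.1X, "PAP" for switch/router logins
    nas_port_type: str         # e.g. "Wireless - IEEE 802.11", "Virtual (VPN)"


@dataclass
class Policy:
    name: str
    enabled: bool
    windows_groups: frozenset[str] = frozenset()   # Windows Groups: user in ANY listed group
    auth_type: str | None = None                   # Authentication Type; None = condition not set
    nas_port_type: str | None = None               # NAS Port Type; None = condition not set
    settings: dict[str, str] = field(default_factory=dict)   # attributes returned on match

    def matches(self, req: Request) -> bool:
        """Every configured condition must hold (NPS ANDs a policy's conditions)."""
        if self.windows_groups and not (self.windows_groups & req.groups):
            return False
        if self.auth_type is not None and self.auth_type != req.auth_type:
            return False
        if self.nas_port_type is not None and self.nas_port_type != req.nas_port_type:
            return False
        return True


def evaluate(policies: list[Policy], req: Request) -> tuple[str, dict[str, str]] | None:
    """First enabled policy, top-down, whose conditions match; None means Access-Reject."""
    for policy in policies:
        if policy.enabled and policy.matches(req):
            return policy.name, dict(policy.settings)
    return None


WIFI = "Wireless - IEEE 802.11"
VLAN_BASE = {"Service-Type": "Framed", "Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802"}

# Constructed policy list mirroring the two articles: a disabled catch-all on top
# (never hit), the two wireless VLAN policies, then the PAP policy for network admins.
POLICIES = [
    Policy("Old catch-all (disabled)", enabled=False, settings={"Service-Type": "Framed"}),
    Policy("School Wireless - Staff", True, frozenset({"staff"}), "EAP", WIFI,
           {**VLAN_BASE, "Tunnel-Pvt-Group-ID": "10"}),
    Policy("School Wireless - Students", True, frozenset({"students"}), "EAP", WIFI,
           {**VLAN_BASE, "Tunnel-Pvt-Group-ID": "20"}),
    Policy("Network Switch Auth Policy for Network Admins", True,
           frozenset({"Network Admins"}), "PAP", None,
           {"Service-Type": "Administrative", "Cisco-AV-Pair": "shell:priv-lvl=15"}),
]


if __name__ == "__main__":
    for req in (Request("alice", frozenset({"staff"}), "EAP", WIFI),
                Request("bob", frozenset({"students"}), "EAP", WIFI),
                Request("carol", frozenset({"staff", "students"}), "EAP", WIFI),
                Request("dave", frozenset({"Network Admins"}), "PAP", "Virtual (VPN)"),
                Request("eve", frozenset({"students"}), "PAP", "Virtual (VPN)")):
        print(req.user, "->", evaluate(POLICIES, req))
```

Two things the model makes visible: a user in both groups gets whichever policy is higher in the list (carol lands in the staff VLAN because that policy comes first), and a student trying a PAP login to a switch is rejected because no enabled policy has matching conditions, which is exactly why the admin policy should keep its Windows Groups condition rather than rely on Authentication Type alone.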

Configuring AAA on Cisco IOS

Configuring AAA for Cisco ASA

Configuring AAA on HP Aruba 2920 Switch

Enable and Specify RADIUS Authentication Server

Enable SSH Login via RADIUS

Enable Web Login via RADIUS

Enable Authentication and Accounting Parameters

PS: The following command is what gets everything working; without it, you will get the error below:

Access denied: no user’s authorization info supplied by the RADIUS server

Golden Command to allow SSH Sessions to Switch

Verify and Troubleshoot

Check Switch RADIUS Authentication

Check Recent SSH Logins

On Microsoft NPS Server 2012 R2 – Launch Events Viewer

Check Authentication Informational Log Reporting

Check Event Logs

I hope you have enjoyed this article on Network Device Management with RADIUS Authentication using Windows NPS.

Segmenting Your Network with Dynamic VLAN

What is Dynamic VLAN?

VLANs (Virtual Local Area Networks) enable segmentation of the main organizational network. In practice, VLANs allow network administrators to keep devices and network resources separated despite being connected to the same physical network.

Dynamic VLAN assignment separates and isolates devices into different network segments based on the device or user authorization and their characteristics. The flow of traffic between those VLANs is governed by a firewall or another routing device which can then enforce specific network access rules.

Why Use Dynamic VLANs?

Segmenting the network is a security best practice, and in some cases is even a regulatory requirement – such as with PCI. Network segmentation is a measure that improves the effectiveness of all the current investments in other security tools, and can by itself help to prevent significant damage to critical organizational data across the network after a company has been breached.

Automating VLAN assignments and eliminating the need for manual intervention has historically been a challenge for network security teams. Today, automatic VLAN assignment is best implemented by the use of a RADIUS service, which functions as follows:

  • A device connects to one of the network access layers: a wired Ethernet switch port or a WiFi SSID
  • The network access layer sends a request to the RADIUS server with the user’s credentials or certificate (using 802.1X)
  • The RADIUS server sends a reply containing attributes that tell the switch or access point which VLAN the device belongs in, resulting in the proper VLAN assignment

Common Dynamic VLAN Assignment Use Cases

Network and security administrators most commonly encounter these use cases for dynamic VLAN assignment:

  • The Sales & Marketing department does not need access to R&D resources, while R&D should not have access to Finance Department resources. Using dynamic VLANs, each department is placed in the correct VLAN with the required access.
  • Devices that fail to authenticate due to wrong credentials or an incorrect/expired certificate are placed in a quarantine VLAN with Internet access only.
  • IP phones use a dedicated voice VLAN and should be placed on that VLAN upon successful authentication.
  • Devices that do not support 802.1X and are admitted by MAC authentication bypass should be placed in their own dedicated VLAN.
  • Devices that fail posture assessment (such as those without updated antivirus) should be placed in a quarantine VLAN with limited access.
  • Employees connecting to one single WiFi SSID get different access (VLANs) based on their LDAP groups in the authentication repository.

Dynamic VLAN Assignment with Portnox CLEAR

As mentioned earlier, the implementation of dynamic VLAN assignment has often been challenging for organizations since additional servers were needed on-site at the datacenter. This forced network teams to manage redundancies, complex configurations, and on-going maintenance.

To paint a clearer picture of this headache, consider this:

Take the case of connecting a new department, branch, or merely onboarding a lot of new employees at once…this can cause a surge in demand, which will in turn cause the whole network to “shutdown,” thus not accepting anyone who tries to connect.

Portnox CLEAR  is a network access control solution, deployed as a cloud service, that provides all the mentioned use cases and more. CLEAR simplifies the implementation process of dynamic VLAN assignment. CLEAR allows you to easily set-up a cloud RADIUS server in a single click, and integrate with various authentication repositories like on-premise Active Directory, Azure AD, GSuite, OKTA. Plus, you can enforce your own unique access control policy to dynamically assign users to their respective VLANs.

In addition to VLAN assignment based on credentials authorization, CLEAR also allows you to implement dynamic VLAN assignment based on risk violation. This means that even devices that have authenticated successfully to the wired or wireless network can be dynamically moved to a dedicated VLAN if they fall out of compliance.

[Diagram: dynamic VLAN assignment in Portnox CLEAR]

In the diagram above:

  • PCs are dynamically assigned to the VLAN based on their credentials/certificate.
  • IP Phones are assigned to the VOIP VLAN.
  • Printers are assigned to the printers VLAN.
  • Guests devices assigned to the internet-only access/quarantine VLAN.

How it Works – Setting up Dynamic VLAN Assignment in Portnox CLEAR:

1. Enable Cloud RADIUS

In the CLEAR portal, create your one-click cloud RADIUS server: go to Settings > Services > CLEAR RADIUS Service, and add your RADIUS service instance:

[Screenshot: cloud RADIUS service in Portnox CLEAR]

Then point your network equipment (wired switches and/or wireless controllers) at these CLEAR RADIUS service details.

2. Creating an Access Control Policy – Dynamic VLAN Assignment:

In Policies > Access Control Policies , add or edit your existing access control policy, select the required access layer and add the correct VLAN ID or VLAN name for each event you want to create dynamic VLAN assignment for: successful authentication, authentication violation, risk assessment, blocked by admin. Then, map the access control policy to the relevant groups and users.

[Screenshot: setting an access control policy with Portnox CLEAR]

Network Guys

How to use 802.1x/mac-auth and dynamic VLAN assignment

Hello guys! Today I want to show you how to secure your edge-switches with 802.1x and mac-authentication fallback in combination with HPE comware-based switches. The 802.1x protocol is used for network access control. For devices like printers, cameras, etc. we will use mac-authentication as a fallback. We will also use dynamic VLAN assignment for the connected ports.

Our radius server will be Microsoft NPS. You can activate this role on the Windows server:

After the installation, open the NPS console and register the radius server in your Active Directory:

Add your switches or your management network as a RADIUS client:

The shared secret will be used in the switch configuration. I created two groups within my test environment:

  • “ VLAN2-802.1x ” containing computer accounts
  • “ VLAN3-MAC-Auth ” containing user accounts (username+password = mac-address of the device)

So we will now configure two network policies for our network access control:

I also configured a NAS Identifier so no other device can use the radius server. The clients will use their computer certificate so you will need a running internal certification authority. Choose PEAP only as the authentication method:

The next step is for our dynamic VLAN assignment. Dot1x devices are bound to VLAN 2:

The final dot1x configuration in the NPS:

The second network policy is for the MAC-based authentication:

Comware switches send MAC-Auth requests via PAP (maybe you know how to change it to CHAP):

Final MAC auth profile:

For now we have built up our authentication server. Now let’s go to the switch configuration. You have global configuration parameters and parameters for each interface. The best way is to use the interface-range command to keep your configuration consistent. Users who can’t authenticate will be forced to VLAN 999 (quarantine VLAN with no gateway). Here are the global parameters with explanations inline:

Now we will configure the interfaces:

the last part is to configure all windows clients to send 802.1x auth data to the cable network. I’ve done this via a global group policy. You can find the settings under Computer Configuration / Policies / Windows Settings / Security Settings / Wired Network (IEEE 802.3) Policies:

So what does a working 802.1x authentication look like?

%Jan 3 01:59:59:531 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/10-MACAddr=0023-2415-42a3-AccessVLANID=1- AuthorizationVLANID=2 -Username= host/PC123.mycompany.local ; User passed 802.1X authentication and came online.

Successful Mac-Authentication of a printer:

%Jan 3 01:31:28:782 2013 de-pad-l19-edg01 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/9-MACAddr=0017-c82d-e9bf-AccessVLANID=1- AuthorizationVLANID=3 -Username= 0017c82de9bf -UsernameFormat=MAC address; User passed MAC authentication and came online.
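The two log lines above carry everything needed to check that the NPS policies did what they were meant to: the method (DOT1X or MACA), the port, the MAC, and the VLAN the switch was told to authorize. As an added example, not code from the post, the following Python parses that Comware line format and flags sessions that ended up in the wrong VLAN for their method (dot1x -> VLAN 2, MAC auth -> VLAN 3, as configured in the post). The first two sample lines are the ones quoted above; the third is constructed in the same format (switch name and MAC invented) to show a MAC-authenticated device landing in the 802.1X VLAN, which typically points at a policy ordering or condition problem on the NPS side. The expectation that 802.1X usernames are host/ computer accounts is an assumption taken from the post’s group design.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the two success lines quoted in the post, plus one constructed line
# (edge-switch-02, MAC 0017-c82d-aaaa) in which a MAC-auth device gets VLAN 2.
SAMPLE_LOG = """\
%Jan 3 01:59:59:531 2013 edge-switch-01 DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/10-MACAddr=0023-2415-42a3-AccessVLANID=1- AuthorizationVLANID=2 -Username= host/PC123.mycompany.local ; User passed 802.1X authentication and came online.
%Jan 3 01:31:28:782 2013 de-pad-l19-edg01 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/9-MACAddr=0017-c82d-e9bf-AccessVLANID=1- AuthorizationVLANID=3 -Username= 0017c82de9bf -UsernameFormat=MAC address; User passed MAC authentication and came online.
%Jan 3 02:05:10:004 2013 edge-switch-02 MACA/6/MACA_LOGIN_SUCC: -IfName=GigabitEthernet1/0/11-MACAddr=0017-c82d-aaaa-AccessVLANID=1- AuthorizationVLANID=2 -Username= 0017c82daaaa -UsernameFormat=MAC address; User passed MAC authentication and came online.
"""

LINE_RE = re.compile(
    r"^%(?P<ts>\S+ \d+ [\d:]+ \d{4}) (?P<switch>\S+) (?P<module>DOT1X|MACA)/\d+/(?P<event>\w+): "
    r"-IfName=(?P<ifname>.+?)-MACAddr=(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"-AccessVLANID=(?P<access_vlan>\d+)-\s*AuthorizationVLANID=(?P<auth_vlan>\d+)"
    r"\s*-Username=\s*(?P<user>\S+)"
)

# Authorization VLAN each method should receive, per the post's two NPS policies.
EXPECTED_VLAN = {"dot1x": 2, "mac": 3}


@dataclass(frozen=True)
class AuthEvent:
    switch: str
    ifname: str
    mac: str
    method: str        # "dot1x" or "mac"
    access_vlan: int
    auth_vlan: int
    user: str


def parse_line(line: str) -> AuthEvent | None:
    """Parse one Comware login-success line; anything else returns None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("event").endswith("LOGIN_SUCC"):
        return None
    return AuthEvent(
        switch=m.group("switch"),
        ifname=m.group("ifname"),
        mac=m.group("mac"),
        method="dot1x" if m.group("module") == "DOT1X" else "mac",
        access_vlan=int(m.group("access_vlan")),
        auth_vlan=int(m.group("auth_vlan")),
        user=m.group("user"),
    )


def parse_log(text: str) -> list[AuthEvent]:
    """Parse a whole log, silently skipping lines that are not login-success events."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def anomalies(events: list[AuthEvent]) -> list[str]:
    """Report sessions whose authorized VLAN does not match the policy for their method.

    A MAC-auth device in the 802.1X VLAN (or the reverse) usually means the request
    matched the wrong NPS policy, so the isolation the VLAN design promises is not there.
    """
    findings = []
    for ev in events:
        expected = EXPECTED_VLAN[ev.method]
        if ev.auth_vlan != expected:
            findings.append(
                f"{ev.switch} {ev.ifname} {ev.mac}: {ev.method} session authorized into VLAN "
                f"{ev.auth_vlan}, expected {expected} (user {ev.user})"
            )
        # Assumption: the 802.1X policy group holds computer accounts only, so its
        # usernames are machine names in host/ form.
        if ev.method == "dot1x" and not ev.user.startswith("host/"):
            findings.append(f"{ev.switch} {ev.ifname}: 802.1X login by non-computer account {ev.user}")
    return findings


if __name__ == "__main__":
    for finding in anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

Failed authentications are not covered here: on this design the switch puts those ports into VLAN 999 locally, so no AuthorizationVLANID from RADIUS appears, and they are logged as different events.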

I tried to draw a flow chart which shows the authentication process, I hope it’s ok for you :)

Do you have questions? Feel free to write them into the comments and I will try to answer.

Have a nice and sunny day!

/edit: If you can’t see success and failure events, follow this instruction:  NPS / Radius Server is not logging

/edit 2018-05-14: I corrected the global and interface configuration, we had problems with the old configuration

12 Responses

Thanks for this, I need to setup dynamic VLAN assignment in the near future but for Juniper equipment.

This at least gives me a good starting point, thanks for the write up.

Many thanks for the perfect tutorial on How to use 802.1x/Mac-Auth and dynamic VLAN assignment. Many of us can take help from it. Really nice.

Nice write-up. This was a great starting point for configuring the base for dynamic polices. Thanks!

hi Mike, how’s about hybrid port with voice-vlan? does it work?

thanks Tung Duong

we had several problems with this config, currently we are investigating hybrid ports with “port security” command. I will update this post if we have proved this version.

Can you tell me why I would do this over conventional static VLANs? What are the benefits radius dynamic VLANs?

we have customers which want to divide the network for clients, printers and “special devices”. So you have different group/radius-policies to directly place the devices in the right VLAN. Dynamic VLAN is only a bonus feature which you can use. Of course, you can use only the 802.1x and Mac authentication for security purpose.

I’m on the desktop side of things, so apologies if I use any incorrect terminology here.

Our Infrastructure team are looking at introducing 8021x in our schools. They have a test setup where all 8021x devices pick up a data centre VLAN regardless of which building they’re in – eg 10.100.50.

Each building WIRED has its own unique IP – SchoolA=10.120, SchoolB = 10.130 and so on.

I’ve asked if the 8021x setup can be where 8021x devices in SchoolA will get 10.120.50; SchoolB will get 10.130.50

This would allow us to easily determine which building LaptopA actually is, in the same way as we can with our wired desktops. It also saves on SCCM boundary issues causing applications/updates to be pulled over the WAN rather than the LAN.

It’s been suggested that this may not be possible. Could someone confirm this?

Thanks in advance.

Hello! This is of course possible!

My idea (with examples):

SchoolA=10.120 (Location: Chicago) SchoolB=10.130 (Location: Dallas)

So at Chicago you will have VLAN 333, every device is getting an IP address with 10.120.x.x. At Dallas every device in VLAN 333 is getting an IP address with 10.130.x.x. So the VLAN ID “333” is the same at every school but the DHCP scope and default gateway has its own address. So the device is getting the VLAN 333 at every location but another IP address. It’s very simple.

It’s not working if all schools are connected via Layer2 so VLAN333 can’t be a “standalone VLAN” at each geographical location.

Ask me any questions, I will try to help you.


Security Configuration Guide, Cisco IOS XE 17.14.x (Catalyst 9500 Switches)

Chapter: IEEE 802.1X VLAN Assignment

The IEEE 802.1X VLAN Assignment feature is automatically enabled when IEEE 802.1X authentication is configured for an access port, which allows the RADIUS server to send a VLAN assignment to the device port. This assignment configures the device port so that network access can be limited for certain users.

Prerequisites for IEEE 802.1X VLAN Assignment

The following tasks must be completed before implementing the IEEE 802.1X VLAN Assignment feature:

  • IEEE 802.1X must be enabled on the device port.
  • The device must have a RADIUS configuration and be connected to a RADIUS server such as the Cisco Secure Access Control Server (ACS). You should understand the RADIUS protocol and know how to create and apply access control lists (ACLs).
  • EAP support must be enabled on the RADIUS server.
  • The IEEE 802.1X supplicant must be configured to send an EAP-Logoff (Stop) message to the switch when the user logs off. If it is not, no EAP-Logoff message is sent to the switch and the accompanying accounting Stop message is not sent to the authentication server. For Windows supplicants, see the Microsoft Knowledge Base article at http://support.microsoft.com and set the SupplicantMode registry value to 3 and the AuthMode registry value to 1.
  • Authentication, authorization, and accounting (AAA) must be configured on the port for all network-related service requests, and the authentication method list must be enabled and specified. A method list describes the sequence of authentication methods to be queried to authenticate a user. See the IEEE 802.1X Authenticator feature module for details.
  • The port must be successfully authenticated.

Restrictions for IEEE 802.1X VLAN Assignment

The IEEE 802.1X VLAN Assignment feature is available only on Cisco 89x and 88x series Integrated Services Routers (ISRs) that support switch ports.

The following ISR-G2 routers are supported:

The following cards or modules support switch ports:

  • Enhanced High-speed WAN interface cards (EHWICs) with ACL support: EHWIC-4ESG-P, EHWIC-9ESG-P
  • High-speed WAN interface cards (HWICs) without ACL support: HWIC-4ESW-P, HWIC-9ESW-P

The IEEE 802.1X VLAN Assignment feature is available only on a switch port.

The device port is always assigned to the configured access VLAN when any of the following conditions occurs:

  • No VLAN is supplied by the RADIUS server.
  • The VLAN information from the RADIUS server is not valid.
  • IEEE 802.1X authentication is disabled on the port.
  • The port is in the force-authorized, force-unauthorized, unauthorized, or shutdown state.

Assignment to the configured access VLAN prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error. Examples of configuration errors include the following:

  • A nonexistent or malformed VLAN ID
  • Attempted assignment to a voice VLAN ID

Further restrictions:

  • When IEEE 802.1X authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
  • If multihost mode is enabled on an IEEE 802.1X port, all hosts are placed in the same VLAN (the one specified by the RADIUS server) as the first authenticated host.
  • If an IEEE 802.1X port is authenticated and placed in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect.
  • This feature does not support standard ACLs on the switch port.

Information About IEEE 802.1X VLAN Assignment

The AAA authorization feature is used to determine what a user can and cannot do. When AAA authorization is enabled, the network access server uses information retrieved from the user profile that is located either in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.

Device ports support IEEE 802.1X authentication with VLAN assignment. After successful IEEE 802.1X authentication of a port, the RADIUS server sends the VLAN assignment to configure the device port.

The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the supplicant connected to the device port.

How to Configure IEEE 802.1X VLAN Assignment

Enabling AAA Authorization for VLAN Assignment

AAA authorization limits the services available to a user. When AAA authorization is enabled, the device uses information retrieved from the user's profile, held in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.

Specifying an Authorized VLAN in the RADIUS Server Database

RFC 2865 defines the Vendor-Specific attribute (attribute 26) as the method for carrying vendor-specific information between the device and the RADIUS server. Vendor-specific attributes (VSAs) let vendors support their own extended attributes that are not suitable for general use, and the Cisco RADIUS implementation supports one vendor-specific option using the format recommended in that specification. The VLAN assignment itself does not use a VSA, however: it is carried in the standard IETF tunnel attributes defined in RFC 2868, which you must configure in the RADIUS server database and which the server must return to the device in the Access-Accept:

  • [64] Tunnel-Type = VLAN
  • [65] Tunnel-Medium-Type = 802
  • [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (integer 13). Attribute [65] must contain the value 802 (integer 6, IEEE-802). Attribute [81] carries the VLAN name or VLAN ID assigned to the IEEE 802.1X-authenticated user; if that value does not match a VLAN the device knows, the port stays in its configured access VLAN, as described under the restrictions above.
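The attribute triple above is everything the switch relies on when it moves a port, so it is worth seeing both halves of the exchange. The following is an added example, not Cisco or Microsoft code: it encodes the three RFC 2868 attributes the way an authentication server returns them in an Access-Accept, verifies the Response Authenticator that binds the reply to the Access-Request under the shared secret, and then applies the authenticator-side rules from the restrictions above (fall back to the configured access VLAN when the attributes are missing, name the wrong tunnel type or medium, name a VLAN the switch does not have, or name the voice VLAN). The shared secret, Request Authenticator, VLAN database and packets are all constructed for the demo, and the rule that the three attributes must carry the same tag is this example's reading of RFC 2868, not a documented Cisco behaviour.

```python
"""RFC 2868 tunnel attributes in a RADIUS Access-Accept, built as a server (NPS, ISE,
ACS) returns them and applied as an 802.1X authenticator does. Added example; all data constructed."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2                                                      # RFC 2865 code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 attributes
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6                       # values "VLAN", "802"

def _attr(code: int, value: bytes) -> bytes:
    """TLV encoding; the length octet includes the two header octets (value <= 253)."""
    return struct.pack("!BB", code, len(value) + 2) + value

def _tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by three value octets."""
    return bytes([tag]) + value.to_bytes(3, "big")

def build_vlan_attrs(vlan: str, tag: int = 1) -> bytes:
    """The three attributes a policy returns for a VLAN name or VLAN ID."""
    return (_attr(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode("ascii")))

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> Optional[bytes]:
    """Attribute bytes of an Access-Accept produced under our shared secret for this
    Access-Request, or None if the reply is malformed, foreign or forged."""
    if len(pkt) < 20 or pkt[0] != ACCESS_ACCEPT or int.from_bytes(pkt[2:4], "big") != len(pkt):
        return None
    attrs = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest()
    return attrs if hmac.compare_digest(expected, pkt[4:20]) else None

def parse_attrs(attrs: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        out.append((attrs[i], attrs[i + 2:i + attrs[i + 1]]))
        i += attrs[i + 1]
    return out

def select_vlan(attrs: bytes, access_vlan: int, vlan_db: Dict[str, int],
                voice_vlan: Optional[int] = None) -> int:
    """Use the server's VLAN only if all three attributes are present, say VLAN over
    IEEE 802, share a tag and resolve to a data VLAN the switch knows; else fall back."""
    found: Dict[int, Tuple[int, object]] = {}
    for code, value in parse_attrs(attrs):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[code] = (value[0], int.from_bytes(value[1:], "big"))
        elif code == TUNNEL_PRIVATE_GROUP_ID and value:
            # The tag octet is optional: a leading octet above 0x1F is already data.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[code] = (tag, text.decode("ascii", "replace"))
    if len(found) != 3:
        return access_vlan                  # no complete VLAN supplied
    if (found[TUNNEL_TYPE][1], found[TUNNEL_MEDIUM_TYPE][1]) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802):
        return access_vlan                  # wrong tunnel type or medium
    if len({t for t, _ in found.values() if t}) > 1:
        return access_vlan                  # tags do not group the three attributes (example's rule)
    group = str(found[TUNNEL_PRIVATE_GROUP_ID][1])
    vlan = (int(group) if int(group) in vlan_db.values() else None) if group.isdigit() else vlan_db.get(group)
    if vlan is None or vlan == voice_vlan:
        return access_vlan                  # nonexistent, malformed or voice VLAN
    return vlan

def demo() -> Dict[str, int]:
    """Round-trip constructed server replies through the checks above."""
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    vlan_db = {"staff": 10, "students": 20, "voice": 30}      # constructed switch VLAN database
    cases = {
        "staff-by-name": build_vlan_attrs("staff"),
        "students-by-id": build_vlan_attrs("20"),
        "nonexistent-vlan": build_vlan_attrs("99"),
        "voice-vlan": build_vlan_attrs("voice"),
        "no-vlan": b"",
        "wrong-medium": _attr(TUNNEL_TYPE, _tagged_int(1, TUNNEL_TYPE_VLAN))
        + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(1, 1))        # medium 1 = IPv4, not 802
        + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01staff"),
    }
    results = {}
    for name, attrs in cases.items():
        pkt = build_access_accept(7, req_auth, secret, attrs)
        verified = verify_access_accept(pkt, req_auth, secret)
        assert verified is not None
        results[name] = select_vlan(verified, 999, vlan_db, voice_vlan=30)
    return results

if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case:17s} -> VLAN {vlan}")
```

Run it as a script to see which VLAN each constructed reply lands in; the first two cases resolve to VLANs 10 and 20, the rest fall back to the access VLAN (999 here). The security point the page leaves implicit is visible in verify_access_accept: an authenticator will move a port into any data VLAN the server names, and the only thing distinguishing a genuine Access-Accept from one injected on the path is the MD5 Response Authenticator keyed with the shared secret, so the secret and the RADIUS transport (RadSec, or an isolated management network) are part of the VLAN boundary.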

Configuration Examples for IEEE 802.1X VLAN Assignment

The following example shows how to enable AAA Authorization for VLAN assignment:

The following example shows how to enable 802.1X authentication on a device:

The following show dot1x command output shows that 802.1X authentication has been configured on a device:

Standards and RFCs

Technical assistance.

Feature History for IEEE 802.1X VLAN Assignment

This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.

Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn .

Cisco Meraki Documentation

IPv6 Support on MX Security & SD-WAN Platforms [Core Fundamentals]


Note: IPv6 is an ongoing cross-product initiative for Meraki. As IPv4 addresses are being exhausted and more hosts such as IoT devices require addressing, IPv6 provides a new structure to accommodate a larger number of hosts.

This article describes general information on IPv6 support on MX Security & SD-WAN Platforms. For more information on compatible devices, please see the IPv6 Device Compatibility documentation.

Overview 

This document describes the IPv6 functionality and configuration available on the MX Security & SD-WAN Platforms. It will include information such as: supported MX and teleworker models, minimum firmware, and how to configure and use IPv6 on a network.

  • MX cannot currently function in a native IPv6-only environment. It is recommended that dual-stack is implemented in order to leverage IPv6 functionality and management.
  • High-availability (HA) and template deployments are not supported at this time.
  • If a feature or functionality is not mentioned in this article, it is not yet supported for IPv6.

Minimum Firmware

MX 17.5+ firmware is required for IPv6 functionality on MX Security & SD-WAN Platforms.

Supported Models

  • Z3, Z3C, MX64, MX64W, MX65, MX65W, MX67, MX67W, MX67C, MX68, MX68W, MX68CW, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX450.
  • All current MX/Z models listed on the Meraki website.
  • Passthrough mode/One-Arm Concentrator mode currently only supports DHCPv6-NA, SLAAC or static IP address assignment for IPv6 on the WAN interface (including vMX-S/M/L platforms).
  • For cellular support, only the MX67C and MX68CW integrated cellular models are supported.

Terminologies

DHCPv6 IA_NA (aka DHCPv6-NA)  - Dynamic Host Configuration Protocol for IPv6 used to assign Global IPv6 addresses

DHCPv6-PD - Dynamic Host Configuration Protocol for IPv6 Prefix Delegation is used to assign network prefixes from an ISPs DHCPv6 server to customer’s edge routers

SLAAC - Stateless Address Autoconfiguration

PPPoE - Point-to-Point Protocol over Ethernet

Origin - The source (a WAN uplink or manual configuration) from which an IPv6 prefix is assigned, and via which traffic for that prefix is routed

GUA - Global Unicast Address

ULA - Unique Local Address

Independent Prefix - Provider Independent address space

Prefix shortage - Refers to Prefix Starvation and this occurs when the MX detects it does not have enough prefixes from a given WAN or manual configuration to assign a /64 prefix to each IPv6 enabled VLAN
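To make the prefix shortage condition concrete, here is an added example (not Meraki code) that carves one /64 per IPv6-enabled VLAN out of a list of delegated prefixes in the order given, reports which VLANs are left without a prefix, and computes the shortest delegation that would cover a given VLAN count. The prefixes and VLAN names are constructed from the 2001:db8::/32 documentation range, and the first-fit allocation order is this example's choice, not a description of how the MX allocates.

```python
"""Carve one /64 per IPv6-enabled VLAN out of delegated prefixes and report
prefix shortage. Added example, not Meraki code; prefixes are constructed
from the 2001:db8::/32 documentation range."""
import ipaddress
from typing import Dict, Iterator, List, Optional

def _sixty_fours(delegated: List[str]) -> Iterator[ipaddress.IPv6Network]:
    """Yield /64s from each delegated prefix in turn, lazily (a /48 holds 65536)."""
    for text in delegated:
        net = ipaddress.IPv6Network(text)
        if net.prefixlen <= 64:        # a /96 or /128 from the WAN cannot host a LAN /64
            yield from net.subnets(new_prefix=64)

def assign_vlan_prefixes(delegated: List[str], vlans: List[str]) -> Dict[str, Optional[str]]:
    """First-fit: each VLAN takes the next free /64; None marks a starved VLAN."""
    pool = _sixty_fours(delegated)
    out: Dict[str, Optional[str]] = {}
    for vlan in vlans:
        net = next(pool, None)
        out[vlan] = str(net) if net is not None else None
    return out

def starved_vlans(assignment: Dict[str, Optional[str]]) -> List[str]:
    """VLANs that received no prefix: the prefix shortage (starvation) condition."""
    return [vlan for vlan, prefix in assignment.items() if prefix is None]

def prefix_length_needed(vlan_count: int) -> int:
    """Longest (i.e. smallest) delegation that still holds one /64 per VLAN."""
    if vlan_count < 1:
        raise ValueError("need at least one VLAN")
    return 64 - (vlan_count - 1).bit_length()

if __name__ == "__main__":
    delegated = ["2001:db8:a::/62", "2001:db8:b::/128"]   # constructed: four /64s plus a useless /128
    vlans = ["Corp", "Guest", "IoT", "Voice", "Mgmt"]
    result = assign_vlan_prefixes(delegated, vlans)
    for vlan, prefix in result.items():
        print(f"{vlan:6s} {prefix or 'PREFIX SHORTAGE'}")
    print("starved:", starved_vlans(result), "- ask the ISP for a /%d" % prefix_length_needed(len(vlans)))
```

With a /62 and five VLANs the fifth VLAN is starved; a /61 (eight /64s) is the smallest delegation that covers all five, which is what prefix_length_needed reports.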

Feature set

All major functionality and configuration topics are broken down in their respective documentation.

WAN - Currently, MX Security & SD-WAN Platforms support the following WAN addressing modes:

  • Auto (DHCP6)
  • Auto (Stateless)
  • PPPoE (Stateless)
  • PPPoE (Static)
  • Manual (Static)
  • Cellular (Stateless)

LAN - Dual-stack LAN operations complemented by WAN simplicity. Currently, MX Security & SD-WAN Platforms support the following LAN features:

  • Auto (DHCPv6-PD)
  • Manual Prefixes (Auto delegation)
  • Manual Prefixes (VLAN override)
  • Cellular (with ULA and NAT)
  • Dynamic VLAN Objects
  • Link-Local and SNMC Visibility
  • Recursive DNS Server (RDNSS)

Routing - Dual-stack routing operations. Currently, MX Security & SD-WAN Platforms support the following routing features:

  • Uplink Selection
  • Dynamic routing for VPN concentrator mode
  • Static Routes
  • Global Addresses
  • Link Local Addresses

VPN - Meraki AutoVPN dual-stack operations. Currently, MX Security & SD-WAN Platforms support the following VPN features:

  • One-Arm / Passthrough Mode
  • Non-Meraki VPN
  • AnyConnect VPN

Firewall Rules - Layer 3 dual-stack firewall operations. Currently, MX Security & SD-WAN Platforms support the following firewall features:

  • Layer 3 Inbound Firewall Rules
  • Layer 3 Outbound Firewall Rules
  • Layer 3 Cellular Failover and Inbound Cellular Firewall Rules
  • Organization-wide Layer 3 Site-to-site VPN Outbound Firewall Rule

  • Advanced Malware Protection (AMP)
  • Threat Grid

Monitoring and Reporting - Dual-stack visibility with monitoring and reporting tools. Currently, MX Security & SD-WAN Platforms support the following monitoring and reporting tools:

  • IPv6 Prefix table
  • Route Table
  • AutoVPN participants table
  • Client Tracking
  • Addressing/VLAN updates
  • Prefix starvation
  • Enhanced Route Table Page
  • MX Uplink Loss and Latency

Local Status Page - Dual-stack local device management. Currently, MX Security & SD-WAN Platforms support the following local status page features:

Upgrade and Rollback behaviours

Downgrading firmware to MX 16 and prior removes all IPv6 configuration and information from the network. Hence, once the network is upgraded to MX 17.3 or higher again, all previously set IPv6 configurations are lost. Prior to the downgrade, you will see a firmware downgrade warning on the Firmware Upgrades page and a warning banner at the top of the Dashboard view on the Firewall page.

Monitoring:

The following Dashboard API endpoints cover IPv6 prefix delegation, uplink settings and VLAN configuration. The first returns the current delegated IPv6 prefixes on an appliance:

  • GET /devices/{serial}/appliance/prefixes/delegated
  • GET /devices/{serial}/appliance/prefixes/delegated/vlanAssignments
  • GET /networks/{networkId}/appliance/prefixes/delegated/static
  • POST /networks/{networkId}/appliance/prefixes/delegated/static
  • GET /networks/{networkId}/appliance/prefixes/delegated/static/{staticDelegatedPrefixId}
  • PUT /networks/{networkId}/appliance/prefixes/delegated/static/{staticDelegatedPrefixId}
  • DELETE /networks/{networkId}/appliance/prefixes/delegated/static/{staticDelegatedPrefixId}
  • GET /devices/{serial}/appliance/uplinks/settings
  • PUT /devices/{serial}/appliance/uplinks/settings
  • GET /networks/{networkId}/appliance/vlans/{vlanId}
  • POST /networks/{networkId}/appliance/vlans
  • PUT /networks/{networkId}/appliance/vlans/{vlanId}
