Is it possible for a radius server to assign vlan dynamically on a switch port that is on a dummy vlan before it gets authenticated?

 

What I mean if a domain PC connects to a switch port assign vlan 3180 - 3189 (these are client vlans), if it is a printer assign it to vlan 3017 and if it is a guest user assign it to vlan guest and send it to a web portal for registration. Is this even possible or I am thinking way out of the box?


There are many ways to assign a vlan based upon criteria - mac, auth to radius, sure.. What switch(es) do you have? Your 30$ smart switch is not going to be able to do this sort of thing ;)

 

Sounds like you're wanting to implement a NAC... Check out https://packetfence.org/

 

If you're a cisco shop it would be ISE.. But not free ;)  https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html

Great, then what I am trying to do will work somehow. Haha, my switch cost almost 1000$ :p

 

I am going to use ISE and what I want to do is: Dot1X and MAB, but if the user is not found in the AD or ISE DB they should be redirected to a guest web portal for registration. Now when I assign the port to a specific vlan for dot1x it works fine, i.e. client vlan, but it will not change vlan to the guest vlan after the registration is done.

 

So now I want to assign all ports to a dummy vlan, i.e. 999, and after the switch port is authenticated for domain PCs it should move them to the client vlan, and the same for the printer vlan. Guests should be moved from the dummy vlan to the guest vlan after the registration is done.

This is a common setup where a device gets dumped into a restricted vlan until it auths in some manner; filling out info in a captive portal could sure be one of those options.

 

I am quite sure ISE can do that... I would open up a tac case with cisco if you're having a problem with a specific configuration option not working etc.

Good to know it is possible, have you done this before?

Yeah, I am sure ISE can do it. The problem is that in ISE 2.3 they have re-done everything and there isn't a lot of documentation to read, and the older docs aren't really applicable.

 

I will open a tac case, but wanted to make sure that it is possible from radius perspective.

Sure when I get to work in the morning I will post up some info..

 

Got called, so a bit early this morning.. Freaking circuit can not stay up for more than 30 days at a time without a freaking issue... Arrrggh ;)

On 23/01/2018 at 22:27, nabz0r said:

Is it possible for a radius server to assign vlan dynamically on a switch port that is on a dummy vlan before it gets authenticated?

 

What I mean if a domain PC connects to a switch port assign vlan 3180 - 3189 (these are client vlans), if it is a printer assign it to vlan 3017 and if it is a guest user assign it to vlan guest and send it to a web portal for registration. Is this even possible or I am thinking way out of the box?

Here is what happens in my scenario.

Vlan 1 is an unconfigured vlan. Vlan 1 is essentially shut down.

If an unauthenticated computer/device somehow holds the port open, that computer/device resides on vlan 1. Vlan 1 has no IP or subnet; it routes nowhere. Most of the time, if a computer can't auth, the port goes into an administrative shutdown state. If I plug my Fluke LinkRunner in, it holds the port in an online status and gives me the port info and the configured vlan of 1.

 

If a computer gets authenticated, Radius then pushes out what vlan that port can communicate on.

 

I think that is the scenario that you are looking for...a dummy vlan (The default vlan of the switch, which should always remain unconfigured).

 

802.1x doesn't really support a "portal". You can configure the switch so that all else belongs to a vlan that has portal access (your default vlan for the access port)....

 

In my switch I would do this as an example:

int gi1/0/1
 switchport mode access
 switchport access vlan 3017
 authentication order
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast edge

This would put all unauthenticated computers on vlan 3017.

 

It kind of irks me a little that the 2960x series has a different set of cli instructions, how the x series has deprecated commands that in the xr series continue to live and breathe.

For you, you may want to look at this and look at the guest vlan settings or 802.1x Authentication with Restricted VLAN:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_010000.html#ID737
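As an added illustration of the "Radius then pushes out what vlan that port can communicate on" step (this is not code from the thread, ISE, or Cisco): the three tunnel attributes defined in RFC 2868 and reused by RFC 3580 for dynamic VLAN assignment, built the way a RADIUS server would place them in an Access-Accept, and decoded the way the switch side has to, including the checks that all three attributes are present under one tag and that a numeric VLAN ID is in range. The attribute numbers and values come from those RFCs; the sample VLANs are the ones mentioned in this thread.

```python
import struct

# RFC 2868 tunnel attributes that RFC 3580 reuses for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


def encode_avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value(Length-2)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan, tag=1):
    """Attributes a RADIUS server adds to an Access-Accept to place the port in `vlan`.

    `vlan` may be a VLAN ID (int) or a VLAN name (str). The two integer attributes carry
    a tag octet plus a 3-octet value; the group ID carries a tag octet plus the text.
    """
    return (encode_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii")))


def parse_avps(data):
    """Split a run of attributes into (type, value) pairs, rejecting malformed lengths."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        avps.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return avps


def assigned_vlan(attrs):
    """Return the VLAN (ID or name, as str) a switch would apply, or None when the
    attribute set is incomplete, inconsistent, or names an impossible VLAN ID."""
    by_tag = {}
    for t, v in parse_avps(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a leading octet 0x00-0x1F is a tag, anything else is already data
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = body.decode("ascii", errors="replace")
    for group in by_tag.values():  # all three attributes must agree under one tag
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            vlan = group[TUNNEL_PRIVATE_GROUP_ID]
            if vlan.isdigit():
                return vlan if 1 <= int(vlan) <= 4094 else None
            return vlan or None
    return None
```

A switch that receives only one or two of the three attributes, or a VLAN outside 1-4094, leaves the port where it was (here the dummy or restricted vlan), which is the safe failure mode this thread relies on.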

 

@BudMan, I actually have seen that link and he uses NPS, not ISE. I have figured it out and my ISE is now doing all the job with a little help from Active Directory, and I am going to use ISE for authentication and command authorization based on AD group for the network department; today we're using local usernames which is NO good.

 

@sc302, Yes, that is the scenario I was looking for. All switch ports are assigned a dummy vlan, though not vlan 1, and when a device gets authenticated ISE will put it in the respective vlan. I have even succeeded with the portal through ISE for guest users/PCs. Guests connect to a port, get redirected to the guest portal for registration, then log in and have only internet access. As for the portal design, Cisco provides Portal Builder at isepb.cisco.com and when you're done with the design, you import it into your ISE like a boss. :D

 

This was a big project and I am happy that everything worked out as I wanted, though I've grown 50 new gray hairs because of this hehe. If anyone is interested in the product and wants to know how to configure dot1x, mab or guest authentication I'd be happy to help, just PM me or write here.

 

My switch config:

interface GigabitEthernet1/0/22
 description GARDSHUSET RICOH AFICIO C430DN
 switchport access vlan 666
 switchport mode access
 switchport nonegotiate
 power inline never
 authentication periodic
 authentication timer reauthenticate server
 access-session control-direction in
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 service-policy type control subscriber DOT1X_MAB_WEBAUTH_POLICY

 

Policy-map (class-map is also configured):

se08-as11#sh policy-map type control subscriber DOT1X_MAB_WEBAUTH_POLICY
DOT1X_MAB_WEBAUTH_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-failure match-first
    5 class DOT1X_FAILED do-until-failure
      10 terminate dot1x
      20 authenticate using mab priority 20
    10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
      10 clear-authenticated-data-hosts-on-port
      20 activate service-template CRITICAL_AUTH_VLAN
      30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
      40 authorize
      50 pause reauthentication
    20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
      10 pause reauthentication
      20 authorize
    30 class DOT1X_NO_RESP do-until-failure
      10 terminate dot1x
      20 authenticate using mab priority 20
    40 class MAB_FAILED do-until-failure
      10 terminate mab
      20 authentication-restart 60
    60 class always do-until-failure
      10 terminate dot1x
      20 terminate mab
      30 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 terminate mab
      20 authenticate using dot1x retries 2 retry-time 0 priority 10
      30 authenticate using dot1x priority 10
  event aaa-available match-all
    10 class IN_CRITICAL_VLAN do-until-failure
      10 clear-session
    20 class NOT_IN_CRITICAL_VLAN do-until-failure
      10 resume reauthentication
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
  event violation match-all
    10 class always do-until-failure
      10 restrict
  event inactivity-timeout match-all
    10 class always do-until-failure
      10 clear-session
