AAA, 802.1x, Dot1x dynamic port configuration

I’m working on setting up my switch to use 802.1x for user authentication on the switch along with port authentication for the end user/endpoints. I’m running 15.2(4) on my 2960x stack. I’ve gotten the switch user auth working but I’m struggling with the dynamic vlan port assignment. Logging says its trying to use Vlan 1 which is confusing me since in my radius server (Windows Server NPS) I’ve specified VLAN 23. Here is what I’ve configured thus far:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default none
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

interface GigabitEthernet1/0/1
description IT User Port
switchport mode access
access-session host-mode multi-host
access-session port-control auto
dot1x pae authenticator
spanning-tree portfast edge

radius server DC1
address ipv4 auth-port 1812 acct-port 1813
key 7 xxxxxxxxxxx
radius server DC2
address ipv4 auth-port 1812 acct-port 1813
key 7 xxxxxxxxxx

Then on my radius server I have the my switch added as a Radius Client.
I have have 2 network policies, one for Switch authentication per a security group giving level 15 access and a port auth group using the following settings, (edit: i cant add more than one image):

Windows group w/ NAS Port Type Ethernet

Microsoft: Protected EAP (PEAP) with the top 4 Less secure authentication methods checked

Tunnel-Medium-Type - 802(includes all 802 media plus Ethernet canonical…)
Tunnel-Pvt-Group-ID - 23
Tunnel-Type - Virtual LANs (VLAN)

One last struggle is all the different ways to configure the port g1/0/1. With 15.2(4) there is allot of commands depreciated. For example Authentication is repalced with access-session. But not everything matches.

Anyways, any thoughts and feed back is appreciated.



A post was merged into an existing topic: AAA and 802.1X Authentication