I am trying to test out dynamic VLAN assignment with a Clearpass NAC solution to my MS510TX switches. I see the switches forward the EAP messages to Clearpass but unfortunately whatever attributes I send back to the switch, it refuses to accept the attributes.
First I responded with this:
Radius:IETF:Tunnel-Medium-Type: 802
Radius:IETF:Tunnel-Private-Group-Id: 25
Radius:IETF:Tunnel-Type: VLAN
The switch responded with the following logs:
08 Mar 2025 17:54:04 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID
08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
08 Mar 2025 17:54:04 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
I deciced the remove the two attributes Medium-Type and Tunnel-Type. Unfortunately then I received the error below :
08 Mar 2025 18:12:26 UTC-5:00%SEC-W-SUPPLICANTUNAUTHORIZED: username kees with MAC e0:d5:5e:e2:92:7d was rejected on port g3 because Radius accept message does not contain VLAN ID
08 Mar 2025 18:12:26 UTC-5:00%AAAEAP-W-RADIUSREPLY: Invalid attribute 81 ignored - tag should be 0 or greater then 31
