kamsuj asked:

Cisco Catalyst port-based 802.1x and MS IAS

Hi,

I have a problem with Cisco Catalyst port-based 802.1x and MS IAS RADIUS. I have set authentication with:


aaa new-model
aaa authentication dot1x lista1 group radius local
interface FastEthernet0/39
 dot1x port-control auto
radius-server host XX.XXX.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX
radius-server retransmit 3


and when I try to authenticate I get the following debug message on the switch:

010961: 17w0d: dot1x-core(Fa0/39): starting
010962: 17w0d: dot1x-core(Fa0/39): control event
010963: 17w0d: dot1x-authsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
010964: 17w0d: dot1x-authsm(Fa0/39): state DISCONNECTED, event ENTRY, arg 0x0
010965: 17w0d: dot1x-core(Fa0/39): deauthorized port
010966: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=4, id=0
010967: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event ENTRY, arg 0x0
010968: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=1, id=1
010969: 17w0d: dot1x-authsm(Fa0/39): first connection attempt
010970: 17w0d: dot1x-besm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
010971: 17w0d: dot1x-besm(Fa0/39): state IDLE, event ENTRY, arg 0x0
010972: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
010973: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
010974: 17w0d: dot1x-core(Fa0/39): control event
010975: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event CONTROL, arg 0x0
010976: 17w0d: dot1x-besm(Fa0/39): state IDLE, event CONTROL, arg 0x0
010977: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
010978: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
010979: Feb 26 13:33:44: %LINK-3-UPDOWN: Interface FastEthernet0/39, changed state to up
010980: 17w0d: dot1x-core(Fa0/39): timer TX_WHEN expired
010981: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event TIMEOUT, arg 0x0
010982: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event ENTRY, arg 0x0
010983: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=1, id=1
010984: 17w0d: dot1x-authsm(Fa0/39): connection retry 1 of 2
010985: 17w0d: dot1x-besm(Fa0/39): state IDLE, event TIMEOUT, arg 0x0
010986: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event TIMEOUT, arg 0x0
010987: 17w0d: dot1x-core(Fa0/39): timer TX_WHEN expired
010988: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event TIMEOUT, arg 0x0
010989: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event ENTRY, arg 0x0
010990: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=1, id=1
010991: 17w0d: dot1x-authsm(Fa0/39): connection retry 2 of 2
010992: 17w0d: dot1x-besm(Fa0/39): state IDLE, event TIMEOUT, arg 0x0
010993: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event TIMEOUT, arg 0x0
010994: 17w0d: dot1x-core(Fa0/39): timer TX_WHEN expired
010995: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event TIMEOUT, arg 0x0
010996: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event ENTRY, arg 0x0
010997: 17w0d: dot1x-authsm(Fa0/39): exceeded maximum connection attempts
010998: 17w0d: dot1x-authsm(Fa0/39): state DISCONNECTED, event ENTRY, arg 0x0
010999: 17w0d: dot1x-core(Fa0/39): deauthorized port
011000: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=4, id=1
011001: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event ENTRY, arg 0x0
011002: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=1, id=2
011003: 17w0d: dot1x-authsm(Fa0/39): first connection attempt
011004: 17w0d: dot1x-besm(Fa0/39): state IDLE, event TIMEOUT, arg 0x0
011005: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event TIMEOUT, arg 0x0
011006: 17w0d: dot1x-core(Fa0/39): EAPOL pkt in
011007: 17w0d: dot1x-core(Fa0/39): 00:00:39:8E:C5:E2 sent EAPOL type=0, EAP code=2, id=2
011008: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event INPUT, arg 0x80C2BFD8
011009: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event ENTRY, arg 0x80C2BFD8
011010: 17w0d: dot1x-besm(Fa0/39): state IDLE, event INPUT, arg 0x80C2BFD8
011011: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event INPUT, arg 0x80C2BFD8
011012: 17w0d: dot1x-core(Fa0/39): control event
011013: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event CONTROL, arg 0x0
011014: 17w0d: dot1x-besm(Fa0/39): state IDLE, event CONTROL, arg 0x0
011015: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event ENTRY, arg 0x0
011016: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
011017: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
011018: 17w0d: dot1x-core(Fa0/39): control event
011019: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event CONTROL, arg 0x0
011020: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event CONTROL, arg 0x0
011021: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
011022: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
011023: 17w0d: dot1x-backend(Fa0/39): [71] starting aaa sequence
011024: 17w0d: dot1x-backend(Fa0/39): [71] relaying EAP data from supplicant
011025: 17w0d: dot1x-backend(Fa0/39): [71] starting login
011026: 17w0d: dot1x-backend(Fa0/39): [71] login user userek@domenka.pl, client ID XX-XX-XX-XX-XX-XX
011027: 17w0d: dot1x-backend(Fa0/39): [71] start_login returned FAIL
011028: 17w0d: dot1x-backend(Fa0/39): [71] cleaning up AAA context
011029: 17w0d: dot1x-core(Fa0/39): RADIUS reply (1) received
011030: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event SERVER_REPLY, arg 0x1
011031: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event SERVER_REPLY, arg 0x1
011032: 17w0d: dot1x-besm(Fa0/39): state FAIL, event ENTRY, arg 0x1
011033: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=4, id=0
011034: 17w0d: dot1x-besm(Fa0/39): state IDLE, event ENTRY, arg 0x1
011035: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event SERVER_REPLY, arg 0x1
011036: 17w0d: dot1x-core(Fa0/39): control event
011037: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event CONTROL, arg 0x0
011038: 17w0d: dot1x-authsm(Fa0/39): state HELD, event ENTRY, arg 0x0
011039: 17w0d: dot1x-core(Fa0/39): deauthorized port
011040: 17w0d: dot1x-besm(Fa0/39): state IDLE, event CONTROL, arg 0x0
011041: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
011042: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped


Do you have any idea what's wrong? What seems strange to me is the line:

011027: 17w0d: dot1x-backend(Fa0/39): [71] start_login returned FAIL

But what failed? Authentication? Communication with the RADIUS server? In IAS (log files and server events) I don't have anything about any authentication (success or failure, nothing).

Thanks for any help,

RPPreacher:

Should read:

aaa authentication dot1x default group radius
aaa authorization network default group radius

I'm assuming you also have:

#dot1x system-auth-control

kamsuj (ASKER):

In the 2950 I don't have #dot1x system-auth-control.

Gotcha... we are using 3550 layer 3.

Did you make the other 2 changes?

kamsuj (ASKER):

Yes, I have made them. It worked for 2 or 3 logins and then stopped. Now I get:

012762: 17w0d: dot1x-core(Fa0/39): starting
012763: 17w0d: dot1x-core(Fa0/39): control event
012764: 17w0d: dot1x-authsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
012765: 17w0d: dot1x-authsm(Fa0/39): state DISCONNECTED, event ENTRY, arg 0x0
012766: 17w0d: dot1x-core(Fa0/39): deauthorized port
012767: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=4, id=0
012768: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event ENTRY, arg 0x0
012769: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=1, id=1
012770: 17w0d: dot1x-authsm(Fa0/39): first connection attempt
012771: 17w0d: dot1x-besm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
012772: 17w0d: dot1x-besm(Fa0/39): state IDLE, event ENTRY, arg 0x0
012773: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
012774: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
012775: 17w0d: dot1x-core(Fa0/39): control event
012776: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event CONTROL, arg 0x0
012777: 17w0d: dot1x-besm(Fa0/39): state IDLE, event CONTROL, arg 0x0
012778: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
012779: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
012780: Feb 26 15:12:44: %LINK-3-UPDOWN: Interface FastEthernet0/39, changed state to up
012781: 17w0d: dot1x-core(Fa0/39): EAPOL pkt in
012782: 17w0d: dot1x-core(Fa0/39): 00:00:39:8E:C5:E2 sent EAPOL type=0, EAP code=2, id=1
012783: 17w0d: dot1x-authsm(Fa0/39): state CONNECTING, event INPUT, arg 0x80C2CD0C
012784: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event ENTRY, arg 0x80C2CD0C
012785: 17w0d: dot1x-besm(Fa0/39): state IDLE, event INPUT, arg 0x80C2CD0C
012786: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event INPUT, arg 0x80C2CD0C
012787: 17w0d: dot1x-core(Fa0/39): control event
012788: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event CONTROL, arg 0x0
012789: 17w0d: dot1x-besm(Fa0/39): state IDLE, event CONTROL, arg 0x0
012790: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event ENTRY, arg 0x0
012791: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
012792: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
012793: 17w0d: dot1x-core(Fa0/39): control event
012794: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event CONTROL, arg 0x0
012795: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event CONTROL, arg 0x0
012796: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
012797: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
012798: 17w0d: dot1x-backend(Fa0/39): [71] starting aaa sequence
012799: 17w0d: dot1x-backend(Fa0/39): [71] relaying EAP data from supplicant
012800: 17w0d: dot1x-backend(Fa0/39): [71] starting login
012801: 17w0d: dot1x-backend(Fa0/39): [71] login user user@domenka.pl, client ID 00-00-39-8E-C5-E2
012802: 17w0d: dot1x-backend(Fa0/39): [71] start_login returned GETDATA
012803: 17w0d: dot1x-core(Fa0/39): RADIUS reply (2) received
012804: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event SERVER_REPLY, arg 0x2
012805: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event SERVER_REPLY, arg 0x2
012806: 17w0d: dot1x-besm(Fa0/39): state REQUEST, event ENTRY, arg 0x2
012807: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=1, id=2
012808: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event SERVER_REPLY, arg 0x2
012809: 17w0d: dot1x-core(Fa0/39): EAPOL pkt in
012810: 17w0d: dot1x-core(Fa0/39): 00:00:39:8E:C5:E2 sent EAPOL type=0, EAP code=2, id=2
012811: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event INPUT, arg 0x80C2CD0C
012812: 17w0d: dot1x-besm(Fa0/39): state REQUEST, event INPUT, arg 0x80C2CD0C
012813: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event ENTRY, arg 0x80C2CD0C
012814: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event INPUT, arg 0x80C2CD0C
012815: 17w0d: dot1x-core(Fa0/39): control event
012816: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event CONTROL, arg 0x0
012817: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event CONTROL, arg 0x0
012818: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
012819: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
012820: 17w0d: dot1x-backend(Fa0/39): [71] relaying EAP data from supplicant
012821: 17w0d: dot1x-backend(Fa0/39): [71] cont_login returned FAIL
012822: 17w0d: dot1x-backend(Fa0/39): [71] cleaning up AAA context
012823: 17w0d: dot1x-core(Fa0/39): RADIUS reply (1) received
012824: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event SERVER_REPLY, arg 0x1
012825: 17w0d: dot1x-besm(Fa0/39): state RESPONSE, event SERVER_REPLY, arg 0x1
012826: 17w0d: dot1x-besm(Fa0/39): state FAIL, event ENTRY, arg 0x1
012827: 17w0d: dot1x-core(Fa0/39): send EAPOL type=0, EAP code=4, id=2
012828: 17w0d: dot1x-besm(Fa0/39): state IDLE, event ENTRY, arg 0x1
012829: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event SERVER_REPLY, arg 0x1
012830: 17w0d: dot1x-core(Fa0/39): control event
012831: 17w0d: dot1x-authsm(Fa0/39): state AUTHENTICATING, event CONTROL, arg 0x0
012832: 17w0d: dot1x-authsm(Fa0/39): state HELD, event ENTRY, arg 0x0
012833: 17w0d: dot1x-core(Fa0/39): deauthorized port
012834: 17w0d: dot1x-besm(Fa0/39): state IDLE, event CONTROL, arg 0x0
012835: 17w0d: dot1x-reauthsm(Fa0/39): state INITIALIZE, event CONTROL, arg 0x0
012836: 17w0d: dot1x-reauthsm(Fa0/39): reauth timer stopped
012837: 17w0d: dot1x-core(Fa0/8): stopping
012838: 17w0d: dot1x-core(Fa0/8): control event
012839: 17w0d: dot1x-authsm(Fa0/8): state FORCE_AUTH, event CONTROL, arg 0x0
012840: 17w0d: dot1x-authsm(Fa0/8): state INITIALIZE, event ENTRY, arg 0x0
012841: 17w0d: dot1x-besm(Fa0/8): state IDLE, event CONTROL, arg 0x0
012842: 17w0d: dot1x-besm(Fa0/8): state INITIALIZE, event ENTRY, arg 0x0
012843: 17w0d: dot1x-reauthsm(Fa0/8): state INITIALIZE, event CONTROL, arg 0x0
012844: 17w0d: dot1x-reauthsm(Fa0/8): reauth timer stopped
012845: Feb 26 15:13:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down
012846: 17w0d: dot1x-core(Fa0/8): starting
012847: 17w0d: dot1x-core(Fa0/8): control event
012848: 17w0d: dot1x-authsm(Fa0/8): state INITIALIZE, event CONTROL, arg 0x0
012849: 17w0d: dot1x-authsm(Fa0/8): state FORCE_AUTH, event ENTRY, arg 0x0
012850: 17w0d: dot1x-core(Fa0/8): authorized for multiple-host access
012851: 17w0d: dot1x-core(Fa0/8): send EAPOL type=0, EAP code=3, id=0
012852: 17w0d: dot1x-besm(Fa0/8): state INITIALIZE, event CONTROL, arg 0x0
012853: 17w0d: dot1x-besm(Fa0/8): state IDLE, event ENTRY, arg 0x0
012854: 17w0d: dot1x-reauthsm(Fa0/8): state INITIALIZE, event CONTROL, arg 0x0
012855: 17w0d: dot1x-reauthsm(Fa0/8): reauth timer stopped
012856: 17w0d: dot1x-core(Fa0/8): control event
012857: 17w0d: dot1x-authsm(Fa0/8): state FORCE_AUTH, event CONTROL, arg 0x0
012858: 17w0d: dot1x-besm(Fa0/8): state IDLE, event CONTROL, arg 0x0
012859: 17w0d: dot1x-reauthsm(Fa0/8): state INITIALIZE, event CONTROL, arg 0x0
012860: 17w0d: dot1x-reauthsm(Fa0/8): reauth timer stopped
012861: Feb 26 15:13:06: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
012862: Feb 26 15:13:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up
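The two captures above differ in where the backend gives up, and that is easier to see once the debug output is grouped per login attempt. The following is an added example, not code from the thread: the sample lines are copied and abridged from the captures, the `AUTHENTICATED` state name comes from the 802.1X authenticator state machine rather than from this page, and reading `GETDATA` as "a challenge was relayed" is inferred from the EAP Request the switch sends right after it.

```python
import re

# Constructed sample: lines copied and abridged from the two captures above.
SAMPLE_LOG = """\
010984: 17w0d: dot1x-authsm(Fa0/39): connection retry 1 of 2
010997: 17w0d: dot1x-authsm(Fa0/39): exceeded maximum connection attempts
011026: 17w0d: dot1x-backend(Fa0/39): [71] login user userek@domenka.pl, client ID XX-XX-XX-XX-XX-XX
011027: 17w0d: dot1x-backend(Fa0/39): [71] start_login returned FAIL
011038: 17w0d: dot1x-authsm(Fa0/39): state HELD, event ENTRY, arg 0x0
012780: Feb 26 15:12:44: %LINK-3-UPDOWN: Interface FastEthernet0/39, changed state to up
012801: 17w0d: dot1x-backend(Fa0/39): [71] login user user@domenka.pl, client ID 00-00-39-8E-C5-E2
012802: 17w0d: dot1x-backend(Fa0/39): [71] start_login returned GETDATA
012821: 17w0d: dot1x-backend(Fa0/39): [71] cont_login returned FAIL
012832: 17w0d: dot1x-authsm(Fa0/39): state HELD, event ENTRY, arg 0x0
012849: 17w0d: dot1x-authsm(Fa0/8): state FORCE_AUTH, event ENTRY, arg 0x0
"""

LINE = re.compile(r"^\d+: \S+: dot1x-(\w+)\(([\w/]+)\): (.*)$")
LOGIN = re.compile(r"login user (\S+), client ID (\S+)")
RESULT = re.compile(r"(start_login|cont_login) returned (\w+)")
STATE = re.compile(r"state (\w+), event ENTRY")


def parse_attempts(text):
    """Group dot1x debug lines into one record per AAA login attempt."""
    attempts, current, timeouts = [], {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # plain syslog lines such as %LINK-3-UPDOWN
        module, port, msg = m.groups()
        if module == "authsm" and msg.startswith("exceeded maximum"):
            # Supplicant never answered the EAP Request/Identity retries.
            timeouts[port] = timeouts.get(port, 0) + 1
        elif module == "backend" and (lm := LOGIN.search(msg)):
            current[port] = {"port": port, "user": lm.group(1),
                             "client": lm.group(2), "steps": [], "final": None,
                             "supplicant_timeouts": timeouts.pop(port, 0)}
            attempts.append(current[port])
        elif module == "backend" and (rm := RESULT.search(msg)) and port in current:
            current[port]["steps"].append(rm.group(2))
        elif module == "authsm" and (sm := STATE.search(msg)) and port in current:
            # HELD appears in the captures; AUTHENTICATED is assumed (802.1X PAE state).
            if sm.group(1) in ("HELD", "AUTHENTICATED"):
                current.pop(port)["final"] = sm.group(1)
    return attempts


def classify(attempt):
    """Say how far the backend exchange got before it failed."""
    steps = attempt["steps"]
    if steps == ["FAIL"]:
        return "failed on first AAA call, no challenge relayed"
    if steps and steps[-1] == "FAIL":
        return f"failed after {len(steps) - 1} challenge round(s)"
    return "no failure recorded"
```

An attempt that fails on the first AAA call, as in the first capture, points at the switch side of the exchange, which matches IAS logging nothing; a failure after a challenge round means the server was reached.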

Please post the config & IOS version.

kamsuj (ASKER):

! Last configuration change at 16:20:24 CET Mon Feb 26 2007 by admin
! NVRAM config last updated at 16:48:50 CET Mon Feb 26 2007 by admin
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname XXXXXXX
!
aaa new-model
aaa authentication login lokalna local
aaa authentication dot1x default group radius local
aaa authorization network default group radius local
enable secret level 2 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX.
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username helpdesk secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
clock timezone CET 1
clock summer-time CEST recurring last Sun Apr 2:00 last Sun Oct 3:00
ip subnet-zero
no ip domain-lookup
!
!
spanning-tree mode mst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
spanning-tree mst configuration
 name XXX
 revision 2
!
!
interface FastEthernet0/1
 switchport access vlan 6
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast

[...]

 
interface FastEthernet0/39
 switchport access vlan 4
 switchport mode access
 no ip address
 dot1x port-control auto
 spanning-tree portfast


[...]

radius-server host 00.000.0.0 auth-port 1812 acct-port 1813 key XXXXXXXXX
radius-server retransmit 3
privilege interface level 1 ip address
privilege interface level 1 description
privilege interface level 1 switchport mode
privilege interface level 1 switchport access vlan
privilege interface level 1 no shutdown
privilege interface level 1 shutdown
privilege configure level 1 interface
privilege exec level 1 show running-config
privilege exec level 1 copy running-config startup-config
privilege exec level 1 config terminal
privilege exec level 1 write memory
!
line con 0
 login authentication lokalna
line vty 0 4
 exec-timeout 60 0
 password 7 XXXXXXXXXXXX
 login authentication lokalna
line vty 5
 exec-timeout 60 0
 password 7 XXXXXXXXXXXX
 login authentication lokalna
line vty 6 15
 exec-timeout 60 0
 password 7 XXXXXXXXXXXX
!
ntp clock-period 17179803
ntp server 00.000.0.0
end


show version - c2950-i6q4l2-mz.121-11.EA1.bin

You say it works 2-3 times and then fails. When it fails, are you seeing authentication failures on the IAS server or does the authentication never go to the server?

kamsuj (ASKER):

In the IAS it seems that the user is authenticated, as the logs are all the same as the ones from when it was OK.

Here are a few items that we have different:

aaa session-id common
radius-server source-ports 1645-1646
radius-server key 7 XXXXXXXXXXX

Other than that, I don't see much different.  We are using 12.2.25(SEE2) but that shouldn't matter.

ASKER CERTIFIED SOLUTION
cyoncon

This solution is only available to members of Experts Exchange.

kamsuj (ASKER):

cyoncon - thx, this solved my problem.

RPPreacher - thx for the first solution.

Yo... thanks but no points? You should have split the points.

kamsuj (ASKER):

Sorry for that. I'm learning to use EE and when I accepted cyoncon's answer it was too late to give you points.

kamsuj (ASKER):

Could you please tell me another thing: how to configure dynamic VLAN assignment based on information from RADIUS? I have already configured IAS with the doc from Microsoft, but I don't see any info on how to make it work on the Catalyst. I have the enterprise image, and from the Cisco site I see that this feature is in it. I would like to know how to do such a scenario: the port is in access mode in, for example, VLAN 4, and when someone authorizes with RADIUS he will be in VLAN 11.

Thx

Hey kamsuj, you should open another question for this. Anyway, I'm going to give you the answer.
BTW, RPPreacher is right: if his solution helped, you should have split the points.

Anyway:
On the IAS you have to create a VLAN group for each group of users you want to be in that VLAN.
On the management interface of the IAS, create a new VLAN policy for each VLAN group.
Then, in the conditions window, select ADD, select the "windows-group" attribute and ADD, ADD again and select the VLAN group associated with the policy, OK, Next, Next.
On the Edit-Dial-in Profile screen select Advanced, and you should see Service-Type and Framed-Protocol. At this point you should add the three attributes required for dynamic VLAN assignment. These are:
Tunnel-Medium-Type = 802
Tunnel-Pvt-Group-ID = # or name of vlan you want to assign to these users
Tunnel-Type = VLAN

Hope this works, and if you can, try opening another question and assign the points.
Tks
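The three attributes listed in the answer above travel in the RADIUS Access-Accept as type-length-value fields, so a packet capture can confirm what IAS really sent before anyone debugs the switch. The following is an added example, not code from the thread: the attribute numbers and values (Tunnel-Type 64 = 13 for VLAN, Tunnel-Medium-Type 65 = 6 for IEEE-802, Tunnel-Private-Group-ID 81, which IAS labels Tunnel-Pvt-Group-ID) are taken from RFC 2868 and RFC 3580, and the function names are hypothetical.

```python
# Attribute numbers and values from RFC 2868 / RFC 3580 (not from the thread).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6


def encode_vlan_attrs(vlan, tag=0):
    """Build the three attributes as RADIUS TLVs, as a constructed test input."""
    def tlv(attr_type, value):
        return bytes([attr_type, len(value) + 2]) + value

    def tagged(number):  # 1 tag octet followed by a 3-octet value
        return bytes([tag]) + number.to_bytes(3, "big")

    group = str(vlan).encode("ascii")
    if tag:  # the tag octet is optional on Tunnel-Private-Group-ID
        group = bytes([tag]) + group
    return (tlv(TUNNEL_TYPE, tagged(VLAN))
            + tlv(TUNNEL_MEDIUM_TYPE, tagged(IEEE_802))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attrs(blob):
    """Split the attribute section of a RADIUS packet into {type: [values]}."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length for attribute {attr_type}")
        attrs.setdefault(attr_type, []).append(blob[i + 2:i + length])
        i += length
    return attrs


def check_vlan_assignment(blob):
    """Return (vlan, problems) for the attribute bytes of an Access-Accept."""
    attrs, problems = parse_attrs(blob), []

    def tagged_int(attr_type, name, expected):
        values = attrs.get(attr_type)
        if not values:
            problems.append(f"{name} missing")
        elif len(values[0]) != 4 or int.from_bytes(values[0][1:], "big") != expected:
            problems.append(f"{name} is not {expected}")

    tagged_int(TUNNEL_TYPE, "Tunnel-Type", VLAN)
    tagged_int(TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type", IEEE_802)
    group = (attrs.get(TUNNEL_PRIVATE_GROUP_ID) or [b""])[0]
    if group[:1] and group[0] <= 0x1F:  # leading octet <= 0x1F is a tag
        group = group[1:]
    if not group:
        problems.append("Tunnel-Private-Group-ID missing or empty")
    return (group.decode("ascii", "replace") or None), problems
```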