
Problem in 3548-x switch with dot1x in multiple VLAN assignment

Hi,

Our Cisco 3548X switch on version 9.3.2 has the dot1x port-based feature enabled and is connected to a FreeRADIUS server for authentication. We are trying to give multiple VLANs in the FreeRADIUS server user file so that the Cisco switch allows our two VLANs, 1968 and 1969.

 

We are trying the below configuration in the user file of the FreeRADIUS server, where we give the two VLANs, but the Cisco Auth-Vlan comes up as the default.

 

Free radius user file config for Cisco switch

E23D213926.XXX.com Cleartext-Password := "54321"
Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = "1968,1969"

 

Cisco Dot1x output

Dot1x Info for Ethernet1/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
HostMode = MULTI HOST
ReAuthentication = Enabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
InactivityPeriod = 0
Mac-Auth-Bypass = Disabled

Dot1x Authenticator Client List
-------------------------------
Supplicant = 58:45:4C:E7:B3:42
Domain = DATA
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = EAP
Authenticated By = Remote Server
ReAuthPeriod = 3600
ReAuthAction = Reauthenticate
TimeToNextReauth = 2639
Auth-Vlan = 1

 

If we give only one VLAN, 1968, then our setup works, but our node, which needs authentication from Cisco/FreeRADIUS, has two VLANs, 1968 and 1969, so we are not able to reach the default gateway of VLAN 1969 if we put only one VLAN assignment in the RADIUS server.

 

Regards,

Deepak Rawat

 

7 Replies

With "HostMode = MULTI HOST" you can only have one VLAN which is set by the first authentication that happens on that port. Other systems on that port use that VLAN (and other authorisation-settings) piggyback.

What do you want to achieve that you want to assign two VLANs in your setup?
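
A check built from the question and the reply above, as an added example that is not part of the original thread: it reads the Tunnel-Private-Group-ID from the users-file entry and the Auth-Vlan from the dot1x output, then reports when a MULTI HOST port is given more than one VLAN or when an authorized port is not in an assigned VLAN. The function names and finding labels are assumptions, and the sample text is shortened from what the question quotes.

```python
import re

# Shortened from the users-file entry and dot1x output quoted in the question.
USERS_ENTRY = '''E23D213926.XXX.com Cleartext-Password := "54321"
Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = "1968,1969"
'''
DOT1X_OUTPUT = '''Dot1x Info for Ethernet1/11
HostMode = MULTI HOST
Supplicant = 58:45:4C:E7:B3:42
Port Status = AUTHORIZED
Auth-Vlan = 1
'''

def radius_vlans(entry):
    """VLAN IDs listed in the entry's Tunnel-Private-Group-ID reply attribute."""
    m = re.search(r'Tunnel-Private-Group-ID\s*[:+]?=\s*"([^"]*)"', entry)
    return [v.strip() for v in m.group(1).split(",") if v.strip()] if m else []

def parse_dot1x(output):
    """Turn the 'Key = Value' lines of the dot1x output into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_assignment(entry, output):
    """Return finding labels (hypothetical names) for one port."""
    findings = []
    vlans = radius_vlans(entry)
    port = parse_dot1x(output)
    # Per the reply above: a MULTI HOST port carries a single VLAN.
    if port.get("HostMode") == "MULTI HOST" and len(vlans) > 1:
        findings.append("multiple-vlans-for-multi-host-port")
    # Authorized, yet not placed in any VLAN the RADIUS entry names.
    if port.get("Port Status") == "AUTHORIZED" and vlans \
            and port.get("Auth-Vlan") not in vlans:
        findings.append("assigned-vlan-not-applied")
    return findings

if __name__ == "__main__":
    for finding in check_assignment(USERS_ENTRY, DOT1X_OUTPUT):
        print("Ethernet1/11:", finding)
```

An authorized port that stays in VLAN 1 is worth alerting on, because the supplicant passed authentication without landing in the segment the RADIUS policy intended.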

Hi Karsten,

Thanks for the reply.

Actually our node has a two-VLAN setup, one for connectivity (1968) and the other for voice (1969), so we want both VLANs to be allowed so that both our functions can work simultaneously. Multihost is given because we have more than one node in a cascaded setup, and the first node, which is directly connected to the Cisco port, is the authenticator for the second node, and so on.

 

Hi, is this issue still not solved?
Can I see the config of the interface?

Hi,

Is there anyone who can guide us or reply to this problem?

Dear Experts,

 

Any help? We are still looking for answers.

 

Hi,

The problem got solved now

 

Solution: the issue was the lack of accounting stop messages, so we added accounting to the switch.

 

Regards,

Deepak
