09-23-2014 01:32 PM
I want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.
The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:
Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized
And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:
Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized
However, I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using Wireshark on my RADIUS server to watch for messages from the SG300 IP address, and I'm using Wireshark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup).
Here is my configuration:
Switch - 10.1.1.3
RADIUS (Microsoft NPS) - 10.1.1.15
Switch Usage Type - All (Login and 802.1x)
Port 7 configuration:
VLAN Mode is General
Host Authentication is Single Host Authentication
Administrative Port Control is Auto
RADIUS VLAN Assignment is Disabled
Guest VLAN is Enabled
802.1x Based Authentication is Enabled
Additional Configurations under Security - 802.1x/MAC/Web Authentication:
Port Based Authentication is Enabled
Authentication Method is RADIUS
Guest VLAN is Enabled
Guest VLAN ID is 2
All of my VLANs are enabled for Authentication
I've got to be missing something but I do not know what that something is.
One last note:
The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, Wireshark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.
09-24-2014 05:24 AM
Hi,
This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:
! gi3 only: allow several authenticated sessions on the port (the DVA example)
interface gi3
dot1x host-mode multi-sessions
exit
vlan database
vlan 30,100
exit
! VLAN 100 is the guest VLAN for clients that do not authenticate
interface vlan 100
dot1x guest-vlan
exit
! Global enable: port-level dot1x settings are inactive without this line
dot1x system-auth-control
interface range gi1,gi3
dot1x reauthentication
exit
interface range gi1,gi3
dot1x mac-authentication mac-only
exit
! gi3 only: accept the VLAN assigned by the RADIUS server (DVA)
interface gi3
dot1x radius-attributes vlan
exit
interface range gi1,gi3
dot1x guest-vlan enable
exit
! Ports that should actually challenge clients must be in auto, not force-authorized
interface gigabitethernet1
dot1x port-control auto
exit
interface gigabitethernet3
dot1x port-control auto
exit
! RADIUS server, shared secret, and dot1x bound to the RADIUS method
radius-server host 192.168.1.122 priority 1
radius-server key testing123
aaa authentication dot1x default radius
switch3ba5e1#
Regards,
Aleksandra
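The RADIUS exchange the original poster is watching for in Wireshark (the switch at 10.1.1.3 relaying the supplicant's EAP Identity to NPS at 10.1.1.15, and the server's reply), as an added example that is not code from either post or from Cisco. It builds and checks the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator that an EAP-bearing Access-Request must carry; the shared secret and user name are placeholders, and only the Python standard library is used.

```python
import hashlib, hmac, os, struct

# Constructed lab values mirroring the thread: the NAS (SG300) is 10.1.1.3 and NPS is
# 10.1.1.15. The shared secret is a placeholder, not a value from the page.
SHARED_SECRET = b"placeholder-shared-secret"
NAS_IP = "10.1.1.3"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 5, 79, 80

def _avp(atype, value):
    """One RADIUS attribute TLV: Type, Length (header included), Value (RFC 2865)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(identity, nas_port, secret=SHARED_SECRET, ident=1, auth=None):
    """NAS -> server: Access-Request relaying the supplicant's EAP Response/Identity.
    RFC 3579: a packet carrying EAP-Message must carry Message-Authenticator, an
    HMAC-MD5 over the whole packet computed with that attribute zero-filled."""
    auth = auth or os.urandom(16)                       # 16-byte Request Authenticator
    # EAP Response (code 2) of type Identity (1): Code, Id, Length, Type, identity
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity.encode()
    attrs = (_avp(USER_NAME, identity.encode())
             + _avp(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + _avp(NAS_PORT, struct.pack("!I", nas_port))
             + _avp(EAP_MESSAGE, eap)
             + _avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + auth + attrs, hashlib.md5).digest()
    return header + auth + attrs[:-16] + mac           # Message-Authenticator is last

def verify_message_authenticator(packet, secret=SHARED_SECRET):
    """Server-side check: walk the TLVs, recompute the HMAC with the MA zeroed."""
    pos = 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:    # malformed TLV ends walk
        if packet[pos] == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += packet[pos + 1]
    return False                                        # EAP without MA: drop it

def build_reply(code, request, attrs=b"", secret=SHARED_SECRET):
    """Server -> NAS: Response Authenticator = MD5(Code+ID+Len+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_reply(reply, request, secret=SHARED_SECRET):
    """NAS-side check: reply id matches the request and the digest used the secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(expected, reply[4:20])
```

If the capture on 10.1.1.15 shows no Access-Request at all, as in the question, nothing in this exchange has started: the switch never reached the RADIUS step for that port, so the management-login test proves only that the server, secret and reachability are fine.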