Hi BB

my fw is 2.5.5.47 - the latest.

I'm looking at the emulator in your link and a Port Authentication page for a given port and cannot find an the option (same as my sg250).

thanks

I downgraded to the previous fw that came with the device : 2.5.0.83

It doesn't appear to have this option either.

Hi Cyberconsultants

i must be blind. I cannot see this in the emulator either. I am going to Security -> 802.1x Authenticate -> Port Authnetication, then selecting a Port and hitting Edit.

Show me where the RADIUS VLAN mapping setting is.

What do you mean by RADIUS VLAN mapping?

The 802.1X Port Authentication configuration will be carried out according to your VLAN Management > Port VLAN Memberships.

What VLAN is your RADIUS server on? Do you need hosts on other VLANs to authenticate to that RADIUS server? What specifically are you trying to do?

You've highlighted some text from a miscited version of a former admin guide. You were fine on the most recent firmware.

As in my original message that started this thread - the admin manual states that

"A user can specify that untagged traffic from the authorized host will be remapped to a
VLAN that is assigned by a RADIUS server during the authentication process. Tagged
traffic is dropped unless it belongs to the RADIUS-assigned VLAN or the
unauthenticated VLANs. Radius VLAN assignment on a port is set in the Port
Authentication page."

I took this to mean that the RADIUS attributes,  Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id could be sent from the RADIUS server to the switch and would configure the port for the appropriate vlan. Perhaps I misunderstood what that paragraph from the manual means. To me it says very plainly "VLAN that is assigned by a radius server". The RAIDUS VLAN assignment on a port is set in the Port Authentication page".

This is the latest version of the admin guide I could find. If these devices aren't capable of assigning vlans from a radius reply, they should say so.

Are you able to see exactly what's happening with/to the RADIUS attribute traffic?

You assume the switch is 'ignoring' that traffic because your config isn't working?

Those are vlan memberships configured on the switch device. RADIUS does the auth but the switch ignores Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "11".

So I cannot map VLAN membership on the port via RADIUS like the manual states on pg 314-316?

Could you post one of your switch's configs?

Try modifying your Tunnel-Private-Group-Id attribute to "[tag], [string]"... as in "Tunnel-Private-Group-Id = [11, RemappedVLAN]" for example.

That string, up to 253 characters, is apparently used by IOS.

This does not work either (Tunnel-Private-Group-Id = [11, RemappedVLAN]). I verified we are sending all the attributes to via wireshark.

I agree that language reads like at least the remapping should work. If a supplicant is able to authenticate to your RADIUS server, then the language reads like that supplicant's port's untagged VLAN should then be remapped by RADIUS assignment to VLAN 11 like you're trying (and verifying via capture).

Post up a switch config so I can follow along better.

Wouldn't be surprised if this SG line doesn't support RADIUS assignment beyond that initial remap either. Total speculation and not what you're asking at this point, but throwing that out there. It may also be that it supports 802.1X authentication but can 'remap' only to a tagged VLAN that's already configured and to which a port is already configured as a member on the switch.

Another softball—have you given all the relevant sections in the device's 'Help' manual a thorough read? I sometimes find interesting things in there I might've missed or that weren't covered in the admin guide. Personally not familiar with the Sx2xx lineup beyond what we've variously installed for clients.