cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

CISCO SWITCHES FOR SMALL and MEDIUM BUSINESS

Introducing the next generation of Cisco Small and Medium Business Switches. Cisco is refreshing its SMB Switch portfolio. Click here  to learn more.


1241
Views
0
Helpful
3
Replies
Highlighted
Beginner

SG300-28 - Firmware 1.2.7.76 with DVA: How to use Guest VLAN ? (Bugs00131469)

Hallo,

can you please explain me this problem more in detail, please:

##################################################################

Problem: When a DVA authorized port tries to re-authenticate and RADIUS

attributes no longer include VLAN attributes, reauthentication should fail and the

port should become unauthorized. This is not happening, and the port does not fail.

(Bugs00131469)

Solution: Do not remove VLAN attributes on a RADIUS server or unplug the

network cable and plug it back in to force the failure.

##################################################################

I am using dynamic VLAN assignment for my known hosts in the network (MAC based authentication only). But there are people from other companies which use their own computer and this computer is not known on my RADIUS server. These people should use the Guest VLAN. In general they unplug the LAN cable from a host which is known on my RADIUS and put the LAN cable into their notebook (which is not known by the RADIUS server).

Does this mean that this port will remain in the old VLAN or will the switch change the port the the guest VLAN ?

And what will happen if I replug the know computer on this port ?

This feature is very important for me but I need the RADIUS accounting feature of the new firmware. So please give me some advice!

Thank you very much!

Alexander Wilke

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Advocate

Hello Alexander,

When connecting an unknown host to the switch, it should go to an unauthenticated VLAN or if using the Guest VLAN, it must be statically created from an existing VLAN on the switch. With the Guest-VLAN-Enable, the switch will automatically assign a port as an untagged member. When the port becomes authorized, the switch should move the port from the Guest VLAN when the first supplicant authorizes.

Basically, that bug listed above says don't make changes to your RADIUS server VLAN information, and if you do, unplug it from the network and replug it.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

View solution in original post

3 REPLIES 3
Highlighted
Advocate

Hello Alexander,

When connecting an unknown host to the switch, it should go to an unauthenticated VLAN or if using the Guest VLAN, it must be statically created from an existing VLAN on the switch. With the Guest-VLAN-Enable, the switch will automatically assign a port as an untagged member. When the port becomes authorized, the switch should move the port from the Guest VLAN when the first supplicant authorizes.

Basically, that bug listed above says don't make changes to your RADIUS server VLAN information, and if you do, unplug it from the network and replug it.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

View solution in original post

Highlighted

Hello Tom,

thank you very much for your feedback. Your explanation makes sense.

I read it like this:

DO NOT remove the VLAN tag or DO NOT unplug the LAN cable. But this really makes no sense.

So to make it clear:

Changing the VLAN attribute from lets say "10" to "200" will be no problem but deleting the VLAN attribute will let the port remain in the old state, right ? But if I unplug the cable there will be a comnplete new authentication - no matter if there is a VLAN attribute or not (Guest VLAN), right ?

Thank you very much! I really appreciate your help.

Regards,

Alexander Wilke

Highlighted

Correct, if you change the VLAN attribute ON the RADIUS server, then you should unplug the server and plug it back in. The port state won't update and that's why removing and adding the RADIUS back works.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/