VMPS support or RADIUS 802.1x in SF-300 ?

Aaron Sheard
Level 1

Hello

I have purchased quite a number of SF-300-24, SF-300-48 and SF-300-48P switches.

I would like to ask the community if anyone knows whether these devices support VMPS, or if anyone has them operating in a centralized MAC-based 802.1X config?

I would like to be able to centrally assign VLANs to ports based on MAC authentication.

I have the latest firmware installed:

1.3.5.58

Any advice or information would be greatly appreciated! Thank you.

9 Replies

Aaron Sheard
Level 1

Been 3 days - bumping for a reply?

I'm not really interested in VMPS; I was wondering more about doing MAB authentication to FreeRADIUS.

Been 3 weeks - bumping for a reply?

I'm not really interested in VMPS; I was wondering more about doing MAB authentication to FreeRADIUS.

"i would like to be able to centrally assign vlans to ports based on mac authentication."

Yes this is possible and supported. Just keep in mind the SX300 does not use call station ID in the packet. There is a feature "DVA", dynamic VLAN assignment.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/


Thanks Tom.

I am still searching for documentation on how to accomplish this. I do not have a Cisco ACS server. Has anyone else done this with FreeRADIUS, PacketFence or Active Directory?

Hi Aaron,

I did manage to get DVA working with FreeRADIUS. Please see below some settings:

Freeradius users file:

# MAB entry: the MAC address is both the username and the password.
# Reply items go on indented continuation lines; the last one takes no trailing comma.
002264c1149a  User-Password := "002264c1149a"
        Tunnel-Type:0 = "VLAN",
        Tunnel-Medium-Type:0 = "IEEE-802",
        Tunnel-Private-Group-Id:0 = "30"
 
switch SG300 (note this is for the very first firmware 1.1.2.0, so the commands are grouped differently now with the latest):
interface gi3
dot1x host-mode multi-sessions
exit
vlan database
vlan 30,100
exit
interface vlan 100
dot1x guest-vlan
exit
dot1x system-auth-control
interface range gi1,gi3
dot1x reauthentication
exit
interface range gi1,gi3
dot1x mac-authentication mac-only
exit
interface gi3
dot1x radius-attributes vlan
exit
interface range gi1,gi3
dot1x guest-vlan enable
exit
interface gigabitethernet1
dot1x port-control auto
exit
interface gigabitethernet3
dot1x port-control auto
exit
radius-server host 192.168.1.122 priority 1
radius-server key testing123
aaa authentication dot1x default radius
switch3ba5e1#
 
With the latest firmware you have more options added; please take a look at page 443 of the admin guide: http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/Cisco_300Sx_v1_4_AG.pdf?mdfid=283019666
 
Let me know if this is sufficient.
Aleksandra

Wow, thank you! That gives me enough to go on - I will report back how it goes. I just upgraded this SF300 to the latest firmware, SW version 1.4.0.88.

Hi Aaron,

This is a working setup with 1.4.0.88 firmware and boot 1.4.0.02 and FreeRADIUS 2.2.3.

Note MD5 hash is used.

 

Having some troubles.

I see this in the RADIUS debug log:

 

 rad_recv: Access-Request packet from host 10.1.0.61 port 49205, id=27, length=137
        NAS-IP-Address = 10.1.0.61
        NAS-Port-Type = Ethernet
        NAS-Port = 2
        User-Name = '705812e23a73'
        Acct-Session-Id = '05000028'
        Called-Station-Id = '58-0A-20-A5-B1-15'
        Calling-Station-Id = '70-58-12-E2-3A-73'
        EAP-Message = 0x0200001101373035383132653233613733
        Message-Authenticator = 0x6255717e9a95e2edda5d227709e07a53
(0) WARNING: Empty authorize section.  Using default return values.
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user.
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [705812e23a73/<no User-Password attribute>] (from client mhps-network port 2 cli 70-58-12-E2-3A-73)
(0) Using Post-Auth-Type Reject
(0) WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
(0) Finished request 0.

So I set up FreeRADIUS SQL with daloRADIUS to make it easier to manage.

The switch is authenticating but not getting the VLAN.

RADIUS reports:

 

Sending Access-Accept of id 58 to 10.1.0.61 port 49205
        Tunnel-Private-Group-Id:0 = "103"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802

 

 

But on the switch side I'm getting:

28-Nov-2014 13:26:17 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 70:58:12:e2:3a:73 was rejected on port fa2 because Radius accept message does not contain VLAN ID
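As an added check (not from this thread, Cisco, or FreeRADIUS), the Python below parses the freeradius -X lines quoted above: it decodes the EAP-Message to show the switch sends the MAC as the EAP Identity with no User-Password, confirms User-Name matches Calling-Station-Id, and validates the tunnel attributes of an Access-Accept. The thread's own Access-Accept passes, so the rejection the switch logs is not one of the attribute-format mistakes this check catches.

```python
import re

# Constructed from the debug lines quoted in this thread (switch 10.1.0.61, client 70-58-12-E2-3A-73).
REQUEST_DEBUG = """\
rad_recv: Access-Request packet from host 10.1.0.61 port 49205, id=27, length=137
        User-Name = '705812e23a73'
        Calling-Station-Id = '70-58-12-E2-3A-73'
        EAP-Message = 0x0200001101373035383132653233613733
"""
ACCEPT_DEBUG = """\
Sending Access-Accept of id 58 to 10.1.0.61 port 49205
        Tunnel-Private-Group-Id:0 = "103"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
"""
REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}  # RFC 2868/3580 VLAN attributes
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*=\s*(.+?)\s*$")

def parse_attrs(debug_text):
    """Collect 'Name[:tag] = value' lines from freeradius -X output into {name: (tag, value)}."""
    out = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, tag, val = m.groups()
            out[name] = (tag, val.strip("\"'"))
    return out

def eap_identity(hexstr):
    """Decode an EAP-Response/Identity (code 2, type 1) and return the identity, else None."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(pkt) < 5 or pkt[0] != 2 or pkt[4] != 1:
        return None
    return pkt[5:int.from_bytes(pkt[2:4], "big")].decode("ascii", "replace")

def mab_request_ok(attrs):
    """mac-only requests carry the MAC as User-Name and EAP Identity, no password: the MAC is the only credential."""
    user = attrs.get("User-Name", ("", ""))[1].lower()
    csid = re.sub(r"[^0-9a-f]", "", attrs.get("Calling-Station-Id", ("", ""))[1].lower())
    ident = eap_identity(attrs["EAP-Message"][1]) if "EAP-Message" in attrs else None
    return bool(re.fullmatch(r"[0-9a-f]{12}", user)) and user == csid and ident == user

def dva_problems(attrs):
    """Reasons the switch could not take a VLAN from this Access-Accept; empty list means the set is complete."""
    probs = [f"{n} missing or not {v}" for n, v in REQUIRED.items() if attrs.get(n, ("", ""))[1] != v]
    gid = attrs.get("Tunnel-Private-Group-Id", ("", ""))[1]
    if not (gid.isdigit() and 1 <= int(gid) <= 4094):
        probs.append("Tunnel-Private-Group-Id is not a VLAN ID")
    if len({attrs[n][0] for n in (*REQUIRED, "Tunnel-Private-Group-Id") if n in attrs}) > 1:
        probs.append("tunnel attributes carry mismatched tags")
    return probs
```

Run it against a saved freeradius -X capture to separate "the reply is malformed" from "the switch did not apply a well-formed reply"; since the MAC is the whole credential here, the VLAN assignment is only as trustworthy as the port's exposure to MAC spoofing.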