
Does the Cisco SG250-08 support ISE-authorized VLAN assignment on the authenticated port?

Vitus
Level 1

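I see that this product supports 802.1X authentication, but after authentication succeeds the port cannot be placed into the authorized VLAN? ISE shows that the authorization was applied correctly, but the client can never join the authorized VLAN, and there is no RADIUS VLAN assignment option.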

Accepted Solutions

Martin Aleksandrov
Cisco Employee

Hi Vitus,

You should move to Sx350/Sx550 families to have these features viable. Please refer to the following thread for more information: https://community.cisco.com/t5/small-business-support-documents/windows-integrated-802-1x-authentication-authorization-accouting/ta-p/3146208

Regards,

Martin

4 Replies

Vitus
Level 1

The configuration is as follows:

C250-60#sho running-config
config-file-header
C250-60
v2.5.5.47 / RTESLA2.5.5_930_364_286
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
vlan database
vlan 36-54,251,254
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
errdisable recovery cause loopback-detection
errdisable recovery cause port-security
errdisable recovery cause dot1x-src-address
errdisable recovery cause acl-deny
errdisable recovery cause stp-loopback-guard
errdisable recovery cause storm-control
bonjour interface range vlan 1
hostname C250-60
line ssh
exec-timeout 30
exit
line telnet
exec-timeout 30
exit
encrypted radius-server host 172.18.21.200 timeout 5 retransmit 2 key rpMdN6/lRydwoT3s= priority 10 usage dot1.x
encrypted radius-server host 172.18.21.201 timeout 5 retransmit 1 key rpMmn5+dN6/lRydwoT3s= usage dot1.x
username admin password encrypted 057a1a548cd07494e45c7 privilege 15
ip ssh server
ip ssh password-auth
ip ssh pubkey-auth
ip ssh-client username admin
encrypted ip ssh-client password FFbrXgdtS+i4=

ip http timeout-policy 1800
clock timezone CN +8
sntp server 172.1.1.24 poll
sntp server 172.1.1.20 poll
ip domain name co.com
ip name-server 172.8.1.6
!
interface vlan 1
no ip address dhcp
shutdown
!
interface vlan 251
ip address 172.19.25.60 255.255.255.0
!
interface vlan 254
dot1x guest-vlan
!
interface GigabitEthernet1
spanning-tree link-type point-to-point
switchport mode trunk
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface GigabitEthernet3
dot1x guest-vlan enable
dot1x port-control auto
!
interface GigabitEthernet4
dot1x guest-vlan enable
dot1x reauthentication
dot1x timeout quiet-period 10
dot1x timeout supp-timeout 5
dot1x port-control auto
!
interface GigabitEthernet6
dot1x guest-vlan enable
dot1x port-control auto
switchport mode general
!
exit
macro auto enabled
ip igmp snooping
ip default-gateway 172.19.25.1

Vitus
Level 1

Is there an online TAC engineer who can help answer this question?

Martin Aleksandrov
Cisco Employee

Hi Vitus,

You should move to Sx350/Sx550 families to have these features viable. Please refer to the following thread for more information: https://community.cisco.com/t5/small-business-support-documents/windows-integrated-802-1x-authentication-authorization-accouting/ta-p/3146208

Regards,

Martin

OMG, maybe I have made a mistake; I bought the wrong device type.