09-01-2020 02:14 PM
Hello
I recently purchased some SG250 switches (08's and 18's) and am trying to get 802.1x vlans served from a radius server
It appears that although these switches' manuals state that they can be configured to do so, I cannot see it in my configs.
Specifically, in the Sx250 Series Smart Switches Admin Guide, (2.2.5.x) under Port Host Modes on pages 309 - 310, it states:
"A user can specify that untagged traffic from the authorized host will be remapped to a VLAN that is assigned by a RADIUS server during the authentication process. Tagged traffic is dropped unless it belongs to the RADIUS-assigned VLAN or the unauthenticated VLANs. Radius VLAN assignment on a port is set in the Port Authentication page."
When I go to the Port Authentication page in my mgt console, I see no such option. In fact, this same admin guide's Port Authentication section on page 314 - 316 doesn't appear to document this option either.
Perhaps I've misunderstood this?
Thanks.
09-01-2020 05:45 PM
Yes, when I assign a vlan to the port in the switch config, radius is used for authentication only. The hard configured vlan on the switch port is what the client is presented with, not what's in the radius reply attributes.
Seriously disappointed with Cisco's sg250 products in this regard. I bought these because of this supposed capability within the Admin guide, which I read before purchase.
09-02-2020 04:29 AM
We should be able to troubleshoot this further if you post at least one of your switchport configs. Have you been attempting this on a port configured as an access port?
09-02-2020 05:16 AM
09-02-2020 08:05 AM - edited 09-02-2020 08:12 AM
Flash that firmware back up to 2.5.5.47. That was all obviously unnecessary.
From Sx250 CLI Guide for 2.4.5 (doesn't appear to be an appurtenant guide published for 2.5.5.47), p. 74:
Multi-Host Mode
The multi-host mode manages the authentication status of the port: the port is authorized after at least one host is authorized. When a port is unauthorized and the guest VLAN is enabled, untagged traffic is remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the port, only tagged traffic belonging to the unauthenticated VLANs is bridged. When a port is authorized, untagged and tagged traffic from all hosts connected to the port is bridged based on the static vlan membership configured at the port. [Emphasis added.]
I think you'll probably want to give that entire 802.1X Commands section a read, but it's looking less and less like this "Smart Switch" feature set supports RADIUS attributes.
Two things to try:
09-02-2020 09:14 AM
I'm pretty sure that I've confirmed before that setting vlans on the ports themselves and using radius auth simply sets the hardcoded vlan id. But in the common interest;
0. the switch is back to 2.5.5.47
1. setting the port to vlan 11/access mode and disabling the radius server from sending the attributes: the radius auth works, and the port is set for vlan 11, as expected.
2. set the port for General, 1U,1P,11T, no radius reply attributes, the radius auth works, and the port is set to vlan 1, as expected.
3. your quote about the port being assigned based on the static vlan port configuration - yes, but the very next paragraph is my quote from the manual that states that this behaviour can be overridden by setting the RADIUS VLAN assignment in the Port Authentication page. I see no such option on my Port Authentication pages on my sg250s. That is the crux of the problem, I think.
I think this series of devices are simply configured to not do this and Cisco forgot to remove that part of the manual from the 3xx series or something.
09-02-2020 10:52 AM
Your complete RADIUS and 802.1X configurations on the switch really should be thoroughly audited against all relevant sections of both the 2.5.5 Admin Guide and the 2.4.5 CLI Guide.
Relevant, from Sx250 Admin Guide for 2.5.5, p. 361:
Host Modes with Guest VLAN
The host modes work with guest VLAN in the following way:
• Single-Host and Multi-Host Mode: Untagged traffic and tagged traffic belonging to the guest VLAN arriving on an unauthorized port are bridged via the guest VLAN. All other traffic is discarded. The traffic belonging to an unauthenticated VLAN is bridged via the VLAN.
• Multi-Sessions Mode: Untagged traffic and tagged traffic, which does not belong to the unauthenticated VLANs and that arrives from unauthorized clients, are assigned to the guest VLAN using the TCAM rule and are bridged via the guest VLAN. The tagged traffic belonging to an unauthenticated VLAN is bridged via the VLAN. This mode cannot be configured on the same interface with policy-based VLANs.
If the tunnel-private-group ID attribute is provided as a VLAN name, the VLAN with this name most [sic] be statically configured on the device. If a VLAN ID (2-4094) is used in this attribute, after a supplicant is authenticated, the VLAN will be created dynamically.
The device supports the 802.1x authentication mechanism, as described in the standard, to authenticate and authorize 802.1x supplicants.
No idea why those last two paragraphs seem to be included under that heading, but regardless and again, seems to confirm remapping via RADIUS attribute is possible.
Go back to original zero-config on Port 8 except for 802.1X authentication enabled (i.e. "dot1x port-control auto".)
All other policy-based VLANs (e.g. GVRP) globally disabled?
Security > RADIUS > [check RADIUS server] > Edit > Usage Type: 802.1X . . . is that properly configured? From the 2.5.5 Admin Guide, p. 328:
• Usage Type—Enter the RADIUS server authentication type. The options are:
- Login—RADIUS server is used for authenticating users that ask to administer the device.
- 802.1x—RADIUS server is used for 802.1x authentication.
- All—RADIUS server is used for authenticating user that ask to administer the device and for 802.1X authentication.
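Since the quoted guide keys the remapping on the Tunnel-Private-Group-ID attribute, it helps to confirm exactly what the RADIUS server is putting in its Access-Accept before blaming the switch. The following is an added example, not code from the thread, from Cisco, or from any RADIUS server: it builds a constructed Access-Accept carrying the three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) and then decodes an arbitrary reply to report which VLAN, by ID or by name, the server actually assigned. The function and constant names are my own; the attribute numbers and the tag-byte rule are from RFC 2868.

```python
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2868)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value meaning "IEEE-802"


def build_access_accept(vlan, ident=1, tag=1, code=ACCESS_ACCEPT):
    """Construct a RADIUS reply carrying VLAN tunnel attributes.

    `vlan` is an int (VLAN ID) or str (VLAN name).  The 16-byte Response
    Authenticator is zeroed: this is a constructed sample for exercising the
    attribute encoding, not a packet that would pass integrity checks."""
    attrs = b""
    # Integer tunnel attributes: 1 tag byte followed by a 3-byte big-endian value.
    attrs += bytes([TUNNEL_TYPE, 6, tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    attrs += bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # String tunnel attribute: 1 tag byte followed by the group (VLAN) string.
    group = str(vlan).encode()
    attrs += bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_attributes(packet):
    """Return (code, [(type, raw_value), ...]) from a RADIUS packet, rejecting
    length fields that do not line up with the bytes actually present."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field %d != %d bytes received" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def _tagged_int(value):
    # RFC 2868: high byte is the tag, remaining three bytes are the integer.
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value):
    # RFC 2868: a first byte of 0x00..0x1F is a tag; anything larger is data.
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("utf-8", "replace")
    return 0, value.decode("utf-8", "replace")


def extract_vlan_assignment(packet):
    """Decode the VLAN a RADIUS reply assigns, or None if it assigns nothing.

    Returns {"kind": "id", "vlan": <int>} for a numeric Tunnel-Private-Group-ID
    and {"kind": "name", "vlan": <str>} for a VLAN name (which, per the quoted
    guide, must already exist statically on the switch)."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {"type": .., "medium": .., "group": ..}
    for atype, value in attrs:
        if atype == TUNNEL_TYPE:
            tag, v = _tagged_int(value)
            groups.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = _tagged_int(value)
            groups.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = _tagged_string(value)
            groups.setdefault(tag, {})["group"] = s
    for tag, g in groups.items():
        # All three attributes must share a tag and describe an 802 VLAN tunnel.
        if g.get("type") != TUNNEL_TYPE_VLAN or g.get("medium") != TUNNEL_MEDIUM_IEEE_802:
            continue
        if "group" not in g:
            continue
        group = g["group"]
        if group.isdigit() and 1 <= int(group) <= 4094:
            return {"kind": "id", "vlan": int(group)}
        return {"kind": "name", "vlan": group}
    return None


if __name__ == "__main__":
    # Constructed sample: a reply assigning VLAN 11, as in the thread's tests.
    print(extract_vlan_assignment(build_access_accept(11)))
```

To check a live server, capture its reply with a packet sniffer on the switch's uplink or on the RADIUS host, strip the UDP payload, and feed those bytes to extract_vlan_assignment; if it returns None or the wrong VLAN, the server side is the problem, and if it returns the expected VLAN while the client still lands on the statically configured one, the switch is ignoring the attribute as described in this thread.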
09-02-2020 11:15 AM
Re: your step #1, try configuring Port 8 as a VLAN 1 access port, just to see if you can get it to flip to VLAN 11 after authentication.
Re: your step #2, try 1T, 11P, 11U—if only to see how the switch behaves. We know authentication has to take place on now tagged-but-unauthorized VLAN 1—and then that port will already have been statically configured for all VLAN 11-tagged traffic once authorized.
09-02-2020 11:57 AM
In step 1, the switch assigns VLAN 1.
In step 2, the switch assigns VLAN 11.
To verify step 2, I changed the RADIUS reply to a non-VLAN-11 VLAN and the client still got VLAN 11.
GVRP is globally disabled.
radius config is set to ALL.
09-03-2020 08:56 AM - edited 09-03-2020 11:42 AM
I have tried multiple iterations of config on this switch (disabling smartport, setting the interfaces to NONE for vlan memberships, changing them from access to general ports, and more). I cannot find a way to get this device to assign vlans from radius.
I do not think the sg250 range is incapable of assigning vlans as informed by radius reply attributes and thus the documentation is misleading. Either that, or perhaps there's a bug in the firmware.
Thanks for your help.
09-03-2020 09:39 AM
I think we agree that if it's at all possible, the implementation is pretty terrible. And misleading documentation is an understatement—version ambiguities, copied-and-pasted tables of contents with incorrect pagination, unclear layout, etc. (although my feeling is that the answer probably is buried somewhere). You'd be justified in abandoning this switch on that basis alone.
You're welcome.
09-07-2020 05:51 AM
Just a follow-up for anyone interested / web search on this topic. I acquired replacement SG350 devices and RADIUS-assigned VLANs to access ports work, as does MAC auth.
I will be returning my SG250s. They perform RADIUS auth, but VLAN assignment to access ports uses the local device config.