SG200-26: dynamic VLAN - 802.1X

Nachtfalkeaw
Level 1

Last week I got my SG200-26 (SLM2024T-EU). The data sheet says that the switch works with dynamic VLAN assignment over 802.1X.

IEEE 802.1X
(Authenticator role)
802.1X: RADIUS authentication and accounting, MD5 hash
Supports time-based 802.1X
Dynamic VLAN assignment

The authentication on freeRADIUS works. A client could get access to the network after entering username and password, but the client is not assigned to a VLAN. I used Wireshark to sniff the authorisation process between the switch and the freeRADIUS server, and the VLAN information was transmitted to the switch.

I would appreciate it if someone could give me some help on how to configure the switch to work with dynamic VLAN assignment and freeRADIUS. If you need some more information, please let me know. I will add it here as far as possible.

Thank you very much!

Alexander


23 Replies

nimusell
Level 1

Hello Alexander,

Thank you for participating in the Support Community. My name is Nico Muselle from Cisco Sofia STAC.

The VLAN(s) that you want to assign the client to, have they been created on the switch and have they been assigned to the port statically? If the answer to both questions is yes, I don't really see a reason why it would not work.

If you have tried it with this configuration and it still does not work, it would be good to attach a Wireshark capture both from the port connecting to the Radius server and the port connecting to the client so we can compare both of them.

Hope this helped.

Best regards,

Nico Muselle

Sr. Network Engineer - CCNA

Hello Nico,

Thank you for your reply.

I will show you my scenario a little more in detail and explain, what I have configured:

I have got one server/router with a VLAN capable NIC connected to Port g1 on the switch. On the router I created 2 VLANs with VLAN-ID 5 and VLAN-ID 6.

Both VLAN "NICs" have a static IP address and a DHCP server is running for each VLAN. On the same server a freeRADIUS server is running as well.

Now I did the following configuration on the switch:

1. I assigned a static IP on the switch.

2. SECURITY -> RADIUS:

I added the RADIUS Server IP address and the key string (same on switch and freeRADIUS) and I ticked Usage-Type: 802.1X

3. SECURITY -> 802.1X -> Properties

Port-Based Authentication: Enabled is ticked

RADIUS

4. SECURITY -> 802.1X -> Port Authentication

Administrative Port Control: Auto is ticked

5. VLAN-Management --> Create VLAN

VLAN-ID 5

Descr. VLAN5

VLAN-ID 6

Descr. VLAN6

I think the configuration is correct up to this point, isn't it?

I would very much appreciate it if you could give me advice on the further steps, like the port mode (Access, Trunk or General) for the clients which connect to the switch, and whether tagged or untagged.

I have port g1 in trunk mode and VLAN5 and VLAN6 are tagged because my NIC is VLAN capable. But the other clients which connect to the switch do not have a VLAN capable NIC, and these clients should get their VLAN assigned dynamically.

I attached the pcap file which contains the authentication between freeRADIUS and the SG200-26 (Port g1).

Thank you very much in advance!

Alexander

Hello again,

This post is in addition to my previous post. On the basis of the 5 steps I described in my last post, I tried several other things:

I tried this with interface port g10 in trunk and general mode.

I tried "Port to VLAN" and selected VLAN5 and VLAN6 on port g10 in untagged mode; it didn't work with dynamic VLAN assignment.

I tried "VLAN to port" and added VLAN5 and VLAN6 to port g10.

I attached a config picture of the VLAN Port Membership and a Wireshark capture of the connection between the switch and the client. To get this, I did port mirroring.

I feel like the switch is not able to do what the data sheet says/what I want, or I did a wrong configuration. Please give some advice!

Thank you.

This is the config-file of the running config.

Hello Alexander,

At first sight the switch configuration seems OK, which brings me to the configuration of FreeRadius. Would it be possible for you to post the config file of FreeRadius as well? My guess is that not all necessary parameters have been defined in FreeRadius.

Best regards,

Nico

Hello,

There are several config files. Please let me know if you need other files.

I attached the radiusd.conf, eap.conf and users files.

Thanks

Hi Alexander,


The configuration of FreeRadius is not always very straightforward. As asked in one of the previous posts, could you also do port mirroring on the RADIUS server side of the switch so we can see exactly what information FreeRadius is sending to the switch?

If the switch is not receiving the VLAN information, of course it cannot apply it, therefore we need to make sure first that the switch is receiving the information configured in FreeRadius.

Thanks for providing this pcap file.

Best regards,

Nico Muselle

Sr. Network Engineer - CCNA

Hello Nico,

As you could read in my second post from 15.03.2011 02:48, I attached this .pcap file. Please feel free to have a look at it and let me know if you need more information!

This is a short excerpt of the attachment of the post I pointed to in the sentence above:

(...)

Sending Access-Challenge of id 0 to 172.17.0.2 port 49154

        Tunnel-Type:0 = VLAN

        Tunnel-Medium-Type:0 = IEEE-802

        Tunnel-Private-Group-Id:0 = "6"

        EAP-Message = 0x010300160410d1da01d80b6d0ebb00804a954c594c4c

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x19efefe709c34ca322c0867311b9e3e7

Finished request 4

(...)

Login OK: [vlan5/] (from client switch port 57 cli 00-0B-5D-93-0F-4E)

Sending Access-Accept of id 0 to 172.17.0.2 port 49154

        Tunnel-Type:0 = VLAN

        Tunnel-Medium-Type:0 = IEEE-802

        Tunnel-Private-Group-Id:0 = "6"

        EAP-Message = 0x03030004

        Message-Authenticator = 0x00000000000000000000000000000000

        User-Name = "vlan5"

(...)

--- Walking the entire request list ---

Cleaning up request 5 ID 0 with timestamp 4d7dc41e

Nothing to do.  Sleeping until we see a request.

Thank you.
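Added example (not from this thread and not FreeRADIUS or Cisco code): a small Python checker that parses the kind of radiusd -X output quoted above and verifies, for every Access-Accept, that the three RFC 3580 attributes the switch needs are present (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = the VLAN number) and that the VLAN exists on the switch. This is the check Nico describes as the first step: confirm the switch is actually receiving the VLAN information before blaming the switch. The sample debug text and the set of configured VLANs are constructed for the example; the second Accept is deliberately missing the attributes to show the failure report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the radiusd -X excerpt in the thread above.
# The second Access-Accept has no tunnel attributes on purpose.
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 0 to 172.17.0.2 port 49154
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "6"
        EAP-Message = 0x010300160410d1da01d80b6d0ebb00804a954c594c4c
        State = 0x19efefe709c34ca322c0867311b9e3e7
Finished request 4
Login OK: [vlan5/] (from client switch port 57 cli 00-0B-5D-93-0F-4E)
Sending Access-Accept of id 0 to 172.17.0.2 port 49154
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "6"
        EAP-Message = 0x03030004
        User-Name = "vlan5"
Sending Access-Accept of id 1 to 172.17.0.2 port 49155
        EAP-Message = 0x03030004
        User-Name = "novlan"
"""

# "Sending <code> of id <n> to <ip> port <p>" opens a packet in the debug log.
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
# Attribute lines are indented; the optional ":0" is the RFC 2868 tunnel tag.
ATTR_RE = re.compile(r"^\s+([\w-]+)(?::(\d+))? = (.*)$")


@dataclass
class Reply:
    code: str
    pkt_id: int
    client: str
    attrs: dict = field(default_factory=dict)


def parse_replies(text):
    """Group indented attribute lines under the 'Sending ...' line above them."""
    replies = []
    current = None
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = Reply(m.group(1), int(m.group(2)), m.group(3))
            replies.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            name, _tag, value = m.groups()
            current.attrs[name] = value.strip('"')
        elif current is not None and line.strip():
            current = None  # any other non-empty line ends the packet dump
    return replies


def check_vlan_assignment(reply, configured_vlans):
    """Return a list of problems for one Access-Accept; an empty list means OK."""
    if reply.code != "Access-Accept":
        return []  # only the Accept authorises the port; Challenge attrs are not applied
    a = reply.attrs
    problems = []
    if a.get("Tunnel-Type") != "VLAN":
        problems.append("Tunnel-Type missing or not VLAN (13)")
    if a.get("Tunnel-Medium-Type") != "IEEE-802":
        problems.append("Tunnel-Medium-Type missing or not IEEE-802 (6)")
    gid = a.get("Tunnel-Private-Group-Id")
    if gid is None:
        problems.append("Tunnel-Private-Group-Id missing")
    elif not gid.isdigit():
        # RFC 3580 allows a VLAN name here, but a numeric ID is what most switches expect.
        problems.append(f"Tunnel-Private-Group-Id {gid!r} is not a numeric VLAN ID")
    elif int(gid) not in configured_vlans:
        problems.append(f"VLAN {gid} is not created on the switch")
    return problems


def audit(text, configured_vlans):
    """Map (packet id, User-Name) -> problem list for every Access-Accept in the log."""
    return {
        (r.pkt_id, r.attrs.get("User-Name")): check_vlan_assignment(r, configured_vlans)
        for r in parse_replies(text)
        if r.code == "Access-Accept"
    }


if __name__ == "__main__":
    # {5, 6} stands in for the VLANs created under VLAN Management on the switch.
    for key, probs in audit(SAMPLE_DEBUG, {5, 6}).items():
        print(key, "OK" if not probs else "; ".join(probs))
```

Run it against a real radiusd -X log by replacing SAMPLE_DEBUG with the file contents and the VLAN set with the IDs created on the switch. A clean result for the Accept means the RADIUS side is done and the remaining work is on the switch (port mode and VLAN membership); a missing attribute or a VLAN the switch does not have points back at the users file.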

Hi,

Two weeks and no feedback?!

Do you need more information?

Isn't there anybody who could tell me why your Cisco switches are not doing what they should and what the tech paper says?

Is it a bug in the 1.0.0.19 firmware?

I am a little bit disappointed about the Cisco support, a company which is a leading network supplier.

Hi Alexander,

Sorry for the late reply. I just noticed that you are using FW 1.0.0.19; could you please try and upgrade to 1.0.0.27, which is the latest version available on the Cisco website, and let me know how it is going.

I would like to try replicating your issue here in the lab, but I have been terribly busy lately, so due to a lack of time I haven't been able to work on your case yet. I would strongly suggest you contact the Cisco Small Business Support Center closest to you, as with a case logged you are more likely to get quick and personalized answers. Also, a remote session could be done to collect eventual additional data etc.

To find your local support center number, please click here

Best regards,

Nico Muselle

Sr. Network Engineer - CCNA

Hello Nico,

please tell me where to find the latest FW 1.0.0.27. I can only find 1.0.0.19 under this link:

http://www.cisco.com/cisco/software/release.html?mdfid=283771818&flowid=24301&softwareid=282463182&release=1.0.0.19&rellifecycle=&relind=AVAILABLE&reltype=latest

I am working for the German Police Academy in Wiesbaden and, like everywhere in the public sector, it takes a very long time to get an account or bill of delivery... and without this information I do not know how to sign on in the CISCO.com Profile Manager, because there I need "Cisco Certified Partner Initiated Customer Access (PICA) Partners" or other things.

Nevertheless, thank you for your help and taking the time for this problem!

Alexander

Hey Alexander,

You can just create a guest account on this link, this is sufficient to log a case for you in our system.

As far as the firmware is concerned, you can download it here, you can even download the German language file for the web interface from that link if you would like to.

To open a case: as these switches are new and have a limited lifetime warranty, there should not be any problem with opening a case while just providing the serial number of the switch and your newly created Cisco user ID (CCOID). If you call the toll-free number in Germany, my German-speaking colleagues will be glad to assist you with this problem.

Best regards,

Nico Muselle

Sr. Network Engineer - CCNA

Hi Nico,

The link you have is for a 300 series switch; his issue is with a 200 series switch, so are you telling us they both use the same firmware?

Thanks,

Phil

My mistake Phil, for the 200 series the last FW version is indeed 1.0.0.19