SG300: Can't assign a VLAN with 802.1x + freeradius

colin hostert
Level 1

We recently got an SG300-10 and are trying to get dynamic VLAN assignment working via 802.1x and freeradius. We got it so that the client plugged into the SG300 would correctly auth, i.e. I can see this in "show dot1x users":

         

                          MAC               Auth   Auth   Session        VLAN

Port     Username         Address           Method Server Time

-------- ---------------- ----------------- ------ ------ -------------- ----

gi7      testuser         58:55:ca:24:19:d4 802.1X Remote 00:04:39


However, the client does not appear to be on the correct VLAN, or on any VLAN at all. If I change the port from "dot1x radius-attributes vlan static" to "dot1x radius-attributes vlan" then the client can't auth at all (which is expected since it can't get the VLAN info back).

The users file from freeradius looks like this:

testuser  Cleartext-Password := "testpassword"
        ##Tunnel-Tag = 0,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-Id = "104"

In the eap.conf file there is this line set:

                        copy_request_to_tunnel = yes

Running config:

net055#show running-config
config-file-header
net055
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
default-vlan vlan 3333
exit
vlan database
vlan 1,100,104,111
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname net055
line console
exec-timeout 30
exit
line ssh
exec-timeout 0
exit
encrypted radius-server host 172.16.200.57 key #REMOVED priority 10 usage dot1.x
radius-server host source-interface vlan 100
management access-list mlist2
permit ip-source 172.16.202.0 mask 255.255.255.0
permit ip-source 172.16.200.0 mask 255.255.255.0
exit
management access-class mlist2
logging buffered debugging
aaa authentication enable default enable none
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted #REMOVED
no service password-recovery
no passwords complexity enable
passwords aging 0
username #REMOVED password encrypted #REMOVED privilege 15
username #REMOVED password encrypted #REMOVED privilege 15
ip ssh server
ip ssh password-auth
ip http timeout-policy 1800 https-only
no ip http server
tacacs-server timeout 10
clock timezone " " 0 minutes 0
clock source sntp
!
interface vlan 100
ip address 172.16.200.21 255.255.255.0
no ip address dhcp
!
interface vlan 104
name gen-0-Gnv-204.0
!
interface vlan 111
name guest-0-Gnv-10-66-61.0
dot1x guest-vlan
!
interface gigabitethernet1
switchport trunk allowed vlan add 100,104,111
!
interface gigabitethernet7
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 104 untagged
no macro auto smartport
!
exit
ip default-gateway 172.16.200.1

It looks like there was a similar issue here, but it seems to have never been resolved:

https://supportforums.cisco.com/message/3336810#3336810

Accepted Solution

nategeouge
Level 1

Hi all,

 

I work with Colin and this ended up being a radius issue. In the eap.conf file, for peap (phase 1 auth), we needed to enable copy_request_to_tunnel AND use_tunneled_reply:

                peap {

                        #  The tunneled EAP session needs a default
                        #  EAP type which is separate from the one for
                        #  the non-tunneled EAP module.  Inside of the
                        #  PEAP tunnel, we recommend using MS-CHAPv2,
                        #  as that is the default type supported by
                        #  Windows clients.
                        default_eap_type = mschapv2

                        #  the PEAP module also has these configuration
                        #  items, which are the same as for TTLS.

                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes

 

Afterwards we were able to see the replies for the test user with the vlan-id displaying once per reply.

 

Cheers!

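The fix above works because `use_tunneled_reply` copies the inner-tunnel reply attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) into the outer Access-Accept, which is the only reply the switch ever sees. As an added example that is not part of this thread or of FreeRADIUS, the Python below decodes those RFC 2868 attributes from a constructed Access-Accept for the thread's `testuser` entry (VLAN 104, tag 0 since `Tunnel-Tag` is commented out) and reports whether a switch could apply a VLAN from it; the attribute numbers and tag rules are from RFC 2868 and RFC 3580, the byte strings are constructed here.

```python
# Added example (not from the thread): check that a RADIUS Access-Accept carries
# the RFC 2868 tunnel attributes an SG300 needs for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type "VLAN" and Tunnel-Medium-Type "IEEE-802" (RFC 3580)

def parse_avps(data: bytes) -> list:
    """Split a RADIUS attribute region into (type, value) pairs (RFC 2865 TLVs)."""
    avps, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        avps.append((t, data[i + 2:i + length]))
        i += length
    return avps

def tagged_int(value: bytes) -> tuple:
    """Tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return value[0], int.from_bytes(value[1:4], "big")

def tagged_string(value: bytes) -> tuple:
    """Tunnel-Private-Group-Id: the first byte is a tag only if it is 0x00..0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")

def vlan_from_access_accept(attrs: bytes) -> tuple:
    """Return (vlan_id, 'ok') if the switch can use the reply, else (None, reason)."""
    found = {}
    for t, v in parse_avps(attrs):
        if t == TUNNEL_TYPE:
            found["type"] = tagged_int(v)
        elif t == TUNNEL_MEDIUM_TYPE:
            found["medium"] = tagged_int(v)
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            found["group"] = tagged_string(v)
    missing = [k for k in ("type", "medium", "group") if k not in found]
    if missing:  # the thread's symptom: inner-tunnel reply never reached the outer Access-Accept
        return None, "missing " + ", ".join(missing)
    if found["type"][1] != VLAN or found["medium"][1] != IEEE_802:
        return None, "not a VLAN over IEEE-802 tunnel"
    if len({found[k][0] for k in found}) != 1:  # all three must share one tag (here tag 0)
        return None, "tag mismatch between tunnel attributes"
    return int(found["group"][1]), "ok"

def avp(t: int, value: bytes) -> bytes: return bytes([t, len(value) + 2]) + value

# Constructed replies for the thread's users-file entry (VLAN 104), not real captures.
GOOD_REPLY = (avp(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))
              + avp(TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802.to_bytes(3, "big"))
              + avp(TUNNEL_PRIVATE_GROUP_ID, b"104"))
BAD_REPLY = avp(TUNNEL_PRIVATE_GROUP_ID, b"104")  # group id alone, type and medium missing
```

Feeding a real Access-Accept's attribute region (everything after the 20-byte RADIUS header) to `vlan_from_access_accept` tells you whether the VLAN attributes actually left the server, which separates a RADIUS-side problem like this one from a switch-side one.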

2 Replies

Tom Watts
VIP Alumni

Hi Colin,

please check out

https://supportforums.cisco.com/thread/2164263

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
