01-23-2014 01:00 PM
We recently got SG300-10 and are trying to get dynamic vlan assignment working via 802.1x and freeradius. We got it so that the client plugged into the SG300 would correctly auth, IE I can see this in "show dot1x users":
Port  Username  MAC Address        Auth Method  Auth Server  Session Time  VLAN
----  --------  -----------------  -----------  -----------  ------------  ----
gi7   testuser  58:55:ca:24:19:d4  802.1X       Remote       00:04:39
However, the client does not appear to be on the correct VLAN, or on any VLAN at all. If I change the port from "dot1x radius-attributes vlan static" to "dot1x radius-attributes vlan" then the client can't auth at all (which is expected since it can't get the VLAN info back).
The users file from freeradius looks like this:
testuser    Cleartext-Password := "testpassword"
            ##Tunnel-Tag = 0,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Type = VLAN,
            Tunnel-Private-Group-Id = "104"
In the eap.conf file there is this line set:
copy_request_to_tunnel = yes
Running config:
net055#show running-config
config-file-header
net055
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
default-vlan vlan 3333
exit
vlan database
vlan 1,100,104,111
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname net055
line console
exec-timeout 30
exit
line ssh
exec-timeout 0
exit
encrypted radius-server host 172.16.200.57 key #REMOVED priority 10 usage dot1.x
radius-server host source-interface vlan 100
management access-list mlist2
permit ip-source 172.16.202.0 mask 255.255.255.0
permit ip-source 172.16.200.0 mask 255.255.255.0
exit
management access-class mlist2
logging buffered debugging
aaa authentication enable default enable none
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted #REMOVED
no service password-recovery
no passwords complexity enable
passwords aging 0
username #REMOVED password encrypted #REMOVED privilege 15
username #REMOVED password encrypted #REMOVED privilege 15
ip ssh server
ip ssh password-auth
ip http timeout-policy 1800 https-only
no ip http server
tacacs-server timeout 10
clock timezone " " 0 minutes 0
clock source sntp
!
interface vlan 100
ip address 172.16.200.21 255.255.255.0
no ip address dhcp
!
interface vlan 104
name gen-0-Gnv-204.0
!
interface vlan 111
name guest-0-Gnv-10-66-61.0
dot1x guest-vlan
!
interface gigabitethernet1
switchport trunk allowed vlan add 100,104,111
!
interface gigabitethernet7
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 104 untagged
no macro auto smartport
!
exit
ip default-gateway 172.16.200.1
It looks like there was a similar issue here, but it seems to have never been resolved:
https://supportforums.cisco.com/message/3336810#3336810
03-12-2014 08:47 AM
Hi all,
I work with Colin and this ended up being a radius issue. In the eap.conf file, for peap (phase 1 auth),
we needed to enable copy_request_to_tunnel AND use_tunneled_reply:
peap {
    # The tunneled EAP session needs a default
    # EAP type which is separate from the one for
    # the non-tunneled EAP module. Inside of the
    # PEAP tunnel, we recommend using MS-CHAPv2,
    # as that is the default type supported by
    # Windows clients.
    default_eap_type = mschapv2
    # the PEAP module also has these configuration
    # items, which are the same as for TTLS.
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
}
Afterwards we were able to see the replies for the test user with the vlan-id displaying once per reply.
Cheers!
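An added example, not from this thread or from FreeRADIUS, showing what the fix above changes on the wire: the switch only assigns the VLAN when the outer Access-Accept carries the three RFC 2868 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id), which is exactly what use_tunneled_reply copies out of the PEAP inner reply. The code encodes those attributes and checks an attribute blob the way a NAS would; both sample replies are constructed, and the attribute type numbers are the RFC 2868 values.

```python
import struct

# RFC 2868 attribute types a NAS expects in the Access-Accept for dynamic VLAN
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID as a string, e.g. "104"


def tagged_int(attr_type, value, tag=0):
    """Encode a tagged integer attribute: type, length, tag byte, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=0):
    """Encode a tagged string attribute: type, length, tag byte, string bytes."""
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def parse_attrs(blob):
    """Split a RADIUS attribute blob into (type, value_bytes) pairs."""
    attrs, pos = [], 0
    while pos < len(blob):
        a_type, a_len = blob[pos], blob[pos + 1]
        if a_len < 2 or pos + a_len > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((a_type, blob[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def assigned_vlan(blob):
    """Return the VLAN ID the NAS would apply, or None if the reply lacks the attributes."""
    tunnel_type = medium = group = None
    for a_type, value in parse_attrs(blob):
        if a_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")   # skip the tag byte
        elif a_type == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte <= 0x1F is a tag; anything larger is already string data,
            # so servers that omit the tag on this attribute are handled too.
            group = (value[1:] if value and value[0] <= 0x1F else value).decode()
    return group if tunnel_type == 13 and medium == 6 and group else None


# Constructed sample replies. The first mimics the outer Access-Accept when the
# inner-tunnel reply is not copied out: the user authenticates, but no VLAN attributes.
USER_NAME = struct.pack("!BB", 1, 2 + len(b"testuser")) + b"testuser"
ACCEPT_WITHOUT_VLAN = USER_NAME
ACCEPT_WITH_VLAN = (USER_NAME + tagged_int(TUNNEL_TYPE, 13)
                    + tagged_int(TUNNEL_MEDIUM_TYPE, 6)
                    + tagged_string(TUNNEL_PRIVATE_GROUP_ID, "104"))
```

Feeding the attribute bytes of a real Access-Accept (for example captured between the switch and the RADIUS server) to assigned_vlan gives a quick check of whether the symptom in the first post (authenticated but no VLAN) is a missing-attribute problem.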
02-04-2014 04:09 PM
Hi Colin,
please check out
https://supportforums.cisco.com/thread/2164263
-Tom
Please mark answered for helpful posts