Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1298
Views
0
Helpful
2
Replies

SG300 Guest VLAN issue

Dmitry Chernyavsky
Level 1
Level 1

‎06-07-2019 05:44 AM

Hello, folks.
I`m successfully configured 3 Cisco SG300-28 to use Dynamic 802.1x VLANs and Guest VLAN at the same time, so if device doesn't respond to auth request, then Guest VLAN applied to the port. All works excellent, checked with Windows and Mac laptops.

But after that i started to configure another switches - SG300-52, and cannot get same result with same config. I see that device received auth-request, and after few seconds port switched as untagged in Guest VLAN, but no future traffic is exchanged after that (except periodic auth-requests), at least what i see in wireshark on laptop.

vlan database
vlan 10-19,1234
exit

dot1x system-auth-control
radius-server host 192.168.1.10 priority 20 usage dot1.x
radius-server host source-interface vlan 1
radius-server deadtime 10
aaa accounting dot1x start-stop group radius
!
interface vlan 18
 name "VLAN 18"
 dot1x guest-vlan
!
interface vlan 1234
 name "Fake VLAN to be U on port"
!
interface gigabitethernet3
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x radius-attributes vlan static
 dot1x port-control auto
 switchport mode access
 switchport access vlan 1234

I tried to set VLAN 18 just untagged on port, without any other dot1x settings - everything is good, traffic is passed. When device support 802.1x and successfully passed authentication -  everything is good too.

 

But this SG300-52 just not work as i expect! And with same config and firmware (really same, i checked twice!) SG300-28 worked great!
What i can do with this?

Labels:
0 Helpful
2 Replies 2

riteshsh
Cisco Employee
Cisco Employee

‎06-21-2019 04:32 AM

Hi,

 

My name is Ritesh Sharma from Cisco TAC.

 

We need to check the VLAN tagging and membership on each port of the switch.

 

I would be best if you can open a case with us for further investigation on this issue.

Please click on the link below and open a case with us:

https://mycase.cloudapps.cisco.com/case

 

Regards 

Ritesh Sharma

0 Helpful

Dmitry Chernyavsky
Level 1
Level 1
In response to riteshsh

‎06-25-2019 02:50 AM

Weird, but it`s started to work when i disabled loopback-detection on our SG350 (not 300).
So, only spanning-tree is now enabled - it`s enough for us.

SG350 is part of setup, but they not involved in any Guest VLAN settings, only pass-trough all VLANs to the router.

0 Helpful
Customers Also Viewed These Support Documents