Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3070
Views
5
Helpful
9
Replies

VMPS support or RADIUS 802.1x in SF-300 ?

Aaron Sheard
Level 1
Level 1

‎02-11-2014 03:10 PM

Hello

i have purchased quite a number of SF-300-24 SF-300-48 and SF-300-48P switches.

i would like to ask the community if anyone knows if these devices support VMPS or if anyone has them operating in a centralized mac-based 802.1x config ?

i would like to be able to centrally assign vlans to ports based on mac authentication.

i have the latest firmware installed 

1.3.5.58

any advice or information would be greatly appreciated! thank you.

1 person had this problem
Labels:
0 Helpful
9 Replies 9

Aaron Sheard
Level 1
Level 1

‎02-14-2014 01:14 PM

been 3 days - bumping for reply?

im not really interested in the vmps was wondering more about doing MAB authentication to freeradius

0 Helpful

Aaron Sheard
Level 1
Level 1
In response to Aaron Sheard

‎03-06-2014 11:17 AM

been 3 weeks- bumping for reply?

im not really interested in the vmps was wondering more about doing MAB authentication to freeradius

0 Helpful

Tom Watts
VIP Alumni
VIP Alumni
In response to Aaron Sheard

‎03-06-2014 11:35 AM

"i would like to be able to centrally assign vlans to ports based on mac authentication."

Yes this is possible and supported. Just keep in mind the SX300 does not use call station ID in the packet. There is a feature "DVA", dynamic VLAN assignment.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
0 Helpful

Aaron Sheard
Level 1
Level 1
In response to Tom Watts

‎11-18-2014 09:31 AM

thanks Tom

i am still searching for documentation on how to accomplish this. i do not have a Cisco ACS server. has anyone else done this with freeradius, packetfence or Active Directory?

0 Helpful

Aleksandra Dargiel
Cisco Employee
Cisco Employee
In response to Aaron Sheard

‎11-19-2014 11:09 AM

Hi AAron,

I did manage to get DVA working with free radius. Please see below some settings:

Freeradius users file:

002264c1149a  User-Password := "002264c1149a"
Tunnel-Type:0 = "VLAN",
Tunnel-Medium-Type:0 = "IEEE-802",
Tunnel-Private-Group-Id:0 = "30",
 
switch SG300 (note this is for the very first firmware 1.1.2.0 so the command are grouped differently now with the latest) :
interface  gi3
dot1x host-mode multi-sessions
exit
vlan database
vlan 30,100
exit
interface vlan 100
dot1x guest-vlan
exit
dot1x system-auth-control
interface range gi1,gi3
dot1x reauthentication
exit
interface range gi1,gi3
dot1x mac-authentication mac-only
exit
interface  gi3
dot1x radius-attributes vlan
exit
interface range gi1,gi3
dot1x guest-vlan enable
exit
interface gigabitethernet1
dot1x port-control auto
exit
interface gigabitethernet3
dot1x port-control auto
exit
radius-server host 192.168.1.122 priority 1
radius-server key testing123
aaa authentication dot1x default radius
switch3ba5e1#
 
with latest firmware you have more options added, please take a look at the page 443 of admin guide: http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/Cisco_300Sx_v1_4_AG.pdf?mdfid=283019666
 
Let me know if this is sufficient.
Aleksandra

Aaron Sheard
Level 1
Level 1
In response to Aleksandra Dargiel

‎11-19-2014 02:20 PM

wow thank you! that gives me enough to go on - i will report back how it goes. i just upgraded this SF300 to the latest firmware SW version    1.4.0.88

0 Helpful

Aleksandra Dargiel
Cisco Employee
Cisco Employee
In response to Aaron Sheard

‎12-01-2014 02:10 AM

Hi Aaron,

This is a working setup with 1.4.0.88 firmware and boot 1.4.0.02 and freeRadius 2.2.3.

Note MD5 hash is used.

 

radius_only.zip
18 KB
0 Helpful

Aaron Sheard
Level 1
Level 1
In response to Aleksandra Dargiel

‎11-28-2014 09:49 AM

having some troubles

i see this in the radius debug log

 

 rad_recv: Access-Request packet from host 10.1.0.61 port 49205, id=27, length=137
        NAS-IP-Address = 10.1.0.61
        NAS-Port-Type = Ethernet
        NAS-Port = 2
        User-Name = '705812e23a73'
        Acct-Session-Id = '05000028'
        Called-Station-Id = '58-0A-20-A5-B1-15'
        Calling-Station-Id = '70-58-12-E2-3A-73'
        EAP-Message = 0x0200001101373035383132653233613733
        Message-Authenticator = 0x6255717e9a95e2edda5d227709e07a53
(0) WARNING: Empty authorize section.  Using default return values.
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user.
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [705812e23a73/<no User-Password attribute>] (from client mhps-network port 2 cli 70-58-12-E2-3A-73)
(0) Using Post-Auth-Type Reject
(0) WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
(0) Finished request 0.

0 Helpful

Aaron Sheard
Level 1
Level 1
In response to Aaron Sheard

‎11-28-2014 12:26 PM

so i set up freeradius sql with daloradius to make it easier to manage.

the switch is authenticating but not getting the vlan

radius reports:

 

Sending Access-Accept of id 58 to 10.1.0.61 port 49205
        Tunnel-Private-Group-Id:0 = "103"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802

 

 

but on the switch side im getting:

28-Nov-2014 13:26:17 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 70:58:12:e2:3a:73 was rejected on port fa2 because Radius accept message does not contain VLAN ID

 

 

0 Helpful
Customers Also Viewed These Support Documents