Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1859
Views
5
Helpful
3
Replies

802.1x authetication with dynamic Vlan assignment by a radius server

Go to solution
wouter.leeuwerck
Level 1
Level 1

‎12-28-2014 02:18 AM

Hi

At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.

When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.

I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.

What does work:
- If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
- When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 

So far so good.

But what doesn't work:
- it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
- I can not find the Guest VLAN.

Any help would be appriciated.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aleksandra Dargiel
Cisco Employee
Cisco Employee
In response to wouter.leeuwerck

‎01-05-2015 11:10 AM

Hi Wouter,

Yes you are right, 200 series do not support DVA. Only 300 or 500 have this settings at the interface level.

Aleksandra

View solution in original post

3 Replies 3

Go to solution
Aleksandra Dargiel
Cisco Employee
Cisco Employee

‎12-28-2014 11:06 PM

Hi Wouter,

Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:

http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1

I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Aleksandra 

0 Helpful

Go to solution
wouter.leeuwerck
Level 1
Level 1
In response to Aleksandra Dargiel

‎01-05-2015 07:25 AM

Hi Aleksandra

I believe the SG200 series is not able to move users to a radius-predefined VLAN.
It can only enable or disable the port depending on the user/client that logs on to the network.

I tried a SG300-10P and it works with this device.  This one also supports guest VLAN's.

Can you confirm this?

0 Helpful

Go to solution
Aleksandra Dargiel
Cisco Employee
Cisco Employee
In response to wouter.leeuwerck

‎01-05-2015 11:10 AM

Hi Wouter,

Yes you are right, 200 series do not support DVA. Only 300 or 500 have this settings at the interface level.

Aleksandra

Customers Also Viewed These Support Documents