Cat 3750 Switch: Dynamic vlan assignment

Unanswered Question
Dec 7th, 2009

Hey guys,

I am trying to configure 802.1x on the switch and authenticate users against a Radius server. My radius server is FreeRadius running on Redhat. The authentication works fine but the switch just doesn't take the VLAN assigned by the server. I captured the packets between the server and the switch The cap file is attached here. Can anybody please verify that all the attributes are there and are all correct?

The client laptop is running Windows XP and it's using EAP-MD5. The laptop in on port F1/0/1. Here is the configuration on the switch:

aaa new-model

aaa authentication dot1x default group radius none

aaa authorization network default group radius none


interface FastEthernet1/0/1
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x reauthentication
dot1x guest-vlan 17
dot1x auth-fail vlan 18
spanning-tree portfast


radius-server host auth-port 1812 acct-port 1813 key xxxxxx


I also tried to debug dot1x errors and there is no output so I guess there is no errors... Any advise is appreciated! Thank you!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
kush.sri2001 Wed, 12/09/2009 - 21:19


Please run the following debugs:

- debug dot1x all

- debug radius

- debug aaa authentication

these debugs would tell us if the radius server is sending the response and if the switch is accepting it.



Difan Zhao Fri, 12/11/2009 - 09:37

Hey Kush, thanks for reply! I did those debugs and I will upload them here. In the debug radius the output is saying that unknow cisco AVP type. I think the switch just doesn't like the Freeradius's attributes. I think what I will do is that I will setup ACS server (with the evaluation software) and configure it to dynamically assign vlan and use the wireshark to watch the attributes sent by the server and adjust my Freeradius setting accordingly and see if that helps...


This Discussion