Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cannot get SG300 switch to send RADIUS messages for 802.1x

I  want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.

The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:

Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized

And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:

Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized

However I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using WireShark on my RADIUS server to watch for messages from the SG300 IP Address and I'm using WireShark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup.)

Here is my configuration:

  • Switch - 10.1.1.3

  • RADIUS (Microsoft NPS)- 10.1.1.15

  • Switch Usage Type - All (Login and 802.1x)

 

Port 7 configuration:

  • VLAN Mode is General

  • Host Authentication is Single Host Authentication

  • Administrative Port Control is Auto

  • RADIUS VLAN Assignment is Disabled

  • Guest VLAN is Enabled

  • 802.1x Based Authentication is Enabled

 

Additional Configurations under Security - 802.1x/MAC/Web Authentication:

  • Port Based Authentication is Enabled

  • Authentication Method is RADIUS

  • Guest VLAN is Enabled

  • Guest VLAN ID is 2

  • All of my VLANs are enabled for Authentication

 

I've got to be missing something but I do not know what that something is.

 

One last note:

The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, WireShark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.

 

Everyone's tags (1)
1 REPLY
Cisco Employee

Hi,This is my working

Hi,

This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:

interface  gi3
dot1x host-mode multi-sessions
exit
vlan database
vlan 30,100
exit
interface vlan 100
dot1x guest-vlan
exit
dot1x system-auth-control
interface range gi1,gi3
dot1x reauthentication
exit
interface range gi1,gi3
dot1x mac-authentication mac-only
exit
interface  gi3
dot1x radius-attributes vlan
exit
interface range gi1,gi3
dot1x guest-vlan enable
exit
interface gigabitethernet1
dot1x port-control auto
exit
interface gigabitethernet3
dot1x port-control auto
exit
radius-server host 192.168.1.122 priority 1
radius-server key testing123
aaa authentication dot1x default radius
switch3ba5e1#

 

 

Regards,

Aleksandra

154
Views
0
Helpful
1
Replies
CreatePlease to create content