SG300: Can't assign a VLAN with 802.1x + freeradius

We recently got an SG300-10 and are trying to get dynamic VLAN assignment working via 802.1x and freeradius. We got it so that the client plugged into the SG300 would correctly auth, i.e. I can see this in "show dot1x users":

                          MAC               Auth   Auth   Session        VLAN
Port     Username         Address           Method Server Time
-------- ---------------- ----------------- ------ ------ -------------- ----
gi7      testuser         58:55:ca:24:19:d4 802.1X Remote 00:04:39


However the client does not appear to be on the correct VLAN, or on any VLAN at all. If I change the port from "dot1x radius-attributes vlan static" to "dot1x radius-attributes vlan" then the client can't auth at all (which is expected since it can't get the VLAN info back).

The users file from freeradius looks like this:

testuser  Cleartext-Password := "testpassword"
        ##Tunnel-Tag = 0,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-Id = "104"

In the eap.conf file there is this line set:

        copy_request_to_tunnel = yes

Running config:

net055#show running-config
config-file-header
net055
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
default-vlan vlan 3333
exit
vlan database
vlan 1,100,104,111
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname net055
line console
exec-timeout 30
exit
line ssh
exec-timeout 0
exit
encrypted radius-server host 172.16.200.57 key #REMOVED priority 10 usage dot1.x
radius-server host source-interface vlan 100
management access-list mlist2
permit ip-source 172.16.202.0 mask 255.255.255.0
permit ip-source 172.16.200.0 mask 255.255.255.0
exit
management access-class mlist2
logging buffered debugging
aaa authentication enable default enable none
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted #REMOVED
no service password-recovery
no passwords complexity enable
passwords aging 0
username #REMOVED password encrypted #REMOVED privilege 15
username #REMOVED password encrypted #REMOVED privilege 15
ip ssh server
ip ssh password-auth
ip http timeout-policy 1800 https-only
no ip http server
tacacs-server timeout 10
clock timezone " " 0 minutes 0
clock source sntp
!
interface vlan 100
ip address 172.16.200.21 255.255.255.0
no ip address dhcp
!
interface vlan 104
name gen-0-Gnv-204.0
!
interface vlan 111
name guest-0-Gnv-10-66-61.0
dot1x guest-vlan
!
interface gigabitethernet1
switchport trunk allowed vlan add 100,104,111
!
interface gigabitethernet7
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 104 untagged
no macro auto smartport
!
exit
ip default-gateway 172.16.200.1

It looks like there was a similar issue here, but it seems to have never been resolved:

https://supportforums.cisco.com/message/3336810#3336810

1 ACCEPTED SOLUTION

Hi all,

I work with Colin and this ended up being a radius issue. In the eap.conf file, for peap (phase 1 auth), we needed to enable copy_request_to_tunnel AND use_tunneled_reply:

        peap {
                #  The tunneled EAP session needs a default
                #  EAP type which is separate from the one for
                #  the non-tunneled EAP module.  Inside of the
                #  PEAP tunnel, we recommend using MS-CHAPv2,
                #  as that is the default type supported by
                #  Windows clients.
                default_eap_type = mschapv2

                #  the PEAP module also has these configuration
                #  items, which are the same as for TTLS.
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }

Afterwards we were able to see the replies for the test user with the vlan-id displaying once per reply.

Cheers!
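As an added example (not part of the thread), a small Python checker that applies the two conditions this fix rests on: the peap block of eap.conf must set both copy_request_to_tunnel and use_tunneled_reply, and the user's reply items must carry Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id. The eap.conf and users-file text below are constructed samples mirroring the thread; the password is a placeholder.

```python
import re

# Constructed eap.conf peap block and users-file entry (placeholder password) mirroring the thread.
EAP_CONF = """peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
}
"""
USERS_ENTRY = """testuser  Cleartext-Password := "PLACEHOLDER"
        ##Tunnel-Tag = 0,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-Id = "104"
"""
REQUIRED_PEAP = {"copy_request_to_tunnel": "yes", "use_tunneled_reply": "yes"}
REQUIRED_REPLY = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

def peap_settings(text):
    """Key/value pairs inside the peap { } block, with # comments stripped."""
    m = re.search(r"peap\s*\{(.*?)\n\}", text, re.S)
    settings = {}
    for line in (m.group(1) if m else "").splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            settings[k] = v
    return settings

def reply_attrs(entry):
    """Reply items of a users-file entry (lines after the check line), ignoring commented ones."""
    attrs = {}
    for line in entry.splitlines()[1:]:
        line = line.strip().rstrip(",")
        if line and not line.startswith("#"):
            k, v = (s.strip() for s in line.split("=", 1))
            attrs[k] = v.strip('"')
    return attrs

def check_vlan_assignment(eap_conf, users_entry):
    """Reasons the switch would not receive a VLAN; an empty list means the reply is complete."""
    problems = []
    peap = peap_settings(eap_conf)
    for k, want in REQUIRED_PEAP.items():
        if peap.get(k) != want:
            problems.append(f"peap: {k} must be {want} (found {peap.get(k)!r})")
    attrs = reply_attrs(users_entry)
    for a in REQUIRED_REPLY:
        if a not in attrs:
            problems.append(f"users: missing reply attribute {a}")
    return problems
```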

2 REPLIES

Hi Colin,

please check out

https://supportforums.cisco.com/thread/2164263

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/
