Cisco Support Community
VMPS support or RADIUS 802.1x in SF-300 ?

Hello

I have purchased quite a number of SF-300-24, SF-300-48 and SF-300-48P switches.

I would like to ask the community if anyone knows whether these devices support VMPS, or if anyone has them operating in a centralized MAC-based 802.1x config?

I would like to be able to centrally assign VLANs to ports based on MAC authentication.

I have the latest firmware installed:

1.3.5.58

Any advice or information would be greatly appreciated! Thank you.

9 REPLIES
VMPS support or RADIUS 802.1x in SF-300 ?

Been 3 days - bumping for reply?

I'm not really interested in the VMPS; I was wondering more about doing MAB authentication to FreeRADIUS.

VMPS support or RADIUS 802.1x in SF-300 ?

Been 3 weeks - bumping for reply?

I'm not really interested in the VMPS; I was wondering more about doing MAB authentication to FreeRADIUS.

VMPS support or RADIUS 802.1x in SF-300 ?

"i would like to be able to centrally assign vlans to ports based on mac authentication."

Yes, this is possible and supported. Just keep in mind the SX300 does not use call station ID in the packet. There is a feature, "DVA", dynamic VLAN assignment.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/
Thanks Tom

I am still searching for documentation on how to accomplish this. I do not have a Cisco ACS server. Has anyone else done this with FreeRADIUS, PacketFence or Active Directory?

Hi Aaron,

I did manage to get DVA working with FreeRADIUS. Please see some settings below:

FreeRADIUS users file:

# MAB entry: the client MAC is the user name and the same string is the password.
# Reply items are indented and comma-separated; the last one carries no trailing comma.
002264c1149a  User-Password := "002264c1149a"
    Tunnel-Type:0 = "VLAN",
    Tunnel-Medium-Type:0 = "IEEE-802",
    Tunnel-Private-Group-Id:0 = "30"
 
Switch SG300 (note this is for the very first firmware, 1.1.2.0, so the commands are grouped differently now with the latest):

interface gi3
dot1x host-mode multi-sessions
exit
vlan database
vlan 30,100
exit
interface vlan 100
dot1x guest-vlan
exit
dot1x system-auth-control
interface range gi1,gi3
dot1x reauthentication
exit
interface range gi1,gi3
dot1x mac-authentication mac-only
exit
interface gi3
dot1x radius-attributes vlan
exit
interface range gi1,gi3
dot1x guest-vlan enable
exit
interface gigabitethernet1
dot1x port-control auto
exit
interface gigabitethernet3
dot1x port-control auto
exit
radius-server host 192.168.1.122 priority 1
radius-server key testing123
aaa authentication dot1x default radius
 
With the latest firmware you have more options added; please take a look at page 443 of the admin guide: http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/Cisco_300Sx_v1_4_AG.pdf?mdfid=283019666
 
Let me know if this is sufficient.
Aleksandra
Wow, thank you! That gives me enough to go on. I will report back how it goes. I just upgraded this SF300 to the latest firmware, SW version 1.4.0.88.

Hi Aaron,

This is a working setup with 1.4.0.88 firmware and boot 1.4.0.02 and FreeRADIUS 2.2.3.

Note: MD5 hash is used.

 

Having some troubles.

I see this in the RADIUS debug log:

 

 rad_recv: Access-Request packet from host 10.1.0.61 port 49205, id=27, length=137
        NAS-IP-Address = 10.1.0.61
        NAS-Port-Type = Ethernet
        NAS-Port = 2
        User-Name = '705812e23a73'
        Acct-Session-Id = '05000028'
        Called-Station-Id = '58-0A-20-A5-B1-15'
        Calling-Station-Id = '70-58-12-E2-3A-73'
        EAP-Message = 0x0200001101373035383132653233613733
        Message-Authenticator = 0x6255717e9a95e2edda5d227709e07a53
(0) WARNING: Empty authorize section.  Using default return values.
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user.
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [705812e23a73/<no User-Password attribute>] (from client mhps-network port 2 cli 70-58-12-E2-3A-73)
(0) Using Post-Auth-Type Reject
(0) WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform requested action.
(0) Finished request 0.

So I set up FreeRADIUS SQL with daloRADIUS to make it easier to manage.

The switch is authenticating but not getting the VLAN.

RADIUS reports:

 

Sending Access-Accept of id 58 to 10.1.0.61 port 49205
        Tunnel-Private-Group-Id:0 = "103"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802

 

 

But on the switch side I'm getting:

28-Nov-2014 13:26:17 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 70:58:12:e2:3a:73 was rejected on port fa2 because Radius accept message does not contain VLAN ID
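An added example, not code from this thread or from Cisco or FreeRADIUS: a small Python decoder for the RFC 2868 tunnel attributes that both Aleksandra's users file and the "103" Access-Accept above rely on, applying the checks a switch doing DVA has to make, so that a captured Accept can be compared with what the server log says it sent. Attribute numbers and the VLAN / IEEE-802 values are the IANA-registered ones; the packet bytes are constructed.

```python
# Added example, not from the thread: decode the RFC 2868 tunnel attributes of a
# RADIUS Access-Accept as a NAS doing DVA must, so a capture can be compared with
# what the server log says was sent. Attribute numbers are IANA's; bytes are constructed.
from typing import Any, Dict, Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def parse_attrs(data: bytes):
    """Yield (type, value) from a RADIUS attribute TLV list (RFC 2865 section 5)."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def vlan_from_accept(attrs: bytes) -> Optional[str]:
    """VLAN the Accept assigns, or None where a strict NAS would report no VLAN ID:
    Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802 and Tunnel-Private-Group-Id, one tag."""
    tunnels: Dict[int, Dict[int, Any]] = {}
    for t, v in parse_attrs(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:                      # tag byte + 3-byte integer
                return None
            tunnels.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # a leading byte <= 0x1F is a tag; anything larger is the first ID byte
            tag, text = (v[0], v[1:]) if v and v[0] <= 0x1F else (0, v)
            tunnels.setdefault(tag, {})[t] = text.decode("ascii", "replace")
    for parts in tunnels.values():
        if (parts.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and parts.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in parts):
            return parts[TUNNEL_PRIVATE_GROUP_ID]
    return None

def attr(t: int, value: bytes) -> bytes:
    return bytes([t, 2 + len(value)]) + value

def tunnel_int(t: int, tag: int, n: int) -> bytes:
    return attr(t, bytes([tag]) + n.to_bytes(3, "big"))

def tunnel_str(t: int, tag: int, s: str) -> bytes:
    return attr(t, (bytes([tag]) if tag else b"") + s.encode("ascii"))

# Constructed sample: the three reply items of the "103" Accept above, all under tag 1.
SAMPLE_ACCEPT = (tunnel_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
                 + tunnel_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
                 + tunnel_str(TUNNEL_PRIVATE_GROUP_ID, 1, "103"))
```

Tag handling is the thing worth comparing between capture and log: the decoder follows RFC 2868, where a leading byte of 0x00 to 0x1F is a tag, and requires all three attributes to share one tag, while which tag values a given NAS accepts is implementation-specific.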

 

 
