04-19-2021 11:18 PM
Hello everyone, I am trying to configure 802.1x authentication with an ICX 7150. We have done the following configuration, and the test client has successfully authenticated with Cloudpath as our RADIUS server, but somehow after the client is authenticated, the client is not being moved to the correct VLAN. Not sure if we have missed any configuration; we tried looking at the example that was given in the configuration guide, but it doesn't seem to help.
Below is our configuration. Our firmware is 80.0.95ba. Thanks in advance!
Current configuration:
!
ver 08.0.95baT211
!
stack unit 1
module 1 icx7150-48zp-poe-port-management-module
module 2 icx7150-8-sfp-plus-port-80g-module
stack-port 1/2/1
stack-port 1/2/3
!
!
!
lag "UPLINK TO FW" dynamic id 1
ports ethe 1/2/7 to 1/2/8
!
!
!
vlan 1 name DEFAULT-VLAN by port
no untagged ethe 1/1/20
!
vlan 2 name "OPEN Net" by port
tagged ethe 1/1/3 to 1/1/10 lag 1
!
vlan 3 name onboarding by port
tagged ethe 1/1/3 to 1/1/10 lag 1
!
vlan 10 name "NETWORK PRINTER" by port
tagged lag 1
!
vlan 11 name TAFEP/ADVISORY by port
tagged lag 1
!
vlan 12 name "TADM/ALL STAFF" by port
tagged lag 1
!
vlan 13 name ACCOUNT by port
tagged lag 1
!
vlan 20 name ADMIN by port
tagged lag 1
untagged ethe 1/1/19
!
vlan 30 name "VIP LAN" by port
tagged lag 1
!
vlan 34 name Kiosk by port
tagged lag 1
!
vlan 50 name "WIFI TAL STAFF" by port
tagged ethe 1/1/3 to 1/1/10 lag 1
!
vlan 51 name "WIFI MOMSC STAFF" by port
tagged lag 1
!
vlan 60 name "WIFI TAL VIP" by port
tagged ethe 1/1/3 to 1/1/10 lag 1
!
vlan 61 name "MOMSC LAN" by port
tagged lag 1
!
vlan 70 name "WIFI TAL GUEST" by port
tagged ethe 1/1/3 to 1/1/10 lag 1
!
vlan 71 name "WIFI MOMSC GUEST" by port
tagged lag 1
!
vlan 100 name MANAGEMENT by port
tagged lag 1
untagged ethe 1/1/1 to 1/1/10
!
vlan 101 name MOMSC-MGMT by port
tagged lag 1
!
vlan 150 name BMS/EMS by port
tagged lag 1
!
vlan 160 name SECURITY by port
tagged lag 1
!
vlan 200 name "SERVER MANAGEMENT" by port
tagged lag 1
!
vlan 201 name "SERVER APPLICATION" by port
tagged lag 1
!
vlan 202 name "SERVER DATABASE" by port
tagged lag 1
!
vlan 300 name VOICE by port
tagged lag 1
!
vlan 301 name "IP PHONE" by port
tagged lag 1
!
!
!
!
!
!
!
!
!
!
!
authentication
auth-default-vlan 20
restricted-vlan 3
auth-fail-action restricted-vlan
dot1x enable
dot1x enable ethe 1/1/20
dot1x port-control auto ethe 1/1/20
dot1x timeout tx-period 5
!
!
!
optical-monitor
aaa authentication web-server default local
aaa authentication dot1x default radius
aaa authentication login default local
aaa authorization coa enable
aaa accounting dot1x default start-stop radius
boot sys fl pri
enable aaa console
hostname TAL-L5-RSW
ip address 10.0.100.65 255.255.255.0 dynamic
ip dns server-address 10.0.200.88
ip default-gateway 10.0.100.254
!
no telnet server
username admin password .....
!
!
radius-client coa host 10.0.100.104 key 2 $RyvygVYvyvYVYV&&**(Y=
radius-server host 10.0.100.104 auth-port 1812 acct-port 1913 default key 2 $RyvygVYvyvYVYV&&**(Y= dot1x
radius-server accounting interim-updates
radius-server accounting interim-interval 5
!
!
no web-management http
!
!
manager active-list 10.0.100.102 10.0.100.101 10.0.100.254
!
manager port-list 987
!
!
interface ethernet 1/1/1
port-name SMARTZONE
!
interface ethernet 1/1/2
port-name SMARTZONE
!
interface ethernet 1/1/3
port-name AP01
!
interface ethernet 1/1/4
port-name AP02
!
interface ethernet 1/1/5
port-name AP03
!
interface ethernet 1/1/6
port-name AP04
!
interface ethernet 1/1/7
port-name AP05
!
interface ethernet 1/1/8
port-name AP06
!
interface ethernet 1/1/9
port-name AP21
!
interface ethernet 1/1/10
port-name AP22
!
interface ethernet 1/1/11
disable
!
interface ethernet 1/1/12
disable
!
interface ethernet 1/1/13
disable
!
interface ethernet 1/1/14
disable
!
interface ethernet 1/1/15
disable
!
interface ethernet 1/1/16
disable
!
interface ethernet 1/1/17
disable
!
interface ethernet 1/1/18
disable
!
interface ethernet 1/1/20
trust dscp
!
interface ethernet 1/1/21
disable
!
interface ethernet 1/1/22
disable
!
interface ethernet 1/1/23
disable
!
interface ethernet 1/1/24
disable
!
interface ethernet 1/1/25
disable
!
interface ethernet 1/1/26
disable
!
interface ethernet 1/1/27
disable
!
interface ethernet 1/1/28
disable
!
interface ethernet 1/1/29
disable
!
interface ethernet 1/1/30
disable
!
interface ethernet 1/1/31
disable
!
interface ethernet 1/1/32
disable
!
interface ethernet 1/1/33
disable
!
interface ethernet 1/1/34
disable
!
interface ethernet 1/1/35
disable
!
interface ethernet 1/1/36
disable
!
interface ethernet 1/1/37
disable
!
interface ethernet 1/1/38
disable
!
interface ethernet 1/1/39
disable
!
interface ethernet 1/1/40
disable
!
interface ethernet 1/1/41
disable
!
interface ethernet 1/1/42
disable
!
interface ethernet 1/1/43
disable
!
interface ethernet 1/1/44
disable
!
interface ethernet 1/1/45
disable
!
interface ethernet 1/1/46
disable
!
interface ethernet 1/1/47
disable
!
interface ethernet 1/1/48
disable
!
interface ethernet 1/2/2
speed-duplex 1000-full
!
interface ethernet 1/2/3
no optical-monitor
!
interface ethernet 1/2/4
speed-duplex 1000-full
!
interface ethernet 1/2/5
speed-duplex 1000-full
!
interface lag 1
speed-duplex 1000-full
!
!
!
ip access-list extended acl1
sequence 10 permit ip any any
!
!
!
!
!
!
!
!
!
!
!
end
04-20-2021 10:47 PM
Hi Daniel,
Are you trying to deploy 802.1x authentication with dynamic VLAN assignment?
Usually, when authentication succeeds, the client is moved to the VLAN returned by the RADIUS server.
When the RADIUS server does not return any VLAN information upon authentication, the client is authenticated and remains in the auth-default VLAN.
Please refer to the link below for more info and use cases.
Configuring the RADIUS server to support dynamic VLAN assignment for authentication (commscope.com)
Thanks
Jijo