EX4200 - virtual routers seem to stop dot1x from working
We are using 11.1R2.3 on a chassis stack of EX4200 switches.
I've been working on getting dot1x implemented on the switches, in conjunction with a Microsoft NPS RADIUS server, so that we can do dynamic VLAN switching for users depending on whether or not they are a guest and, if they are staff, what sort of employee they are.
Here is the problem: if I have the virtual router configuration in place, dot1x stops ... dead. There is NO traffic coming from the switch to the RADIUS server to perform any authentication. Remove the virtual router parts and dot1x starts working again.
What do I need to do to have dot1x working in conjunction with the virtual routers, please?
The switch's main interface is in the same VLAN, as shown in the routing table:
VR_Private.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:56:25
                    > to 184.108.40.206 via vlan.211
10.100.1.254/32    *[Local/0] 00:56:24
                      Reject
10.100.2.0/24      *[Direct/0] 00:56:24
                    > via vlan.102
10.100.2.254/32    *[Local/0] 00:56:24
                      Local via vlan.102
10.100.3.0/24      *[Direct/0] 00:56:24
                    > via vlan.103
10.100.3.254/32    *[Local/0] 00:56:24
                      Local via vlan.103
10.100.4.0/24      *[Direct/0] 00:56:25
                    > via vlan.104
10.100.4.254/32    *[Local/0] 00:56:25
                      Local via vlan.104
220.127.116.11/32  *[Local/0] 00:56:24
                      Reject
18.104.22.168/25   *[Direct/0] 00:56:24
                    > via vlan.91
22.214.171.124/32  *[Local/0] 00:56:24
                      Local via vlan.91
126.96.36.199/25   *[Direct/0] 00:56:25
                    > via vlan.211
188.8.131.52/32    *[Local/0] 00:56:25
                      Local via vlan.211
So 184.108.40.206 is in the same VLAN as the RADIUS server, and that VLAN is in VR_Private.
So why does the switch suddenly think there isn't a route to the RADIUS server?
Note that the lines do not end with vlan.211 as they do for the physical interfaces on the switch, e.g.:
220.127.116.11/32 dest 0 0:15:5d:4:7:21 ucst 1631 1 vlan.211
Indeed, any of the IP addresses that have been assigned to the switch for RVIs or anything else don't get listed in a VLAN, but they are being listed in the VR_Private.inet routing table, so I'm still stumped on this one.