We've configured dynamic VLAN 802.1X authentication on RADIUS. After a user gets authenticated, it gets the default VLAN IP instead of the IP associated with the VLAN. DHCP IPs for the designated VLAN already worked before 802.1X was configured. See the config below and the output of "show dot1x interface detail".
set interfaces interface-range SOMI-VC1-M0-0-46 member-range ge-0/0/0 to ge-0/0/46
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control default

set interfaces irb unit 1 family inet address 192.168.190.253/24
set interfaces irb unit 189 family inet address 172.16.189.254/24

set protocols dot1x authenticator authentication-profile-name SOMI-AD
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 supplicant multiple
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 retries 2
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 transmit-period 2
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 mac-radius
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 guest-vlan Guest

set firewall family ethernet-switching filter Guest_Access term DC_Allow from ip-destination-address 172.16.x.7/32
set firewall family ethernet-switching filter Guest_Access term DC_Allow from ip-destination-address 172.16.x.9/32
set firewall family ethernet-switching filter Guest_Access term DC_Allow then accept
set firewall family ethernet-switching filter Guest_Access term Block_LAN from ip-destination-address 172.16.0.0/16
set firewall family ethernet-switching filter Guest_Access term Block_LAN then discard
set firewall family ethernet-switching filter Guest_Access term Allow_Internet from ip-destination-address 0.0.0.0/0
set firewall family ethernet-switching filter Guest_Access term Allow_Internet then accept

set access radius-server 172.16.x.9 secret "$9$M108LN-dw4oZ8XYoZjPfO1IRylX7-"
set access radius-server 172.16.x.9 source-address 172.16.x.254
set access profile SOMI-AD authentication-order radius
set access profile SOMI-AD radius accounting-server 172.16.x.9
set access profile SOMI-AD accounting order radius
set access profile SOMI-AD accounting accounting-stop-on-failure
set access profile SOMI-AD accounting accounting-stop-on-access-deny
set access profile SOMI-AD accounting send-acct-status-on-config-change

set vlans Miscellaneous vlan-id 189
set vlans Miscellaneous l3-interface irb.189
set vlans Miscellaneous forwarding-options dhcp-security
set vlans default vlan-id 1
set vlans default l3-interface irb.1

root> show dot1x interface ge-0/0/0 detail
ge-0/0/0.0
  Role: Authenticator
  Administrative state: Auto
  Supplicant mode: Multiple
  Number of retries: 2
  Quiet period: 60 seconds
  Transmit period: 2 seconds
  Mac Radius: Disabled
  Mac Radius Restrict: Disabled
  Reauthentication: Enabled
  Reauthentication interval: 3600 seconds
  Supplicant timeout: 30 seconds
  Server timeout: 30 seconds
  Maximum EAPOL requests: 2
  Guest VLAN member: Guest
  Number of connected supplicants: 1
    Supplicant: SYNERGYOCEAN\shivram, 34:E67:3D:5F:92
      Operational state: Authenticated
      Backend Authentication state: Idle
      Authentication method: Radius
      Authenticated VLAN: Directors
      Session Reauth interval: 3600 seconds
      Reauthentication due in 1715 seconds

a) Do you see this for all authenticated users? How many? If only a subset, worth checking anything common.
b) Believe you have the VLAN assigned dynamically via RADIUS attribute here? Please ensure the switch has the "Directors" VLAN created. You mentioned it worked without dot1x, so I assume it's there, but at least the config snippet in the post didn't show it.
set vlans Directors vlan-id xxx
c) Please ensure the MAC address of the client is learnt on the right VLAN:
show ethernet-switching table vlan Directors
show ethernet-switching table vlan default
Note the supplicant MAC didn't read correctly on the post, so please check on it.
d) If the above doesn't help, then it's likely tending towards a software issue. Please enable dot1x traces once and redo the authentication to try and troubleshoot:
set protocols dot1x traceoptions file DOT1X
set protocols dot1x traceoptions file size 10m
set protocols dot1x traceoptions file files
set protocols dot1x traceoptions flag all
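
Check (b) from the reply above can be scripted. The following is an added example, not part of the original thread: it cross-checks the VLANs that dot1x depends on (the configured guest-vlan and the "Authenticated VLAN" reported by the switch) against the `set vlans` statements in a saved configuration. The sample input is trimmed from the post, the function names are hypothetical, and a VLAN is treated as defined if it matches either a configured name or a vlan-id.

```python
import re

# Constructed sample input, trimmed from the configuration and CLI output posted above.
CONFIG = """\
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 guest-vlan Guest
set vlans Miscellaneous vlan-id 189
set vlans Miscellaneous l3-interface irb.189
set vlans default vlan-id 1
set vlans default l3-interface irb.1
"""
DOT1X_DETAIL = """\
ge-0/0/0.0
  Guest VLAN member: Guest
  Number of connected supplicants: 1
      Operational state: Authenticated
      Authenticated VLAN: Directors
"""

def defined_vlans(config):
    """Map VLAN name -> vlan-id for every 'set vlans NAME vlan-id N' line."""
    pattern = r"^set vlans (\S+) vlan-id (\d+)[ \t]*$"
    return {m[1]: m[2] for m in re.finditer(pattern, config, re.M)}

def referenced_vlans(config, dot1x_detail):
    """Collect VLANs that dot1x relies on, with the place each one was seen."""
    refs = {}
    guest = r"^set protocols dot1x authenticator interface \S+ guest-vlan (\S+)"
    for m in re.finditer(guest, config, re.M):
        refs.setdefault(m[1], set()).add("guest-vlan (config)")
    for m in re.finditer(r"^\s*Authenticated VLAN:\s*(\S+)", dot1x_detail, re.M):
        refs.setdefault(m[1], set()).add("Authenticated VLAN (show dot1x)")
    return refs

def missing_vlans(config, dot1x_detail):
    """Return {vlan: sorted sources} for VLANs dot1x uses but the config lacks."""
    vlans = defined_vlans(config)
    known = set(vlans) | set(vlans.values())  # match by name or by numeric ID
    return {name: sorted(sources)
            for name, sources in referenced_vlans(config, dot1x_detail).items()
            if name not in known}

if __name__ == "__main__":
    for name, sources in missing_vlans(CONFIG, DOT1X_DETAIL).items():
        print(f"VLAN {name!r} not defined in supplied config; seen in: {', '.join(sources)}")
```

Run against the full `show configuration | display set` output rather than a snippet, so that a VLAN defined elsewhere in the configuration is not reported as missing.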