Ethernet Switching

getting default vlan IP on 802.1x

Monday

Hi guys,

We've configured dynamic VLAN 802.1X authentication on RADIUS. After a user gets authenticated, it gets a default VLAN IP instead of the IP associated with the VLAN. DHCP IPs for the designated VLAN already worked before 802.1X was configured. See the config below and the output of "show dot1x interface detail".

Config:

set interfaces interface-range SOMI-VC1-M0-0-46 member-range ge-0/0/0 to ge-0/0/46
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control default

set interfaces irb unit 1 family inet address 192.168.190.253/24
set interfaces irb unit 189 family inet address 172.16.189.254/24

set protocols dot1x authenticator authentication-profile-name SOMI-AD
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 supplicant multiple
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 retries 2
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 transmit-period 2
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 mac-radius
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 guest-vlan Guest

set firewall family ethernet-switching filter Guest_Access term DC_Allow from ip-destination-address 172.16.x.7/32
set firewall family ethernet-switching filter Guest_Access term DC_Allow from ip-destination-address 172.16.x.9/32
set firewall family ethernet-switching filter Guest_Access term DC_Allow then accept
set firewall family ethernet-switching filter Guest_Access term Block_LAN from ip-destination-address 172.16.0.0/16
set firewall family ethernet-switching filter Guest_Access term Block_LAN then discard
set firewall family ethernet-switching filter Guest_Access term Allow_Internet from ip-destination-address 0.0.0.0/0
set firewall family ethernet-switching filter Guest_Access term Allow_Internet then accept

set access radius-server 172.16.x.9 secret "$9$M108LN-dw4oZ8XYoZjPfO1IRylX7-"
set access radius-server 172.16.x.9 source-address 172.16.x.254
set access profile SOMI-AD authentication-order radius
set access profile SOMI-AD radius accounting-server 172.16.x.9
set access profile SOMI-AD accounting order radius
set access profile SOMI-AD accounting accounting-stop-on-failure
set access profile SOMI-AD accounting accounting-stop-on-access-deny
set access profile SOMI-AD accounting send-acct-status-on-config-change

set vlans Miscellaneous vlan-id 189
set vlans Miscellaneous l3-interface irb.189
set vlans Miscellaneous forwarding-options dhcp-security
set vlans default vlan-id 1
set vlans default l3-interface irb.1

===========================

root> show dot1x interface ge-0/0/0 detail
ge-0/0/0.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 2
Quiet period: 60 seconds
Transmit period: 2 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: Guest

Number of connected supplicants: 1
Supplicant: SYNERGYOCEAN\shivram, 34:E6:D7:3D:5F:92
Operational state: Authenticated
Backend Authentication state: Idle
Authentication method: Radius
Authenticated VLAN: Directors
Session Reauth interval: 3600 seconds
Reauthentication due in 1715 seconds


Re: getting default vlan IP on 802.1x

Monday

Hi K1mffrey,

A few queries to help resolve this one:

a) Do you see this for all authenticated users? How many? If only a subset, worth checking anything common.

b) Believe you have the VLAN assigned dynamically via RADIUS attribute here? Please ensure the switch has the "Directors" VLAN created. You mentioned it worked without dot1x, so I assume it's there, but at least the config snippet in the post didn't show it.

set vlans Directors vlan-id xxx


c) Please ensure the MAC address of the client is learnt on the right VLAN:

show ethernet-switching table vlan Directors
show ethernet-switching table vlan default

Note the supplicant MAC didn't read correctly on the post, so please check on it.

d) If the above doesn't help, then it's likely tending towards a software issue.  Please enable dot1x traces once and redo the authentication to try and troubleshoot:

set protocols dot1x traceoptions file DOT1X
set protocols dot1x traceoptions file size 10m
set protocols dot1x traceoptions file files
set protocols dot1x traceoptions flag all

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
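Checks b) and c) from the reply above can be automated so that every authenticated supplicant is cross-checked against the switch's MAC table rather than eyeballed one at a time. The script below is an added example, not code from the thread or from Juniper: it parses the text of "show dot1x interface <ifd> detail" and "show ethernet-switching table" (the sample output is constructed to mirror the layout shown in the thread; column spacing on a real switch may differ) and reports any supplicant whose dynamically assigned VLAN is missing from the switch or whose MAC was learnt in a different VLAN, such as "default". The MAC addresses, user names and VLAN set are constructed placeholders.

```python
"""Cross-check 802.1X dynamic VLAN assignment against the MAC table.

Added example (not from the thread). Parses 'show dot1x interface detail'
and 'show ethernet-switching table' text and flags supplicants whose
authenticated VLAN does not exist on the switch or whose MAC was learnt
in another VLAN. Sample CLI output below is constructed, not captured.
"""
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
IFL_RE = re.compile(r"^[a-z]+-\d+/\d+/\d+(?:\.\d+)?$")  # e.g. ge-0/0/0.0
TABLE_ROW_RE = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>[0-9a-f:]{17})\s+(?P<flags>\S+)\s+"
    r"(?P<age>\S+)\s+(?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Supplicant:
    interface: str
    name: str
    mac: str
    state: str = ""
    vlan: str = ""


def parse_dot1x_detail(text):
    """Return one Supplicant per 'Supplicant:' block in dot1x detail output."""
    supplicants, interface, current = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if IFL_RE.match(line):          # logical interface header line
            interface = line
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Supplicant":         # 'Supplicant: DOMAIN\user, aa:bb:...'
            m = MAC_RE.search(value)
            if m is None:
                raise ValueError(f"unparseable supplicant line: {line}")
            name = value[: m.start()].rstrip(", ")
            current = Supplicant(interface, name, m.group(1).lower())
            supplicants.append(current)
        elif current is not None and key == "Operational state":
            current.state = value
        elif current is not None and key == "Authenticated VLAN":
            current.vlan = value
    return supplicants


def parse_switching_table(text):
    """Map each learnt MAC (lower-case) to (vlan name, logical interface)."""
    entries = {}
    for line in text.splitlines():
        m = TABLE_ROW_RE.match(line)
        if m:
            entries[m.group("mac").lower()] = (m.group("vlan"), m.group("iface"))
    return entries


def check_dynamic_vlans(dot1x_text, table_text, configured_vlans):
    """Return (mac, problem) tuples; an empty list means everything lines up."""
    findings = []
    learnt = parse_switching_table(table_text)
    for s in parse_dot1x_detail(dot1x_text):
        if s.state != "Authenticated":
            continue
        if s.vlan not in configured_vlans:   # reply's check b)
            findings.append((s.mac, f"authenticated VLAN '{s.vlan}' is not configured on the switch"))
        entry = learnt.get(s.mac)            # reply's check c)
        if entry is None:
            findings.append((s.mac, "MAC not present in ethernet-switching table"))
        elif entry[0] != s.vlan:
            findings.append((s.mac, f"MAC learnt in VLAN '{entry[0]}' on {entry[1]}, expected '{s.vlan}'"))
    return findings


# Constructed sample output: alice lands in 'default' although RADIUS said 'Directors'.
SAMPLE_DOT1X = """\
ge-0/0/0.0
Role: Authenticator
Supplicant mode: Multiple
Guest VLAN member: Guest

Number of connected supplicants: 2
Supplicant: EXAMPLE\\alice, 00:11:22:33:44:55
Operational state: Authenticated
Backend Authentication state: Idle
Authentication method: Radius
Authenticated VLAN: Directors
Supplicant: EXAMPLE\\bob, 00:11:22:33:44:66
Operational state: Authenticated
Authentication method: Radius
Authenticated VLAN: Miscellaneous
"""

SAMPLE_TABLE = """\
Ethernet switching table : 2 entries, 2 learned
Routing instance : default-switch
   Vlan                MAC                 MAC         Age    Logical
   name                address             flags              interface
   default             00:11:22:33:44:55   D             -   ge-0/0/0.0
   Miscellaneous       00:11:22:33:44:66   D             -   ge-0/0/0.0
"""

# Constructed: 'Directors' deliberately absent, as in the reply's check b).
CONFIGURED_VLANS = {"default", "Miscellaneous", "Guest"}

if __name__ == "__main__":
    for mac, problem in check_dynamic_vlans(SAMPLE_DOT1X, SAMPLE_TABLE, CONFIGURED_VLANS):
        print(f"{mac}: {problem}")
```

On a live switch, feed the two command outputs in (for example from `show ... | no-more` captures) and build `configured_vlans` from `show vlans`; a supplicant reported as authenticated to a VLAN that the table does not confirm is the case where the dot1x traces from check d) are worth collecting.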