Unsolved
9 Posts
0
powerconnect 54xx 62xx + freeradius + 802.1x + dva = bug ?
Hello,
I am trying to set up Dynamic VLAN Assignment. The client passed authentication but it didn't get any VLAN. I see the packet from FreeRADIUS to the pc6248 with the VLAN ID to set, but the switch doesn't do this. On the console I got:
radius_api.c(1058) 654 %% RADIUS: radiusAccountingNamedStart(): Could not get atleast one named Server'
UNKN[126427680]: dot1x_radius.c(1128) 655 %% dot1xRadiusAccountingStart: error calling radiusAccountingStart, ifIndex=10
I set this up on D-Link switches (DES-3026) and it works correctly, so I think there is some bug in the PowerConnect software? Does anyone have a working PowerConnect with FreeRADIUS and Dynamic VLAN Assignment?
Thanks for any clue
popo
My users file:
test2 Cleartext-Password := "test2"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = "0058"
On the pc5424 I have:
8021x_test# sh running-config
interface range ethernet g(10,12)
spanning-tree portfast
interface ethernet g10
switchport mode general
vlan database
vlan 7,57-60,107
dot1x system-auth-control
interface range ethernet g(10,12)
dot1x re-authentication
interface range ethernet g(10,12)
dot1x port-control auto
hostname 8021x_test
radius-server host 10.1.1.245 key secretpass
aaa authentication dot1x default radius
anberry
7 Posts
0
September 29th, 2010 15:00
So, I think this particular problem is caused by the fact that this version of code specifically defaults to iSCSI mode. Thus, the following is documented within the release notes:
System mode
The PowerConnect 5424/5448 can operate in one of 2 system modes:
1. ACL & iSCSI; this is the default system mode
2. ACL & DVA
To switch between the modes a user should either use the CLI command ‘set system dva [active /inactive] iscsi [active /inactive]’ or use the web UI:
popo1970
9 Posts
0
September 28th, 2010 02:00
I changed eap-peap to eap-md5
radiusd -X told me:
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
[eap] Freeing handler
++[eap] returns ok
Login OK: [felek] (from client client1 port 10 cli 00:0a:e4:ba:eb:4a)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 209 to 10.138.1.146 port 49152
Service-Type = Framed-User
Framed-MTU = 1514
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "58"
EAP-Message = 0x03020004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "felek"
And debug dot1x:
<191> APR 26 02:58:49 10.138.1.146-1 DOT1X[126427808]: dot1x_debug.c(1326) 1295 %% Pkt RX - Intf: 1/0/10(10),SrcMac: 00:0a:e4:ba:eb:4a DestMac: 01:80:c2:00:00:03 Type: EAP Packet Code: EAP Response Id:1
<191> APR 26 02:58:49 10.138.1.146-1 DOT1X[126427808]: dot1x_debug.c(1332) 1296 %% Pkt TX - Intf: 1/0/10(10),SrcMac: 00:18:8b:a0:02:47 DestMac: 00:0a:e4:ba:eb:4a Type: EAP Packet Code: EAP Request Id:2
<191> APR 26 02:58:49 10.138.1.146-1 DOT1X[126427808]: dot1x_debug.c(1326) 1297 %% Pkt RX - Intf: 1/0/10(10),SrcMac: 00:0a:e4:ba:eb:4a DestMac: 01:80:c2:00:00:03 Type: EAP Packet Code: EAP Response Id:2
<191> APR 26 02:58:49 10.138.1.146-1 DOT1X[126427808]: dot1x_debug.c(1332) 1298 %% Pkt TX - Intf: 1/0/10(10),SrcMac: 00:18:8b:a0:02:47 DestMac: 00:0a:e4:ba:eb:4a Type: EAP Packet Code: EAP Success Id:2
So, everything looks fine but dynamic VLAN assignment doesn't work :(
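Added example, not part of the thread or of any Dell or FreeRADIUS code: a Python check that the tunnel attributes in an Access-Accept (radiusd -X output or users-file syntax) match what RFC 3580 specifies for VLAN assignment, and that the VLAN ID exists in the switch's "vlan" database line. The function names and the sample text are constructed for illustration.

```python
import re

# RFC 3580 values for VLAN assignment, as names (radiusd -X) or numbers (users file).
REQUIRED = {"Tunnel-Type": {"VLAN", "13"}, "Tunnel-Medium-Type": {"IEEE-802", "6"}}
ATTR = re.compile(r'^\s*(Tunnel-[\w-]+?)(?::(\d+))?\s*:?=\s*"?([^",]+)"?,?\s*$')

# Constructed sample, modelled on the Access-Accept in the post above.
SAMPLE = '''Sending Access-Accept of id 1 to 192.0.2.10 port 49152
    Tunnel-Type:0 := VLAN
    Tunnel-Medium-Type:0 := IEEE-802
    Tunnel-Private-Group-Id:0 := "58"
'''

def parse_vlan_db(line):
    """Expand a switch 'vlan 7,57-60,107' line into a set of VLAN IDs."""
    ids = set()
    for part in line.split(None, 1)[1].split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def check_accept(debug_text, vlan_db):
    """Return a list of problems found in the tunnel attributes of a reply."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR.match(line)
        if m:  # an absent tag is treated as tag 0 (untagged)
            attrs[m.group(1).lower()] = (m.group(2) or "0", m.group(3).strip())
    problems = []
    for name, ok in REQUIRED.items():
        _, value = attrs.get(name.lower(), (None, None))
        if value is None:
            problems.append(f"{name} missing")
        elif value not in ok:
            problems.append(f"{name} is {value}, expected one of {sorted(ok)}")
    _, vlan = attrs.get("tunnel-private-group-id", (None, None))
    if vlan is None:
        problems.append("Tunnel-Private-Group-Id missing")
    elif not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        problems.append(f"VLAN ID {vlan!r} is not a number in 1-4094")
    elif int(vlan) not in vlan_db:
        problems.append(f"VLAN {int(vlan)} is not in the switch VLAN database")
    if len({tag for tag, _ in attrs.values()}) > 1:
        problems.append("tunnel attributes carry different tags")
    return problems
```

An empty list means the RADIUS reply itself is well-formed for VLAN assignment, which leaves the switch configuration as the place to look.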
anberry
7 Posts
0
September 28th, 2010 10:00
So, the PowerConnect 54xx series must have the port command "dot1x radius-attributes vlan" in order to accept VLAN assignment on the switch.
popo1970
9 Posts
1
September 29th, 2010 01:00
I don't see this option in:
SW version 2.0.0.41 ( date 23-Sep-2009 time 15:48:40 )
Boot version 2.0.0.0 ( date 12-Nov-2008 time 12:56:52 )
8021x_test(config)# dot1x radius-attributes vlan
% Unrecognized command
8021x_test(config)# interface ethernet g10
8021x_test(config-if)# dot1x radius-attributes vlan
% Unrecognized command
I found this option in the user guide but not in the CLI guide...