
I'm attempting to get Dynamic VLAN Assignment working on a number of Dell PowerConnect 3524 switches.

I've got two RADIUS servers, both of which I've proved to be working using radtest on Linux.

One of the servers (Priority 0) is hosted on the network management VLAN (TekRADIUS running on Windows), and the second (Priority 1) is located on another VLAN (FreeRADIUS on Linux).

I can't seem to convince the switches to actually perform an authentication against either of the RADIUS servers, however.

Network comms between the switch and the RADIUS servers have been proven using ping from the switch CLI.

My switch configuration is as follows, can anyone spot anything I've missed?

interface range ethernet all
spanning-tree portfast
exit
interface range ethernet e(1-24)
dot1x multiple-hosts authentication
exit
interface ethernet g1
switchport mode trunk
exit
vlan database
vlan 2-5,9-11
exit
interface ethernet g1
switchport trunk allowed vlan add 2
exit
interface ethernet g1
switchport trunk allowed vlan add 3
exit
interface ethernet g1
switchport trunk allowed vlan add 4
exit
interface ethernet g1
switchport trunk allowed vlan add 5
exit
interface ethernet g1
switchport trunk allowed vlan add 9
exit
interface ethernet g1
switchport trunk allowed vlan add 10
exit
interface ethernet g1
switchport trunk allowed vlan add 11
exit
interface vlan 2
name netman
exit
interface vlan 3
name lt-sys
exit
interface vlan 4
name pub-sys
exit
interface vlan 5
name lt-clients
exit
interface vlan 9
name lt-voip
exit
interface vlan 10
name lt-print
exit
interface vlan 11
name lt-wifi
exit
dot1x system-auth-control
interface range ethernet e(1-24)
dot1x radius-attributes vlan
exit
interface range ethernet e(1-24)
dot1x port-control auto
exit
interface vlan 2
ip address 10.58.2.7 255.255.255.0 
exit
hostname sw-3-1
radius-server host 10.58.2.128 key switch usage dot1.x 
radius-server host 10.58.3.132 key switch priority 1 usage dot1.x 
aaa authentication dot1x default radius 
username bryan password password-hash-was-here level 15 encrypted
ip domain-name liketechnologies.local
ip name-server  10.58.3.32 10.58.3.33
Bryan

1 Answer


I've managed to resolve this now (or mostly). The ports are being correctly assigned to VLANs as a result of RADIUS authentication; however, for some reason, after the device gets assigned an IP address from our DHCP server, no other traffic is forwarded.

I've probably just got my VLAN routing wrong, or I'm not correctly passing VLAN traffic on the trunk ports.

For anyone else finding this via Google, my (mostly) working config is as follows:

interface range ethernet all
spanning-tree portfast
exit
interface range ethernet e(1-24)
dot1x multiple-hosts authentication
exit
interface range ethernet g(1-4)
switchport mode trunk
exit
vlan database
vlan 2-6,9-11
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 2
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 3
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 4
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 5
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 6
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 9
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 10
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 11
exit
interface vlan 2
name netman
exit
interface vlan 3
name lt-sys
exit
interface vlan 4
name pub-sys
exit
interface vlan 5
name lt-clients
exit
interface vlan 6
name guest
exit
interface vlan 9
name lt-voip
exit
interface vlan 10
name lt-print
exit
interface vlan 11
name lt-wifi
exit
interface vlan 6
dot1x guest-vlan
exit
dot1x system-auth-control
interface range ethernet e(1-24)
dot1x re-authentication
exit
interface range ethernet e(1-24)
dot1x max-req 3
exit
interface range ethernet e(1-24)
dot1x mac-authentication mac-and-802.1x
exit
interface range ethernet e(1-24)
dot1x radius-attributes vlan
exit
interface range ethernet e(1-24)
dot1x port-control auto
exit
interface range ethernet e(1-24)
dot1x guest-vlan enable 
exit
interface vlan 2
ip address 10.58.2.99 255.255.255.0 
exit
hostname sw-1-2
radius-server host 10.58.2.128 key switch priority 2 
radius-server host 10.58.3.132 key switch priority 1 
aaa authentication dot1x default radius 
username bryan password password-hash-was-here level 15 encrypted
clock source sntp
sntp server 10.58.3.128 poll
ip domain-name liketechnologies.local
ip name-server  10.58.3.32 10.58.3.33
Bryan
    The only thing I notice off the top of my head is you should have your trunk ports configured as 'portfast' – TrueDuality Oct 01 '10 at 14:23
  • Make sure you aren't in trunk mode, or else it will require tagged packets (unless you're on the native vlan) – Brain2000 Dec 23 '15 at 21:49
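To make the "can anyone spot what I've missed" comparison mechanical, here is an added Python example (it is not part of the thread and not a Dell tool). It parses PowerConnect-style config text into global commands and per-context commands, checks for the switch-side settings the thread relies on for RADIUS-assigned VLANs, lists each RADIUS server with its priority and usage, and diffs the 802.1X/RADIUS/AAA commands between the question's config and the answer's. The two embedded configs are abridged from the ones on this page; the required-setting list, the default priority of 0 and the access-port context name are my assumptions, and the parser only understands the flat "interface ... / exit" layout shown here.

```python
import re

# Switch-side settings the thread relies on for RADIUS-assigned VLANs (assumed
# minimal list): global 802.1X enablement, a RADIUS server, the AAA method, and
# on each access port the VLAN-attribute handling and auto port control.
REQUIRED_GLOBAL = [
    ("dot1x system-auth-control", r"^dot1x system-auth-control$"),
    ("radius-server host", r"^radius-server host \S+"),
    ("aaa authentication dot1x default radius", r"^aaa authentication dot1x default radius$"),
]
REQUIRED_PORT = [
    ("dot1x radius-attributes vlan", r"^dot1x radius-attributes vlan$"),
    ("dot1x port-control auto", r"^dot1x port-control auto$"),
]

# Abridged from the question (non-working) and the answer (working) configs.
QUESTION_CFG = """\
interface range ethernet e(1-24)
dot1x multiple-hosts authentication
exit
dot1x system-auth-control
interface range ethernet e(1-24)
dot1x radius-attributes vlan
exit
interface range ethernet e(1-24)
dot1x port-control auto
exit
radius-server host 10.58.2.128 key switch usage dot1.x
radius-server host 10.58.3.132 key switch priority 1 usage dot1.x
aaa authentication dot1x default radius
"""
ANSWER_CFG = """\
interface range ethernet e(1-24)
dot1x multiple-hosts authentication
exit
interface vlan 6
dot1x guest-vlan
exit
dot1x system-auth-control
interface range ethernet e(1-24)
dot1x re-authentication
dot1x max-req 3
dot1x mac-authentication mac-and-802.1x
dot1x radius-attributes vlan
dot1x port-control auto
dot1x guest-vlan enable
exit
radius-server host 10.58.2.128 key switch priority 2
radius-server host 10.58.3.132 key switch priority 1
aaa authentication dot1x default radius
"""


def parse_config(text):
    """Split config text into global commands and a dict mapping each
    'interface ...' or 'vlan database' context to the commands under it."""
    global_cmds, contexts, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface ") or line == "vlan database":
            current = line
            contexts.setdefault(current, [])  # repeated contexts accumulate
        elif line == "exit":
            current = None
        elif current is not None:
            contexts[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, contexts


def missing_for_dynamic_vlan(text, port_context="interface range ethernet e(1-24)"):
    """Names of required settings that are absent from the config."""
    global_cmds, contexts = parse_config(text)
    port_cmds = contexts.get(port_context, [])
    missing = [n for n, p in REQUIRED_GLOBAL if not any(re.match(p, c) for c in global_cmds)]
    missing += [n for n, p in REQUIRED_PORT if not any(re.match(p, c) for c in port_cmds)]
    return missing


def radius_servers(text):
    """(host, priority, usage) per radius-server line. Priority defaults to 0
    (assumed, as in the question); usage is None when the line does not set it."""
    servers = []
    for cmd in parse_config(text)[0]:
        m = re.match(r"^radius-server host (\S+)", cmd)
        if not m:
            continue
        prio = re.search(r"\bpriority (\d+)", cmd)
        usage = re.search(r"\busage (\S+)", cmd)
        servers.append((m.group(1), int(prio.group(1)) if prio else 0,
                        usage.group(1) if usage else None))
    return servers


def dot1x_diff(old_text, new_text):
    """(added, removed) dot1x/radius-server/aaa commands between two configs,
    taken from every context so port-level and global changes both show up."""
    def relevant(text):
        g, ctx = parse_config(text)
        cmds = g + [c for cs in ctx.values() for c in cs]
        return {c for c in cmds if c.split()[0] in ("dot1x", "radius-server", "aaa")}
    old, new = relevant(old_text), relevant(new_text)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CFG), ("answer", ANSWER_CFG)):
        print(label, "missing:", missing_for_dynamic_vlan(cfg) or "nothing")
        print(label, "servers:", radius_servers(cfg))
    added, removed = dot1x_diff(QUESTION_CFG, ANSWER_CFG)
    print("added in answer:", *added, sep="\n  ")
    print("removed in answer:", *removed, sep="\n  ")
```

Run against the two configs, the checker finds none of the assumed prerequisites missing in either, which matches the thread: the question's switch side already had `dot1x system-auth-control`, `dot1x radius-attributes vlan`, `dot1x port-control auto`, a RADIUS server and the AAA method. The diff shows what the answer changed: guest VLAN, re-authentication, `max-req`, MAC authentication, and RADIUS server lines with explicit priorities and without `usage dot1.x`. The thread does not say which of these made the difference, so treat the diff as a list of candidates to test one at a time rather than a diagnosis. Since `dot1x radius-attributes vlan` is what makes the switch act on the RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes in the Access-Accept, a config that passes this check but still leaves ports in the wrong VLAN usually points at the RADIUS server's reply rather than the switch.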