Dynamic VLAN assigned from RADIUS, but the authenticated client always got the VLAN configured in "port hybrid pvid vlan X"

Publication Date:  2017-08-25 Views:  253 Downloads:  0
Issue Description

Fault symptom: The customer wanted to use dynamic VLAN assignment from a RADIUS server. They had a certificate on the PC and used a Huawei S5720-28X-PWR-SI-AC access switch and a RADIUS server in their topology. Previously they used a Cisco switch with workstations connected to it; after successful 802.1X authentication, the PC was properly assigned the VLAN defined on the RADIUS server.

After some tests (in unified and common mode), dynamic VLAN assignment did not work on the Huawei switch. The VLAN should have been assigned from RADIUS, but the authenticated client always got the VLAN configured in "port hybrid pvid vlan X".

Version information: V200R010C00SPC600

Networking topology:


Configuration script: 

1. Configuration on the Cisco port (which the customer said was working):

    interface FastEthernet0/1
     switchport mode access
     switchport voice vlan 11
     authentication event fail action authorize vlan 13
     authentication event no-response action authorize vlan 12
     authentication host-mode multi-domain
     authentication port-control auto
     dot1x pae authenticator
     dot1x timeout tx-period 3
     spanning-tree portfast

2. Configuration on the Huawei port (which the customer said was not working):

    interface GigabitEthernet0/0/2
     port link-type hybrid
     voice-vlan 11 enable
     voice-vlan legacy enable
     port hybrid pvid vlan 10
     port hybrid tagged vlan 11
     port hybrid untagged vlan 10
     stp edged-port enable
     authentication-profile dot1x_authen_profile

Operation scenario: The customer also tried port link-type access without a defined PVID VLAN, but still did not get the proper dynamic VLAN from RADIUS. The authenticated PC got VLAN 1, which is the default PVID VLAN.

RADIUS was configured correctly, as shown below:

Solution

Advised that the delivered VLAN takes precedence over the VLAN configured on the interface. That is, the delivered VLAN takes effect after the authentication succeeds, and the configured VLAN takes effect after the user goes offline. The following RADIUS attributes are used for dynamic VLAN delivery:

(064) Tunnel-Type (It must be set to VLAN or 13.)

(065) Tunnel-Medium-Type (It must be set to 802 or 6.)

(081) Tunnel-Private-Group-ID (It can be a VLAN ID or VLAN name.)

To ensure that the RADIUS server delivers the VLAN information correctly, all three RADIUS attributes must be present in the Access-Accept, and Tunnel-Type and Tunnel-Medium-Type must be set to exactly the values above; if any of them is missing or wrong, the switch keeps the VLAN configured on the port.
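As an added example (not part of this case and not Huawei's code), the following Python checks the attribute area of a RADIUS Access-Accept for the three attributes above, decoding them with the RFC 2868 tagged encoding; the sample byte strings GOOD and BAD are constructed for illustration.

```python
# Added example (not Huawei's code): check the dynamic-VLAN attributes of a RADIUS Access-Accept.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # required values: VLAN (13), 802 (6)

def parse_attributes(raw: bytes) -> list:
    """Split a RADIUS attribute area into (type, value) pairs; the length octet covers the header."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return attrs

def tunnel_int(value: bytes) -> tuple:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")

def tunnel_string(value: bytes) -> tuple:
    """RFC 2868 tagged string: the first octet is a tag only when it is in 0x00..0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")

def check_vlan_delivery(raw: bytes) -> dict:
    """Return the delivered VLAN (or None) and the problems to fix on the RADIUS server."""
    found, problems = {}, []
    for atype, value in parse_attributes(raw):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = tunnel_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = tunnel_string(value)
    problems += [f"missing {n} ({t})" for t, n in NAMES.items() if t not in found]
    if found.get(TUNNEL_TYPE, (0, 13))[1] != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type must be VLAN (13)")
    if found.get(TUNNEL_MEDIUM_TYPE, (0, 6))[1] != TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type must be 802 (6)")
    if len({tag for tag, _ in found.values()}) > 1:
        problems.append("tag octets differ; all three attributes must share one tag")
    vlan = found[TUNNEL_PRIVATE_GROUP_ID][1] if TUNNEL_PRIVATE_GROUP_ID in found else None
    return {"vlan": vlan, "problems": problems}
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value   # type, length, value
# Constructed samples: a correct reply delivering VLAN 13 with tag 1, and one missing Tunnel-Medium-Type.
GOOD = (attr(64, b"\x01" + (13).to_bytes(3, "big")) + attr(65, b"\x01" + (6).to_bytes(3, "big"))
        + attr(81, b"\x01" + b"13"))
BAD = attr(64, b"\x00" + (13).to_bytes(3, "big")) + attr(81, b"13")
```

Run check_vlan_delivery on the attribute area of a captured Access-Accept (everything after the 20-byte header) to see whether the server is actually sending what the switch needs.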

Also, try this configuration on the access port:

    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] port link-type hybrid
    [SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 10
    [SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 10

The customer did some tests on the PC (with the Wired AutoConfig service running and a valid certificate), and the RADIUS server log was empty.

So there was no communication with the RADIUS server, yet the user was shown as authenticated:

    [HUAWEI]display access-user interface GigabitEthernet 0/0/2
    ------------------------------------------------------------------------------
    UserID Username                IP address       MAC            Status
    ------------------------------------------------------------------------------
    19     host/KLI-DHABRAT2.SS... 192.168.10.53    f0de-f124-2d49 Success

The PC gets an IP address from VLAN 10, but should get one from VLAN 13.

After those tests I noticed that:

1) VLAN 13 was not configured in the system view; it had to be added with vlan batch and the test repeated.

2) The default authentication-scheme was being used instead of the one in the desired configuration, so the users were authenticated locally.

After adding VLAN 13 (vlan batch 13), the PC successfully got the VLAN defined on the RADIUS server.

END