daniel_ling_i7iy231l2j8lo's profile


Tue, Apr 20, 2021 6:18 AM

802.1x configuration

Hello everyone, I am trying to configure 802.1x authentication with an ICX 7150. We have done the following configuration and the test client has successfully authenticated with Cloudpath as our RADIUS server, but somehow after the client is authenticated, it is not being moved to the correct VLAN. Not sure if we have missed any configuration; we tried looking at the example that was given in the configuration guide but it doesn't seem to help.

Below is our configuration; our firmware is 80.0.95ba. Thanks in advance!

Current configuration:

!

ver 08.0.95baT211

!

stack unit 1

  module 1 icx7150-48zp-poe-port-management-module

  module 2 icx7150-8-sfp-plus-port-80g-module

  stack-port 1/2/1

  stack-port 1/2/3

!

!

!

lag "UPLINK TO FW" dynamic id 1

 ports ethe 1/2/7 to 1/2/8 

!

!

!

vlan 1 name DEFAULT-VLAN by port

 no untagged ethe 1/1/20 

!

vlan 2 name "OPEN Net" by port

 tagged ethe 1/1/3 to 1/1/10 lag 1 

!

vlan 3 name onboarding by port                                    

 tagged ethe 1/1/3 to 1/1/10 lag 1                                

!                                                                 

vlan 10 name "NETWORK PRINTER" by port                            

 tagged lag 1                                                     

!                                                                 

vlan 11 name TAFEP/ADVISORY by port                               

 tagged lag 1                                                     

!

vlan 12 name "TADM/ALL STAFF" by port

 tagged lag 1 

!

vlan 13 name ACCOUNT by port

 tagged lag 1 

!

vlan 20 name ADMIN by port

 tagged lag 1 

 untagged ethe 1/1/19 

!

vlan 30 name "VIP LAN" by port

 tagged lag 1 

!

vlan 34 name Kiosk by port

 tagged lag 1 

!

vlan 50 name "WIFI TAL STAFF" by port

 tagged ethe 1/1/3 to 1/1/10 lag 1 

!

vlan 51 name "WIFI MOMSC STAFF" by port

 tagged lag 1 

!                                                                 

vlan 60 name "WIFI TAL VIP" by port

 tagged ethe 1/1/3 to 1/1/10 lag 1 

!

vlan 61 name "MOMSC LAN" by port

 tagged lag 1 

!

vlan 70 name "WIFI TAL GUEST" by port

 tagged ethe 1/1/3 to 1/1/10 lag 1 

!

vlan 71 name "WIFI MOMSC GUEST" by port

 tagged lag 1 

!

vlan 100 name MANAGEMENT by port

 tagged lag 1 

 untagged ethe 1/1/1 to 1/1/10 

!

vlan 101 name MOMSC-MGMT by port

 tagged lag 1 

!

vlan 150 name BMS/EMS by port

 tagged lag 1 

!

vlan 160 name SECURITY by port                                    

 tagged lag 1 

!

vlan 200 name "SERVER MANAGEMENT" by port

 tagged lag 1 

!

vlan 201 name "SERVER APPLICATION" by port

 tagged lag 1 

!

vlan 202 name "SERVER DATABASE" by port

 tagged lag 1 

!

vlan 300 name VOICE by port

 tagged lag 1 

!

vlan 301 name "IP PHONE" by port

 tagged lag 1 

!

!

!

!

!

!

!                                                                 

!

!

!

!

authentication

  auth-default-vlan 20

  restricted-vlan 3

  auth-fail-action restricted-vlan

  dot1x enable

  dot1x enable ethe 1/1/20 

  dot1x port-control auto ethe 1/1/20 

  dot1x timeout tx-period 5

!

!

!

optical-monitor

aaa authentication web-server default local

aaa authentication dot1x default radius

aaa authentication login default local

aaa authorization coa enable

aaa accounting dot1x default start-stop radius

boot sys fl pri

enable aaa console                                                

hostname TAL-L5-RSW

ip address 10.0.100.65 255.255.255.0 dynamic

ip dns server-address 10.0.200.88

ip default-gateway 10.0.100.254

!

no telnet server

username admin password .....

!

!

radius-client coa host 10.0.100.104 key 2 $RyvygVYvyvYVYV&&**(Y=

radius-server host 10.0.100.104 auth-port 1812 acct-port 1913 default key 2 $RyvygVYvyvYVYV&&**(Y= dot1x

radius-server accounting interim-updates

radius-server accounting interim-interval 5

!

!

no web-management http

!

!

manager active-list 10.0.100.102 10.0.100.101 10.0.100.254

!

manager port-list 987

!                                                                 

!

interface ethernet 1/1/1

 port-name SMARTZONE

!

interface ethernet 1/1/2

 port-name SMARTZONE

!

interface ethernet 1/1/3

 port-name AP01

!

interface ethernet 1/1/4

 port-name AP02

!

interface ethernet 1/1/5

 port-name AP03

!

interface ethernet 1/1/6

 port-name AP04

!

interface ethernet 1/1/7

 port-name AP05

!

interface ethernet 1/1/8                                          

 port-name AP06

!

interface ethernet 1/1/9

 port-name AP21

!

interface ethernet 1/1/10

 port-name AP22

!

interface ethernet 1/1/11

 disable

!

interface ethernet 1/1/12

 disable

!

interface ethernet 1/1/13

 disable

!

interface ethernet 1/1/14

 disable

!

interface ethernet 1/1/15

 disable

!                                                                 

interface ethernet 1/1/16

 disable

!

interface ethernet 1/1/17

 disable

!

interface ethernet 1/1/18

 disable

!

interface ethernet 1/1/20

 trust dscp 

!

interface ethernet 1/1/21

 disable

!

interface ethernet 1/1/22

 disable

!

interface ethernet 1/1/23

 disable

!

interface ethernet 1/1/24

 disable                                                          

!

interface ethernet 1/1/25

 disable

!

interface ethernet 1/1/26

 disable

!

interface ethernet 1/1/27

 disable

!

interface ethernet 1/1/28

 disable

!

interface ethernet 1/1/29

 disable

!

interface ethernet 1/1/30

 disable

!

interface ethernet 1/1/31

 disable

!

interface ethernet 1/1/32                                         

 disable

!

interface ethernet 1/1/33

 disable

!

interface ethernet 1/1/34

 disable

!

interface ethernet 1/1/35

 disable

!

interface ethernet 1/1/36

 disable

!

interface ethernet 1/1/37

 disable

!

interface ethernet 1/1/38

 disable

!

interface ethernet 1/1/39

 disable

!                                                                 

interface ethernet 1/1/40

 disable

!

interface ethernet 1/1/41

 disable

!

interface ethernet 1/1/42

 disable

!

interface ethernet 1/1/43

 disable

!

interface ethernet 1/1/44

 disable

!

interface ethernet 1/1/45

 disable

!

interface ethernet 1/1/46

 disable

!

interface ethernet 1/1/47

 disable                                                          

!

interface ethernet 1/1/48

 disable

!

interface ethernet 1/2/2

 speed-duplex 1000-full

!

interface ethernet 1/2/3

 no optical-monitor

!

interface ethernet 1/2/4

 speed-duplex 1000-full

!

interface ethernet 1/2/5

 speed-duplex 1000-full

!

interface lag 1

 speed-duplex 1000-full

!

!

!

ip access-list extended acl1

 sequence 10 permit ip any any                                    

 !

!

!

!

!

!

!

!

!

!

!

end

 

Official Rep


8 m ago

Hi Daniel,

Are you trying to deploy 802.1x authentication with dynamic VLAN assignment?

Usually when authentication succeeds, the client is moved to the VLAN returned by the RADIUS server.

When the RADIUS server does not return any VLAN information upon authentication, the client is authenticated and remains in the auth-default VLAN.

Please refer to the link below for more info and use cases.

Configuring the RADIUS server to support dynamic VLAN assignment for authentication (commscope.com)

Thanks

Jijo 
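Added example, not part of the thread and not Ruckus or Cloudpath code: a small Python check of whether a RADIUS Access-Accept carries the standard dynamic-VLAN attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID, per RFC 3580), which is the VLAN information the reply refers to. The function names, the constructed packets and the rule that all three attributes must be present are assumptions of this sketch; the fallback value 20 is the auth-default-vlan from the posted configuration.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and values used for VLAN assignment (RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = b"\x00\x00\x0d", b"\x00\x00\x06"   # 13 and 6 as 3-byte values
ACCESS_ACCEPT = 2
AUTH_DEFAULT_VLAN = "20"   # "auth-default-vlan 20" in the posted config


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_accept(attrs):
    """Constructed Access-Accept for the demo (authenticator zeroed, not validated)."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(body), bytes(16)) + body


def parse_attrs(packet):
    """Return {attribute type: [raw values]} after checking code and lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        found.setdefault(packet[pos], []).append(packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return found


def assigned_vlan(packet):
    """VLAN the client ends up in: the one RADIUS returned, else auth-default."""
    a = parse_attrs(packet)
    # Tunnel-Type and Tunnel-Medium-Type carry a tag byte before the 3-byte value
    is_vlan = any(v[1:] == VLAN for v in a.get(TUNNEL_TYPE, []))
    is_802 = any(v[1:] == IEEE_802 for v in a.get(TUNNEL_MEDIUM_TYPE, []))
    groups = a.get(TUNNEL_PRIVATE_GROUP_ID, [])
    if not (is_vlan and is_802 and groups and groups[0]):
        return AUTH_DEFAULT_VLAN, "no usable VLAN attributes, stays in auth-default VLAN"
    gid = groups[0][1:] if groups[0][0] <= 0x1F else groups[0]   # optional tag byte
    return gid.decode("ascii"), "dynamic VLAN from RADIUS"


if __name__ == "__main__":
    vlan12 = [attr(TUNNEL_TYPE, b"\x00" + VLAN), attr(TUNNEL_MEDIUM_TYPE, b"\x00" + IEEE_802),
              attr(TUNNEL_PRIVATE_GROUP_ID, b"12")]
    print(assigned_vlan(build_accept(vlan12)))   # Accept with VLAN attributes
    print(assigned_vlan(build_accept([])))       # Accept with none
```

Running the same check against a capture of the Access-Accept sent to the switch shows whether the missing VLAN move comes from the RADIUS policy or from the switch side.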
