802.1x problem

[NE77]

Hi,

I have configure the 802.1x with mac auth on ERS 4548, not issue with the avaya ip phone but my pc is not able to get the correct vlan (always stay on guest vlan, my pc is connect to avaya ip phone).

below is the switch EAPOL setting.

4548GT-PWR HW:12       FW:5.3.0.3   SW:v5.7.3.031

radius server host 192.168.10.10
! radius server host key ********
radius accounting interim-updates enable
radius accounting interim-updates interval 60
radius dynamic-server client 192.168.10.10
! radius dynamic-server client 192.168.10.10 secret ****************
! radius dynamic-server client 192.168.10.10 enable
radius dynamic-server client 192.168.10.10 process-change-of-auth-requests
radius dynamic-server client 192.168.10.10 process-disconnect-requests

eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost eap-packet-mode unicast
eapol multihost multivlan enable

interface Ethernet ALL
eapol multihost port 1 enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-max 2
radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan
eap-packet-mode unicast mac-max 2
eapol multihost port 2 enable allow-non-eap-enable non-eap-mac-max 3 radius-non-eap-enable
use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 2
eapol multihost port 3-48 mac-max 2
exit
no eapol multihost non-eap-pwd-fmt ip-addr
no eapol multihost non-eap-pwd-fmt port-number
interface Ethernet ALL
eapol port 1-2 status auto
interface Ethernet ALL
eapol port 1-2 radius-dynamic-server enable

is there any missing in the configuration?

Thanks.


eapol enable

[NE77]

sh eapol multihost non-eap-mac status

Port Client MAC Address State                          Vid  Pri
---- ------------------ ------------------------------ ---- ---
1    XX:XX:XX:XX:XX:XX  Authenticated By RADIUS        100  0 

the vid for the pc should be 10 (user vlan) not 100 (guest vlan) after the authentication. 

Any help on this would much appreciated. Thank you

[MatzeKS]

Hi NE77,

are you assigning both neap-vlan (user/guest) via radius or is there an static port/vlan assigment with simple allowing those (known) MAC-Addresses?

Normally the accessport is set to "untagAll" and all radius assigned vlans will be provisioned untagged in parallel with no need of tagging/untagPVIDonly/PVID.

Which type of Radius do you use? Identity Engines from Avaya or any other?

[NE77]

Hi NE77,

are you assigning both neap-vlan (user/guest) via radius or is there an static port/vlan assigment with simple allowing those (known) MAC-Addresses?

Normally the accessport is set to "untagAll" and all radius assigned vlans will be provisioned untagged in parallel with no need of tagging/untagPVIDonly/PVID.

Which type of Radius do you use? Identity Engines from Avaya or any other?

Hi MatzeKS,

Yes, i did assigning both vlan via radius. I'm using  ClearPass policy manager 6.6.2.86786 on CP-HW-500 platform.

Below is the switch VLAN setting.

vlan create 10,100 type port 1
vlan name 10 "User"
vlan name 100 "Guest"
vlan ports 1-46 tagging unTagPvidOnly
vlan ports 47-48 tagging tagAll
vlan configcontrol flexible
vlan members 1 NONE
vlan members 10,100 ALL
vlan ports 1-46 pvid 10
no auto-pvid

Thanks you.

[martaz]

Hi NE77

I am also facing the same issue. Just wondering did you manage to have this fixed? I was told it could be due to the Radius COA. Do you have the Avaya/nortel Radius COA directory so the Clearpass can issue the correct parameter for the termination of session?