Hi,
We are using MAC-based RADIUS authentication to set ports in the correct VLAN for our different clients. I wrongly assumed I could use the same code I used on our 5120s on the new 5130 switch.
I get a successful authentication, but the port does not set up the assigned VLAN, and display mac-authentication indicates it is continuously reauthenticating. Authentication is successful according to logs on my RADIUS server though, so I am uncertain what is wrong.
Here is the config from the 5130; my original config from the 5120 is below. I am hoping someone can show me a working config, or otherwise point me to where I went wrong in my config.
radius scheme system
 primary authentication 1.2.3.4 key cipher xxxxxxx
 secondary authentication 5.6.7.8 key cipher xxxxxxxx
 key authentication cipher xxxxxx
 user-name-format without-domain
 nas-ip 10.10.10.11
#
domain system
 authentication lan-access radius-scheme system
 authorization lan-access radius-scheme system
#
domain default enable system
interface GigabitEthernet2/0/17
 description Test-port for vlan240 windows machine
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 230 untagged
 port hybrid pvid vlan 230
 mac-vlan enable
 broadcast-suppression pps 3000
 multicast-suppression pps 3000
 stp edged-port
 lldp admin-status disable
 qos trust dscp
 mac-authentication
 mac-authentication guest-vlan 232
#
[5130-GigabitEthernet2/0/17]dis mac-authentication int g 2/0/17
Global MAC authentication parameters:
MAC authentication : Enabled
User name format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 60 s
Server timeout : 100 s
Authentication domain : system
Max MAC-auth users : 4294967295 per slot
Online MAC-auth users : 0
Silent MAC users:
MAC address VLAN ID From port Port index
GigabitEthernet2/0/17 is link-up
MAC authentication : Enabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : 232
Critical VLAN : Not configured
Host mode : Single VLAN
Max online users : 4294967295
Authentication attempts : successful 19, failed 0
Current online users : 0
MAC address Auth state
[5130-GigabitEthernet2/0/17]dis mac-au
The corresponding working config from a 5120 looks like this (there are some small differences, but I am deeming them extremely unlikely to have the effect I am seeing):
radius scheme system
 primary authentication 1.2.3.4 key cipher xxxxxxx
 primary accounting 127.0.0.1 1646
 secondary authentication 5.6.7.8 key cipher xxxxxxxx
 key authentication cipher xxxxxx
 user-name-format without-domain
 nas-ip 10.11.12.13
#
domain system
 authentication lan-access radius-scheme system
 authorization lan-access radius-scheme system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
#
interface GigabitEthernet1/0/15
 port link-type hybrid
 port hybrid vlan 1 untagged
 mac-vlan enable
 broadcast-suppression pps 3000
 multicast-suppression pps 3000
 undo jumboframe enable
 stp edged-port enable
 mac-authentication
 mac-authentication guest-vlan 1234
 lldp admin-status disable
 qos trust dscp
#
<5120_A2>dis mac-authentication
MAC address authentication is enabled.
User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 19
Current domain is system
Silent MAC User info:
MAC Addr From Port Port Index
GigabitEthernet1/0/26 is link-up
MAC address authentication is enabled
Authenticate success: 2, failed: 0
Max number of on-line users is 256
Current online user number is 1
MAC Addr          Authenticate State           Auth Index
abcd-abcd-abcd    MAC_AUTHENTICATOR_SUCCESS    4
GigabitEthernet1/0/27 is link-down
#5130#MAC-Authentication#VLAN
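When a server logs a successful authentication but the switch never moves the port into the VLAN, one check worth running on the RADIUS side is whether the Access-Accept actually carries the RFC 2868 tunnel attributes a switch needs for dynamic VLAN assignment: Tunnel-Type (attribute 64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = the VLAN ID as a string, all with matching tags. The script below is an added example, not part of the original post or of any HP configuration; it decodes a RADIUS packet and reports whether those attributes are present and consistent. The three packets are constructed inline for the demonstration (the VLAN ID 240 is borrowed from the port description above); in practice you would pass it the UDP payload of a captured Access-Accept.

```python
"""Decode a RADIUS Access-Accept and check its VLAN-assignment attributes.

Added example (not from the original post). Attribute numbers and values are
from RFC 2865/2868; the sample packets below are constructed, not captured.
"""
import struct

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value_bytes), ...]); raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs, pos = [], 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def split_tag(value: bytes, integer: bool):
    """RFC 2868 tag handling: Tunnel-Type/Tunnel-Medium-Type are tag byte + 3-byte
    integer; for Tunnel-Private-Group-ID a first byte in 0x00..0x1f is a tag,
    anything larger is the first character of the string (so b"240" is untagged)."""
    if integer:
        if len(value) != 4:
            raise ValueError("tagged integer attribute must be exactly 4 bytes")
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")


def check_vlan_assignment(packet: bytes) -> dict:
    """Report whether this Access-Accept instructs the switch to assign a VLAN."""
    code, _ident, attrs = parse_radius(packet)
    report = {"accept": code == ACCESS_ACCEPT, "vlan": None, "problems": []}
    if not report["accept"]:
        report["problems"].append(f"code {code} is not Access-Accept")
        return report
    found = {}
    for atype, value in attrs:
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            found[atype] = split_tag(value, integer=True)
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = split_tag(value, integer=False)
    if not found:  # the symptom in the post: accepted, but nothing tells the switch a VLAN
        report["problems"].append("no Tunnel-* attributes: user accepted but no VLAN returned")
        return report
    ttype, tmedium, tgroup = (found.get(a) for a in
                              (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID))
    if ttype is None:
        report["problems"].append("Tunnel-Type missing")
    elif ttype[1] != TUNNEL_TYPE_VLAN:
        report["problems"].append(f"Tunnel-Type is {ttype[1]}, expected 13 (VLAN)")
    if tmedium is None:
        report["problems"].append("Tunnel-Medium-Type missing")
    elif tmedium[1] != TUNNEL_MEDIUM_IEEE_802:
        report["problems"].append(f"Tunnel-Medium-Type is {tmedium[1]}, expected 6 (IEEE-802)")
    if tgroup is None:
        report["problems"].append("Tunnel-Private-Group-ID missing")
    elif not tgroup[1].isdigit() or not 1 <= int(tgroup[1]) <= 4094:
        # numeric IDs only; deployments that return VLAN names are not handled here
        report["problems"].append(f"Tunnel-Private-Group-ID {tgroup[1]!r} is not a numeric VLAN ID")
    tags = {v[0] for v in found.values()}
    if len(tags) > 1:
        report["problems"].append(f"tunnel attributes carry different tags {sorted(tags)}")
    if not report["problems"]:
        report["vlan"] = int(tgroup[1])
    return report


def build_access_accept(ident: int, attrs) -> bytes:
    """Assemble a RADIUS Access-Accept from (type, value) pairs (zero authenticator; constructed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


def tagged_int(tag: int, value: int) -> bytes:
    return bytes([tag]) + value.to_bytes(3, "big")


# Constructed samples. GOOD_ACCEPT assigns VLAN 240 with tag 1 on all three attributes;
# BARE_ACCEPT accepts the user but returns no VLAN; WRONG_MEDIUM uses medium 1 (IPv4).
GOOD_ACCEPT = build_access_accept(1, [
    (ATTR_TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)),
    (ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(1, TUNNEL_MEDIUM_IEEE_802)),
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"240"),
])
BARE_ACCEPT = build_access_accept(2, [(ATTR_REPLY_MESSAGE, b"ok")])
WRONG_MEDIUM = build_access_accept(3, [
    (ATTR_TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN)),
    (ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(0, 1)),
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"240"),
])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_ACCEPT), ("bare", BARE_ACCEPT), ("wrong-medium", WRONG_MEDIUM)):
        print(name, check_vlan_assignment(pkt))
```

Running it prints a report per packet: the first resolves to VLAN 240, the second is flagged as an accept with no tunnel attributes (the server says yes but never tells the switch which VLAN), and the third is rejected because the medium type is not IEEE-802. Comparing such a report with what display mac-authentication shows on the port separates server-side problems from switch-side ones.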