MS250 uses dot1x authentication, unable to obtain accurate VLAN address

海绵宝宝
New here

The normal authorization network segment a and the low-permission network segment b are configured on the authentication server, and different network segments are obtained on login success and failure. When the user connects to the network and obtains the b address, after successful authentication it is still the b address, and the client needs to be unplugged and reconnected to refresh to the a address. The authentication server is Aruba's CPPM, and it can be seen that the message matches the correct network segment. Is there any case or explanation for this problem?

1 Reply
GIdenJoe
Kind of a big deal

First make sure your RADIUS server is correctly sending back all three AV pairs:

Tunnel-Medium-Type: Choose 802 for the Attribute value Commonly used for 802.1X.
Tunnel-Private-Group-ID: Choose String and enter the VLAN desired (ex. "500"). This string will specify the VLAN ID 500.
Tunnel-Type: Choose Attribute value Commonly used for 802.1X and select Virtual LANs (VLANs)

If so, and the VLAN changes after authentication, there is a slight possibility your client is a bit stuck by not doing DHCP after authentication. It depends on the software on the client.

If for some reason you allow traffic on a guest VLAN before authentication, then you do have a change in VLAN, and your client should not be able to communicate on the old VLAN after the port has changed to another VLAN.

So, using packet capture, please check if your authentication server is sending all 3 necessary AV pairs.
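Added example (not part of the original reply, and not Meraki or Aruba code): a small Python check that parses the UDP payload of a RADIUS Access-Accept taken from a packet capture and reports whether the three VLAN AV pairs are present with the values named above. The function names and the sample packets are constructed for illustration; attribute numbers and values follow RFC 2868 and RFC 3580.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580 (802.1X VLAN assignment).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
WANT = {TUNNEL_TYPE: ("Tunnel-Type", 13),               # 13 = VLAN
        TUNNEL_MEDIUM_TYPE: ("Tunnel-Medium-Type", 6)}  # 6 = 802

def parse_attributes(packet: bytes) -> dict:
    """Map attribute type -> list of raw values for a RADIUS Access-Accept."""
    if len(packet) < 20 or packet[0] != 2:              # code 2 = Access-Accept
        raise ValueError("not a RADIUS Access-Accept")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20                 # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def check_vlan_avps(packet: bytes):
    """Return (vlan or None, list of problems) for the three VLAN AV pairs."""
    attrs, problems = parse_attributes(packet), []
    for atype, (name, want) in WANT.items():
        vals = attrs.get(atype)
        if not vals:
            problems.append(f"{name} missing")
        # Value is 4 octets: a tag octet followed by a 3-octet integer.
        elif len(vals[0]) != 4 or int.from_bytes(vals[0][1:], "big") != want:
            problems.append(f"{name} has unexpected value {vals[0].hex()}")
    vlan = None
    vals = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not vals or not vals[0]:
        problems.append("Tunnel-Private-Group-ID missing")
    else:
        raw = vals[0][1:] if vals[0][0] <= 0x1F else vals[0]  # drop optional tag octet
        vlan = raw.decode("ascii", "replace")
    return vlan, problems

def build_accept(*avps):
    """Constructed Access-Accept with a zeroed authenticator (sample data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

GOOD = build_accept((TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
                    (TUNNEL_PRIVATE_GROUP_ID, b"500"))
BAD = build_accept((TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_PRIVATE_GROUP_ID, b"500"))
```

An empty problem list together with the expected VLAN string means the Access-Accept itself is complete, which points the troubleshooting toward the client not renewing DHCP after the port moves.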
