Wired Authentication via RADIUS for Dynamic VLAN tagging based on user logged in

Danjns
Here to help

Wired Authentication via RADIUS for Dynamic VLAN tagging based on user logged in

I'm trying to setup wired RADIUS Auth to dynamically assign a VLAN based off of the user (for content filtering). 

 

There may be a better way to do this...

 

I've managed to get the machine to authenticate but it won't let the machine access the server from the new VLAN... whenever the user logs in it cannot access the file server on the default infrastructure VLAN (1).

 

I've attached an access port policy from the switch.

 

You'll probably need more info, but I don't know what you need to know... ask away!

13 Replies 13
Danjns
Here to help

Trying to make it so that the shared PCs can be used by staff and students and have a separate policy assigned based on the user logged in. (more relaxed for staff).
NolanHerring
Kind of a big deal

Thanks for the reply. I've gone through all of these and it still isn't working... it's almost as if the access port is stopping the client machine from being able to talk to the default VLAN... it's my first time trying to get this to work...
NolanHerring
Kind of a big deal

Can you provide a screenshot on how you have one of the ports configured, and your access policy setup
Nolan Herring | nolanwifi.com
TwitterLinkedIn

Also, you using NPS or ISE or something else?
Nolan Herring | nolanwifi.com
TwitterLinkedIn

Screenshot 2019-08-15 19.34.57.pngScreenshot 2019-08-15 19.35.34.png

when I login as a student user the machine is placed in VLAN 40 (student VLAN)
NolanHerring
Kind of a big deal

How do you have your radius side setup?
Nolan Herring | nolanwifi.com
TwitterLinkedIn
PhilipDAth
Kind of a big deal
Kind of a big deal

Does the switch report the user is being placed in the correct VLAN?  If so - that is the end of that part of the puzzle.

 

The next question is what is doing the inter-vlan routing for the two VLANs?  Do they they have any access rules limiting the traffic?

it doesn't report there user... it reports the machine name but it is in the correct VLAN...

 

I haven't set any explicit rules to block anything, I wasn't;t sure if something was blocked automatically or how to stop it from being blocked...

You need to enable Change of authorization (CoA) in order to be placed in the right VLAN.

ww
Kind of a big deal
Kind of a big deal

the new vlan has a Layer3 interface?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels