I am trying to get dynamic VLAN assignment working on several Dell PowerConnect 3524 switches.
I have two RADIUS servers, both of which I have verified to work using radtest on Linux.
One of the servers (priority 0) is hosted on the network management VLAN (TekRADIUS running on Windows); the second (priority 1) is on a different VLAN (FreeRADIUS on Linux).
However, I cannot seem to convince the switches to actually authenticate against either RADIUS server.
Network connectivity between the switches and the RADIUS servers has been verified with ping from the switch CLI.
My switch configuration is below. Can anyone spot what I am missing?
interface range ethernet all
spanning-tree portfast
exit
interface range ethernet e(1-24)
dot1x multiple-hosts authentication
exit
interface ethernet g1
switchport mode trunk
exit
vlan database
vlan 2-5,9-11
exit
interface ethernet g1
switchport trunk allowed vlan add 2
exit
interface ethernet g1
switchport trunk allowed vlan add 3
exit
interface ethernet g1
switchport trunk allowed vlan add 4
exit
interface ethernet g1
switchport trunk allowed vlan add 5
exit
interface ethernet g1
switchport trunk allowed vlan add 9
exit
interface ethernet g1
switchport trunk allowed vlan add 10
exit
interface ethernet g1
switchport trunk allowed vlan add 11
exit
interface vlan 2
name netman
exit
interface vlan 3
name lt-sys
exit
interface vlan 4
name pub-sys
exit
interface vlan 5
name lt-clients
exit
interface vlan 9
name lt-voip
exit
interface vlan 10
name lt-print
exit
interface vlan 11
name lt-wifi
exit
dot1x system-auth-control
interface range ethernet e(1-24)
dot1x radius-attributes vlan
exit
interface range ethernet e(1-24)
dot1x port-control auto
exit
interface vlan 2
ip address 10.58.2.7 255.255.255.0
exit
hostname sw-3-1
radius-server host 10.58.2.128 key switch usage dot1.x
radius-server host 10.58.3.132 key switch priority 1 usage dot1.x
aaa authentication dot1x default radius
username bryan password password-hash-was-here level 15 encrypted
ip domain-name liketechnologies.local
ip name-server 10.58.3.32 10.58.3.33
Answer 1
I have now managed to solve this (or most of it). Ports are being assigned to the correct VLANs as a result of RADIUS authentication, but for some reason, once a device has obtained an IP address from our DHCP server, no other traffic is forwarded.
My VLAN routing is probably wrong, or I am not passing the VLAN traffic correctly on the trunk ports.
For anyone else who finds this via Google, my (mostly) working configuration is below:
interface range ethernet all
spanning-tree portfast
exit
interface range ethernet e(1-24)
dot1x multiple-hosts authentication
exit
interface range ethernet g(1-4)
switchport mode trunk
exit
vlan database
vlan 2-6,9-11
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 2
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 3
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 4
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 5
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 6
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 9
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 10
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 11
exit
interface vlan 2
name netman
exit
interface vlan 3
name lt-sys
exit
interface vlan 4
name pub-sys
exit
interface vlan 5
name lt-clients
exit
interface vlan 6
name guest
exit
interface vlan 9
name lt-voip
exit
interface vlan 10
name lt-print
exit
interface vlan 11
name lt-wifi
exit
interface vlan 6
dot1x guest-vlan
exit
dot1x system-auth-control
interface range ethernet e(1-24)
dot1x re-authentication
exit
interface range ethernet e(1-24)
dot1x max-req 3
exit
interface range ethernet e(1-24)
dot1x mac-authentication mac-and-802.1x
exit
interface range ethernet e(1-24)
dot1x radius-attributes vlan
exit
interface range ethernet e(1-24)
dot1x port-control auto
exit
interface range ethernet e(1-24)
dot1x guest-vlan enable
exit
interface vlan 2
ip address 10.58.2.99 255.255.255.0
exit
hostname sw-1-2
radius-server host 10.58.2.128 key switch priority 2
radius-server host 10.58.3.132 key switch priority 1
aaa authentication dot1x default radius
username bryan password password-hash-was-here level 15 encrypted
clock source sntp
sntp server 10.58.3.128 poll
ip domain-name liketechnologies.local
ip name-server 10.58.3.32 10.58.3.33
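Both configurations rely on `dot1x radius-attributes vlan`, which makes the switch read the VLAN out of the RADIUS Access-Accept. What the switch actually expects on the wire is the RFC 2868 trio Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = "<vlan-id>", all carrying the same tag, and it only accepts the reply if the Response Authenticator was computed with the same shared secret as its `radius-server host ... key switch` line. The following is an added example, not code from the original post or from the Dell or FreeRADIUS projects: it encodes such an Access-Accept the way a RADIUS server would, then decodes it the way the NAS does, rejecting a reply built with the wrong secret. The request authenticator, the packet identifier and VLAN 5 (lt-clients) are constructed sample values; the secret `switch` is the one in the posted configuration.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers (RFC 2865 / RFC 2868).
ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def tagged_int(tag, value):
    """Tagged integer attribute value: one tag byte plus a 3-byte integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length (value + 2), Value."""
    return bytes([atype, len(value) + 2]) + value


def build_access_accept(ident, request_auth, secret, vlan_id, tag=1):
    """Server side: Access-Accept that tells the switch which VLAN to assign.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    attrs = (attr(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
             + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
             + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def nas_vlan_from_reply(packet, request_auth, secret):
    """NAS side: validate the reply, then return the VLAN id it assigns.
    Returns None for anything that is not an authentic Accept with a usable VLAN."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or forged reply: discard silently
    if code != ACCESS_ACCEPT:
        return None
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return None
    tunnels = {}  # tag -> {attribute: value}; all three must share a tag
    for atype, value in attrs:
        if not value:
            continue
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte above 0x1F is part of the string, not a tag (RFC 2868).
            tag, group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[atype] = group.decode("ascii", "replace")
    for fields in tunnels.values():
        group = fields.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, "")
        if (fields.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and fields.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.isdigit() and 1 <= int(group) <= 4094):
            return int(group)
    return None


def demo():
    """Constructed exchange: authenticator and identifier are sample values."""
    request_auth = bytes(range(16))
    reply = build_access_accept(0x2A, request_auth, b"switch", 5)
    return (nas_vlan_from_reply(reply, request_auth, b"switch"),   # 5
            nas_vlan_from_reply(reply, request_auth, b"wrong"),    # None
            nas_vlan_from_reply(reply, bytes(16), b"switch"))      # None


if __name__ == "__main__":
    print(demo())
```

The second and third results are the cases behind "the switch will not authenticate against either server": a reply signed with a different secret, or one that does not match the outstanding request, is dropped without any error being shown to the supplicant. One check worth making before touching the switch side is that the RADIUS server lists the switch's own management address (10.58.2.7 or 10.58.2.99 above) as a NAS client with that same secret; a successful radtest from a Linux host only proves that host is an accepted client, not that the switch is.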