S5130S-28P-EI The AccessVLANID & the AuthorizationVLANID is not the same in the radius massage.
- 0 Followed
- 0Collected ,3362Browsed
Network Topology
Null
Problem Description
Process Analysis
We can clearly see the log about the authorization vlan from Radius server on the device as following:
%Jan 1 01:52:28:313 2013 H3C DOT1X/6/DOT1X_LOGIN_SUCC: -IfName=GigabitEthernet1/0/2-MACAddr=28d2-4491-4e77-AccessVLANID=150-AuthorizatiOnVLANID=160-Username=MAYCYBER\h3c1; User passed 802.1X authentication and came online.
And according to the packets capture from the device to the server:
We know the device feedback Radius with the accessVlanID which is the vlan of access clients before authentication, while without the AuthorizationVlanID.
So even the server authorize the vlan itself, it can only receive the access vlan anyway. The requirements from customer is receiving the
AuthorizationVLANID, which not support at the current software version.
Solution
Modified feature of version Release 6317
Information included in RADIUS accounting request packets
Feature change description:
As from this version, the device supports including the User-VLAN-ID attribute in RADIUS accounting request packets sent to the RADIUS server. This attribute is used to carry authorization VLAN information for 802.1X and MAC authentication users. The modification ensures that the logs output by the RADIUS server can include user authorization VLAN information.
If the RADIUS server assigns a VLAN ID or VLAN name as the authorization VLAN to a user, the device includes the server-assigned authorization VLAN in the User-VLAN-ID attribute.
If the RADIUS server assigns a group of VLANs in the authorization VLAN information to a user, the device includes a VLAN in the User-VLAN-ID attribute as described in Table 1.
Table 1 Including a VLAN in the User-VLAN-ID attribute of RADIUS accounting packets
