Can't reach the Radius Server

Nameesh NR
Advisor

Hi,

I am facing this problem in assigning the IP address for an "Unauthorized 802.1x User" who is logging in. The network setup:

1> DHCP Server and IAS Radius Server are configured on a system with IP, i.e., x.x.4.20.
   DHCP Scope configured as:
   auth-clients -> x.x.3.100 - x.x.3.199
   unauth-clients -> x.x.2.100 - x.x.2.199
2> Configured an 802.1x port on the 5304xl device and set the following VLAN port-access properties for the port:
   auth-vlan -> 3
   unauth-vlan -> 2
3> The 5304xl device is not directly connected to the DHCP server but has a few other devices in between, i.e., 28xx and 5304xl.
4> The devices connected to DHCP server, i.e., 5304xl, are on VLAN 4, VLAN 3 and VLAN 2. IP routing is enabled on the 5304xl device.

I authenticate an 802.1x user to the port via the 5304xl. It gets authenticated and it acquires the IP address from the auth-clients range, i.e.,

x.x.3.100

Now, when I try authenticating an unauth user, the user is "Unauthenticated" as the Radius Server:

-> rejects the user
-> user is now put into unauth VLAN, i.e., "2"

But the DHCP Server does not assign the IP Address from the "unauth-clients" range.

And in the 5304xl (auth-switch) logs, it tells that:

"Can't reach the Radius Server x.x.4.20".

I want to verify that my DHCP server assigns IP from the unauth-clients range for "Unauthorized Users".

Please let me know the solution to this problem.

Thanks & Regards,
Nameesh.

Nothing is too small to know, and nothing is too big to attempt.
5 REPLIES
Matt Hobbs
Honored Contributor

Re: Can't reach the Radius Server

If you are using E.10.37, there is a problem with that firmware version and 802.1x. Try either downgrading the firmware, or contact HP support to obtain newer firmware that fixes this issue.
Mohieddin Kharnoub
Honored Contributor

Re: Can't reach the Radius Server

Hi

Can you try this: untag one port to the unauth-vlan, which is (2), then connect a PC and see if it can get an IP from the DHCP server within the defined scope for this VLAN.
If it's OK, then it may be, as mentioned, one of the firmware issues.
If it's not OK, then you have to check back the routing between VLANs, check that the uplinks carry all VLAN traffic along its path between switches, and check that on the DHCP scope the router attribute points to the VLAN 2 IP address on the routing switch.

Good Luck !!!


Science for Everyone
Nameesh NR
Advisor

Re: Can't reach the Radius Server

Hi Mohieddin,

Thanks for giving of retrieving IP address
for the PC from DHCP, by directly connecting it to the "Untag port of VLAN2".

In fact, the switch I was using for authentication was an edge switch that had multiple switches in between itself and the core.
-> Initially I tried connecting the PC to the "Untag port on Core Switch". It did receive an IP.
-> Then I connected the PC to the "Untag port of switch connected to the Core Switch". It did get the IP.
-> When I did the same for the next switch, it failed.

Then I realized that the "Unauth VLAN 2" attributes were not being passed. Then, I "tagged" the connecting ports between the switches to "Unauth VLAN".

This solved the problem.

I noticed that sometimes, if the user is not authenticated, the PC gets the IP:
192.168.0.2

How does it do that? When we try and refresh the IP, the correct IP gets assigned from the DHCP server.

Thanks,
Nameesh.

Nothing is too small to know, and nothing is too big to attempt.
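
The fix described in the post above (tagging the unauth VLAN on the ports between switches) can be checked for every required VLAN along the edge-to-core path. This is an added example, not part of the original thread; the switch names, port names and membership data are constructed assumptions.

```python
# Added example: audits that each VLAN an 802.1X deployment depends on is
# carried on both ends of every inter-switch link between edge and core.
# All switch names, ports and memberships below are constructed sample data.

# Links ordered edge -> core: (switch_a, port_a, switch_b, port_b)
PATH = [
    ("edge-5304xl", "A1", "dist-28xx", "24"),
    ("dist-28xx", "1", "core-5304xl", "B1"),
]

# {switch: {port: {vlan_id: "tagged" | "untagged"}}}
MEMBERSHIP = {
    "edge-5304xl": {"A1": {3: "tagged", 4: "tagged"}},
    "dist-28xx": {
        "24": {3: "tagged", 4: "tagged"},
        "1": {2: "tagged", 3: "tagged", 4: "tagged"},
    },
    "core-5304xl": {"B1": {2: "tagged", 3: "tagged", 4: "tagged"}},
}

# VLAN roles from the thread: unauth-vlan 2, auth-vlan 3, DHCP/RADIUS on VLAN 4
REQUIRED = {2: "unauth-vlan", 3: "auth-vlan", 4: "server VLAN"}


def audit_vlan(path, membership, vlan):
    """Return (switch, port, problem) for every link end that breaks `vlan`."""
    findings = []
    for sw_a, port_a, sw_b, port_b in path:
        mode_a = membership.get(sw_a, {}).get(port_a, {}).get(vlan)
        mode_b = membership.get(sw_b, {}).get(port_b, {}).get(vlan)
        for sw, port, mode in ((sw_a, port_a, mode_a), (sw_b, port_b, mode_b)):
            if mode is None:
                findings.append((sw, port, "missing"))
        # Tagged on one end and untagged on the other also drops the VLAN.
        if mode_a and mode_b and mode_a != mode_b:
            findings.append((sw_a, port_a, f"mode mismatch with {sw_b} {port_b}"))
    return findings


def audit_path(path, membership, required):
    """Map each required VLAN id to its list of findings (empty = carried)."""
    return {vlan: audit_vlan(path, membership, vlan) for vlan in required}


if __name__ == "__main__":
    for vlan, problems in audit_path(PATH, MEMBERSHIP, REQUIRED).items():
        status = "OK" if not problems else problems
        print(f"VLAN {vlan} ({REQUIRED[vlan]}): {status}")
```

With the sample data, only the unauth VLAN is reported as missing on the edge uplink, which matches the symptom in the thread: authenticated clients get an address while rejected clients in VLAN 2 do not.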
Mohieddin Kharnoub
Honored Contributor

Re: Can't reach the Radius Server

Hi

Good to hear that your problems are solved.
For IP leasing, when the user fails to authenticate, then (by default) the client will receive a 10-second lease from the address pool of 192.168.0.0; that's why your client got 192.168.0.2.
This is a separate DHCP provided by the switch to help in the authentication process.

Good luck !!!
Science for Everyone
Nameesh NR
Advisor

Re: Can't reach the Radius Server

I worked with the suggestion that was given. And then I was able to get the problem solved. Though the solution given was not 100%. It was nearly 50% of what I expected.
Nothing is too small to know, and nothing is too big to attempt.