Networking

Need help getting dynamic VLAN assignment working with RADIUS and Dell PowerConnect 3524

  • September 8, 2010

I am trying to get dynamic VLAN assignment working on a number of Dell PowerConnect 3524 switches.

I have two RADIUS servers, both of which I have verified are working using radtest on Linux.

One server (priority 0) is hosted on the network management VLAN (TekRADIUS running on Windows); the second (priority 1) sits on another VLAN (FreeRADIUS on Linux).

However, I can't seem to convince the switches to actually authenticate against either RADIUS server.

Network connectivity between the switches and the RADIUS servers has been verified with ping from the switch CLI.

My switch configuration is below; can anyone spot anything I have missed?

interface range ethernet all
spanning-tree portfast
exit
interface range ethernet e(1-24)
dot1x multiple-hosts authentication
exit
interface ethernet g1
switchport mode trunk
exit
vlan database
vlan 2-5,9-11
exit
interface ethernet g1
switchport trunk allowed vlan add 2
exit
interface ethernet g1
switchport trunk allowed vlan add 3
exit
interface ethernet g1
switchport trunk allowed vlan add 4
exit
interface ethernet g1
switchport trunk allowed vlan add 5
exit
interface ethernet g1
switchport trunk allowed vlan add 9
exit
interface ethernet g1
switchport trunk allowed vlan add 10
exit
interface ethernet g1
switchport trunk allowed vlan add 11
exit
interface vlan 2
name netman
exit
interface vlan 3
name lt-sys
exit
interface vlan 4
name pub-sys
exit
interface vlan 5
name lt-clients
exit
interface vlan 9
name lt-voip
exit
interface vlan 10
name lt-print
exit
interface vlan 11
name lt-wifi
exit
dot1x system-auth-control
interface range ethernet e(1-24)
dot1x radius-attributes vlan
exit
interface range ethernet e(1-24)
dot1x port-control auto
exit
interface vlan 2
ip address 10.58.2.7 255.255.255.0 
exit
hostname sw-3-1
radius-server host 10.58.2.128 key switch usage dot1.x 
radius-server host 10.58.3.132 key switch priority 1 usage dot1.x 
aaa authentication dot1x default radius 
username bryan password password-hash-was-here level 15 encrypted
ip domain-name liketechnologies.local
ip name-server  10.58.3.32 10.58.3.33

I have now (mostly) managed to resolve this. Ports are being assigned to VLANs correctly as a result of RADIUS authentication, but for some reason, after a device is assigned an IP address from our DHCP server, no other traffic is forwarded.

I may just have my VLAN routing wrong, or I'm not passing the VLAN traffic over the trunk ports correctly.

For anyone else who finds this via Google, my (mostly) working configuration is below:

interface range ethernet all
spanning-tree portfast
exit
interface range ethernet e(1-24)
dot1x multiple-hosts authentication
exit
interface range ethernet g(1-4)
switchport mode trunk
exit
vlan database
vlan 2-6,9-11
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 2
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 3
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 4
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 5
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 6
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 9
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 10
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 11
exit
interface vlan 2
name netman
exit
interface vlan 3
name lt-sys
exit
interface vlan 4
name pub-sys
exit
interface vlan 5
name lt-clients
exit
interface vlan 6
name guest
exit
interface vlan 9
name lt-voip
exit
interface vlan 10
name lt-print
exit
interface vlan 11
name lt-wifi
exit
interface vlan 6
dot1x guest-vlan
exit
dot1x system-auth-control
interface range ethernet e(1-24)
dot1x re-authentication
exit
interface range ethernet e(1-24)
dot1x max-req 3
exit
interface range ethernet e(1-24)
dot1x mac-authentication mac-and-802.1x
exit
interface range ethernet e(1-24)
dot1x radius-attributes vlan
exit
interface range ethernet e(1-24)
dot1x port-control auto
exit
interface range ethernet e(1-24)
dot1x guest-vlan enable 
exit
interface vlan 2
ip address 10.58.2.99 255.255.255.0 
exit
hostname sw-1-2
radius-server host 10.58.2.128 key switch priority 2 
radius-server host 10.58.3.132 key switch priority 1 
aaa authentication dot1x default radius 
username bryan password password-hash-was-here level 15 encrypted
clock source sntp
sntp server 10.58.3.128 poll
ip domain-name liketechnologies.local
ip name-server  10.58.3.32 10.58.3.33
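Added example, not from the post or from Dell's tooling: a small Python check for the symptom described above, that every VLAN RADIUS might hand to an 802.1X port is declared in the vlan database and allowed on every trunk uplink, otherwise an authenticated host lands in a VLAN that never leaves the switch. It runs over a constructed config fragment modelled on the posted one (the trunk spec, the missing VLAN 6 and the VLAN list passed in are assumptions).

```python
import re
# Constructed config modelled on the post's; VLAN 6 is deliberately left off the trunk.
SAMPLE_CONFIG = """\
vlan database
vlan 2-6,9-11
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 2
exit
interface range ethernet g(1-4)
switchport trunk allowed vlan add 5
exit
"""

def expand_vlan_list(spec):
    """Expand a Dell-style VLAN list such as '2-6,9-11' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Return (VLANs declared in 'vlan database', {trunk spec: allowed VLANs})."""
    declared, trunks, current = set(), {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        iface = re.match(r"interface (?:range )?ethernet (\S+)$", line)
        if iface:
            current = iface.group(1)
        elif line == "exit":
            current = None
        elif current is None and re.match(r"vlan [\d,\-]+$", line):
            declared |= expand_vlan_list(line.split()[1])
        elif current and line == "switchport mode trunk":
            trunks.setdefault(current, set())
        elif current and line.startswith("switchport trunk allowed vlan add "):
            trunks.setdefault(current, set()).update(expand_vlan_list(line.split()[-1]))
    return declared, trunks

def find_unreachable_vlans(text, radius_vlans):
    """Map each RADIUS-assignable VLAN a host could not leave the switch on to the reason."""
    declared, trunks = parse_config(text)
    problems = {}
    for vlan in sorted(radius_vlans):
        missing = [name for name, allowed in trunks.items() if vlan not in allowed]
        if vlan not in declared:
            problems[vlan] = ["not in vlan database"]
        elif missing:
            problems[vlan] = missing
    return problems
```

Feed it the switch's running config and the set of VLAN IDs your RADIUS policy returns in Tunnel-Private-Group-ID; an empty result means the trunk side cannot be the reason traffic stops.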

Source: https://serverfault.com/questions/178233