Sie zeigen eine alte Version dieser Seite an. Zeigen Sie die aktuelle Version an.

Unterschiede anzeigen Seitenhistorie anzeigen

« Vorherige Version anzeigen Version 3 Nächste Version anzeigen »


Description:

Some scenarios require certain end devices to always enter a specific VLAN, regardless of which switch port the devices are connected to. This can be achieved through RADIUS authentication, where the RADIUS user is assigned to a specific VLAN (dynamic VLAN). 

This article describes how to set up dynamic VLAN on a switch of the XS-51xx / XS-6xxx and GS-45xx series.

Requirements:

Procedure:

1) Configuring the RADIUS server on the LANCOM router:

1.1) In LANconfig, open the configuration for the router, navigate to the menu RADIUS → Server and set a checkmark next to RADIUS authentication active.

1.2) Navigate to the menu RADIUS services ports.

1.3) Check that the authentication port is set to 1812.

1.4) Go to the IPv4 clients menu.

1.5) Create a new entry and enter the following parameters:

  • IP address: Enter the IP address of the switch so that this can authenticate itself as the RADIUS authenticator at the RADIUS server.
  • Netmask: Enter the netmask 255.255.255. This stands for a single IP address.
  • Protocols: Check that the protocol is set to RADIUS.
  • Client secret: Enter a password that the switch uses to authenticate itself at the RADIUS server. This is entered on the switch in step 2.6.

1.6) Go to the User table menu.

1.7) Create a new entry and adjust the following parameters:

  • Name / MAC address: Enter the user name (in this example user).
  • Password: Enter the password for the user
  • VLAN: Enter the VLAN to be assigned to the user (in this example the VLAN 5).
  • Service type: From the drop-down menu, select Call check.
  • Expiry type: From the drop-down menu, select Never so that the user account remains permanently valid.

The service type call check is only supported as of LCOS 10.30.

1.8) This concludes the configuration of the RADIUS server on the LANCOM router. You can now write the configuration back to the device.



2) Configuring the RADIUS authenticator on the switch:

2.1) Connect to the web interface of the device and navigate to the menu System → AAA → Authentication List.

2.2) Select the entry dot1xList and then click Edit.

2.3) Under Available Methods select the option Radius and click the upper “arrow” icon to move it into the Selected Methods. Then click Submit.

The option Radius must be stored here, otherwise the switch will not forward the RADIUS requests to the RADIUS server.

2.4) Go to the menu Security → RADIUS → Named Server.

2.5) Click Add to add a RADIUS server.

2.6) Modify the following parameters and then click Submit:

  • IP Address/Host Name: Enter the IP address or host name of the RADIUS server that is to handle the authentication (in this case 192.168.45.254):.
  • Server Name: If necessary, adjust the name for the RADIUS server (in this example the name was left as the default setting Default RADIUS Server).  
  • Port Number: Leave the RADIUS port as the default value 1812.
  • Secret: Enter the client secret set in step 1.5.
  • Server Type: Select the option Primary

2.7) Go to the menu Security → Authentication Manager → Interface Configuration.

At this point, under no circumstances should the Admin Mode under Security → Authentication Manager → Configuration be activated (Enable), because authentication is enabled globally for all ports. Otherwise, configuration access to the switch is no longer possible!

The status of the Named Server under Current only changes to True when the switch receives a RADIUS request. 

2.8) Select the interface used for configuration access (in this example the port 1/0/1, which the router is also connected to), under Control Mode select the option Force Authorized and click Submit. With this setting, no authentication is performed on this port.

2.9) Select a port on which authentication should be performed (in this example 1/0/10), adjust the following parameters and click Submit:

  • Make sure that the Control Mode option is set to Auto. This means that no communication is possible via the port until the connected network participant has authenticated itself.
  • Under Host Mode, select the authentication method Single Authentication so that only one user can log in and communicate on this port.

2.10) On the Configuration tab, set the Admin Mode to the option Enable and click Submit.

2.11) Click on Save Configuration in the top right-hand corner to save the configuration as the start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.

As an alternative, the current configuration can be saved as the Start Configuration from the command line with the command write memory.

2.12) Confirm your changes by clicking OK.