Hi
I’m trying to set up dot1x in an existing environment.
There is a mgmt network as shown in the picture, and the switch can ping the RADIUS server via VPN. Is there a problem with me running the traffic through two other servers and a router in the way that makes it not work, or what am I missing? I tried to follow the wiki and read how others did it, but can’t find a solution.
Found something about BPDU can’t be active? Can that be a problem on the other switches?
/interface bridge
add name=bridge-lan vlan-filtering=yes
/interface vlan
add interface=bridge-lan name=mgmt vlan-id=99
/interface list
add name=dot1x
/interface bridge port
add bridge=bridge-lan interface=sfp-sfpplus1
add bridge=bridge-lan interface=sfp-sfpplus2
add bridge=bridge-lan interface=sfp-sfpplus3
add bridge=bridge-lan interface=sfp-sfpplus4
add bridge=bridge-lan edge=yes interface=dot1x
/interface bridge vlan
add bridge=bridge-lan comment=12 tagged=sfp-sfpplus4 vlan-ids=12
add bridge=bridge-lan comment=13 tagged=sfp-sfpplus4 vlan-ids=13
add bridge=bridge-lan comment=mgmt tagged=bridge-lan,sfp-sfpplus4 vlan-ids=99
add bridge=bridge-lan comment=11 tagged=sfp-sfpplus4 vlan-ids=11
/interface dot1x server
add interface=dot1x
/interface list member
add interface=ether1 list=dot1x
add interface=ether2 list=dot1x
add interface=ether3 list=dot1x
add interface=ether4 list=dot1x
add interface=ether5 list=dot1x
/ip address
add address=172.16.201.4/24 interface=mgmt network=172.19.201.0
/ip dns
set servers=8.8.8.8
/ip route
add distance=1 gateway=172.16.201.1
/radius
add address=192.168.2.2 secret="***********" service=dot1x
Would love some help.
Thanks!
When you have multiple networks, make sure the RADIUS client picks the proper source address for its queries.
You can explicitly configure that.
I have tried with and without specifying the src address on the RADIUS, no luck.
I’m trying in another network. I get this error, or TX error.
Help.
First lines are about “accounting”, not “authentication”. (There are multiple EAP methods in RADIUS. “Accounting” can be sent to a different RADIUS server than the authenticator RADIUS.)
Testing with NTRadPing?
NAS IP (switch IP) must be in the NAS list of RADIUS server. Be aware of NAT changing addresses.
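Added example, not part of the thread and not MikroTik or NTRadPing code: a small Python probe in the spirit of the NTRadPing test suggested above. It sends one PAP Access-Request from a chosen source address and separates "no reply" from "reply signed with a different secret". It assumes the server looks up the client (NAS) entry and shared secret by the packet's source IP, as RADIUS servers normally do; the addresses, user and secret in the demo are constructed values.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5-chained XOR)."""
    size = max(16, -(-len(password) // 16) * 16)        # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value        # type, length, value

def build_access_request(user, password, secret, nas_ip, ident=1, req_auth=None):
    """User-Name(1), User-Password(2), NAS-IP-Address(4), Message-Authenticator(80)."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(1, user.encode())
             + attr(2, hide_password(password.encode(), secret, req_auth))
             + attr(4, socket.inet_aton(nas_ip))
             + attr(80, bytes(16)))                     # zeroed while the HMAC is computed
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                           # fill in Message-Authenticator

def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return len(reply) >= 20 and hmac.compare_digest(want, reply[4:20])

def probe(server, secret, src_ip, user, password, port=1812, timeout=3.0):
    """Send one request from src_ip and classify what comes back."""
    request = build_access_request(user, password, secret, nas_ip=src_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((src_ip, 0))                          # pin the source address
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (server, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:                                 # timeout or ICMP unreachable
            return "no reply: source IP not in the NAS list, rewritten by NAT, or path blocked"
    if not reply_is_authentic(reply, request, secret):
        return "reply not authentic: server uses a different secret for this source IP"
    names = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    return names.get(reply[0], f"code {reply[0]}")

if __name__ == "__main__":
    # Constructed loopback values; use your server, secret and the NAS source IP.
    print(probe("127.0.0.1", b"constructed-secret", "127.0.0.1", "testuser", "testpass", timeout=1.0))
```

Run `probe()` from a host on the switch's management network with `src_ip` set to the address the server has in its NAS list. An authentic Access-Reject already shows that the path, source address and secret are correct.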