Radius allocated VLAN: I can join all VLANs but VLAN1

2023-11-24 13:11:51
Model: OC300  
Hardware Version:
Firmware Version: 5.12.9

Hello,

I've got a setup with an external FreeRADIUS server with which, depending on the credentials provided, a Wi-Fi guest can join any VLAN except one: VLAN 1, i.e. the default VLAN, which is also the management VLAN.

All APs are EAP245.

My FreeRADIUS users file contains:

# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 (RFC 2868);
# Tunnel-Private-Group-ID carries the VLAN ID the AP should put the client in
foo1 Cleartext-Password := "123456abc"
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 1

foo2 Cleartext-Password := "123456abc"
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 101

When I enter foo2's credentials, it works (and I belong to VLAN 101).

When I enter foo1's credentials, it doesn't work (and I can't join VLAN 1):

I can see my DHCP server receiving a DHCPDISCOVER and replying with a DHCPOFFER, but I can't see the DHCPREQUEST/DHCPACK that normally follows.

I suspect the SG2428P switch does not forward the DHCPOFFER from the DHCP server to the requesting AP or Wi-Fi client, but I don't know how to check this.

For various reasons, the SG2428P switch is not managed by my OC300, so I configured it by hand, setting the PVID to 1 on every port.

1. Is there an easy way to spy on DHCP traffic on the AP?

2. Is there an easy way to spy on the traffic an SG2428P rejects or forwards?

3. Thoughts? Advice?

 

Best regards

#1
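
As an added example (not from the original post, FreeRADIUS or TP-Link), here is what the three attributes in that users file become on the wire inside a RADIUS Access-Accept, per RFC 2868, together with a decoder that applies the matching rules a NAS has to apply. The attribute numbers and enumerated values come from the RFC; the function names, the handling of the untagged Tunnel-Private-Group-ID form and the `collides_with_native_vlan` check are this example's own.

```python
"""RFC 2868 tunnel attributes as they travel inside a RADIUS Access-Accept.

Added example for this thread; the constants come from RFC 2868, the function
names and the collision check are this example's own.
"""
import struct

# Attribute numbers (RFC 2868)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
# Enumerated values a dynamic-VLAN reply uses
TUNNEL_TYPE_VLAN = 13        # the "Tunnel-Type = 13" line in the users file
TUNNEL_MEDIUM_IEEE_802 = 6   # the "Tunnel-Medium-Type = 6" line


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attributes that put a session into VLAN `vlan_id`.

    Each is a tagged attribute: Type, Length, one Tag octet, then the value.
    Tag 0x00 means untagged; tags 0x01..0x1F group attributes that belong together.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID outside the 802.1Q range 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    header = struct.Struct("!BBB")  # type, length, tag
    tunnel_type = header.pack(TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    medium = header.pack(TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")  # the VLAN ID is carried as a string, not an integer
    private_group = header.pack(TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag) + group
    return tunnel_type + medium + private_group


def parse_attrs(data):
    """Yield (type, value) pairs from a RADIUS attribute list (Type, Length, Value...)."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):  # RFC 2865: Length >= 3, counts Type and Length
            raise ValueError("malformed attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def vlan_from_attrs(data):
    """Return the VLAN ID a NAS should apply, or None if no complete, valid VLAN triple exists.

    Attributes are matched by tag.  A Tunnel-Private-Group-ID whose first octet
    is above 0x1F carries no tag at all (RFC 2868 section 3.6); that is what an
    untagged "Tunnel-Private-Group-ID = 101" looks like on the wire, and it is
    grouped here with tag 0 so it still matches untagged Tunnel-Type/Medium.
    """
    groups = {}
    for attr_type, value in parse_attrs(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be tag + 3 octets")
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value[0] <= 0x1F:
                tag, group = value[0], value[1:]
            else:
                tag, group = 0, value
            groups.setdefault(tag, {})[attr_type] = group
    for _tag, g in sorted(groups.items()):
        if g.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if g.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = g.get(TUNNEL_PRIVATE_GROUP_ID)
        if group is None:
            continue
        text = group.decode("ascii", errors="replace")
        # VLAN names are legal here too but need the NAS's own name table; only numeric IDs are resolved
        if text.isdigit() and 1 <= int(text) <= 4094:
            return int(text)
    return None


def collides_with_native_vlan(assigned_vlan, native_vlan):
    """True when the assigned VLAN equals the untagged (PVID) VLAN on the AP's uplink.

    A reply carrying VLAN 1 is just as well-formed as one carrying VLAN 101, so
    the combination this thread reports as failing (assigned VLAN == PVID ==
    management VLAN) has to be caught by the operator, not by the RADIUS server.
    """
    return assigned_vlan == native_vlan
```

`vlan_from_attrs(encode_vlan_attrs(1))` returns 1 exactly as `vlan_from_attrs(encode_vlan_attrs(101))` returns 101, which is the point: nothing in the RADIUS reply for foo1 is malformed, so the failure has to be looked for in the AP or the switch. `collides_with_native_vlan(1, 1)` is the condition worth alerting on given the reports in this thread.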
Re:Radius allocated VLAN: I can join all VLANs but VLAN1
2023-11-27 08:36:23

  @Oliv2831 

Use SNMP (Settings - Services - SNMP) to spy on the AP, and use the CLI to check the switch.

Just striving to develop myself while helping others.

#2
Re:Radius allocated VLAN: I can join all VLANs but VLAN1
2023-12-07 13:41:39

Using RADIUS-assigned VLANs in a RADIUS-powered PPSK setup, I also observed the same phenomenon when a Wi-Fi client tries to connect to VLAN 1 while this VLAN is also the management VLAN:

- the DHCP DISCOVER is sent by the client in the appropriate VLAN (i.e. VLAN 1)
- the DHCP OFFER is sent back within VLAN 1
- no DHCP REQUEST ever comes in, as if either the OFFER or the REQUEST was discarded by the AP.

It seems using the default VLAN 1 "collides" with RADIUS-assigned VLANs, with either 802.1X or PPSK.

#3
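
Added example, not part of any post in this thread: a small checker for question 1 of the original post ("spy on DHCP traffic") that works from the DHCP server's own syslog instead of the AP, and flags exactly the pattern described in the post above: DISCOVER and OFFER present, no REQUEST. The log lines are constructed in ISC dhcpd's syslog style for this example; the sub-interface-to-VLAN mapping assumes Linux `ethX.<vid>` naming on a trunked DHCP server, which is an assumption of the example, not something the thread states.

```python
"""Flag DHCP exchanges that stall after OFFER, from the DHCP server's own log.

Added example for this thread. The log lines below are constructed in the
syslog style of ISC dhcpd; the eth0.<vid> naming is a Linux sub-interface
convention assumed by this example, not something the thread states.
"""
import re
from collections import defaultdict

# Constructed sample: one client on VLAN 101 completes DORA, one on VLAN 1 keeps
# re-sending DISCOVER because its REQUEST never reaches the server.
SAMPLE_LOG = """\
Nov 24 13:10:01 dhcp dhcpd[812]: DHCPDISCOVER from 3c:52:a1:00:00:01 via eth0.101
Nov 24 13:10:01 dhcp dhcpd[812]: DHCPOFFER on 10.0.101.50 to 3c:52:a1:00:00:01 via eth0.101
Nov 24 13:10:01 dhcp dhcpd[812]: DHCPREQUEST for 10.0.101.50 (10.0.101.1) from 3c:52:a1:00:00:01 via eth0.101
Nov 24 13:10:01 dhcp dhcpd[812]: DHCPACK on 10.0.101.50 to 3c:52:a1:00:00:01 via eth0.101
Nov 24 13:11:51 dhcp dhcpd[812]: DHCPDISCOVER from 3c:52:a1:00:00:02 via eth0.1
Nov 24 13:11:51 dhcp dhcpd[812]: DHCPOFFER on 10.0.1.50 to 3c:52:a1:00:00:02 via eth0.1
Nov 24 13:11:55 dhcp dhcpd[812]: DHCPDISCOVER from 3c:52:a1:00:00:02 via eth0.1
Nov 24 13:11:55 dhcp dhcpd[812]: DHCPOFFER on 10.0.1.50 to 3c:52:a1:00:00:02 via eth0.1
Nov 24 13:12:03 dhcp dhcpd[812]: DHCPDISCOVER from 3c:52:a1:00:00:02 via eth0.1
Nov 24 13:12:03 dhcp dhcpd[812]: DHCPOFFER on 10.0.1.50 to 3c:52:a1:00:00:02 via eth0.1
"""

# Message type, client MAC and the interface the server saw the packet on
LINE_RE = re.compile(
    r"DHCP(?P<kind>DISCOVER|OFFER|REQUEST|ACK|NAK)\b.*?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*?\bvia (?P<iface>\S+)",
    re.IGNORECASE,
)
# Order of the DORA exchange; a client's "stage" is the furthest step seen
STAGE = {"DISCOVER": 1, "OFFER": 2, "REQUEST": 3, "ACK": 4}


def vlan_of_iface(iface):
    """Map a Linux 802.1Q sub-interface name such as eth0.101 to its VLAN ID (None if untagged)."""
    base, _, suffix = iface.rpartition(".")
    return int(suffix) if base and suffix.isdigit() else None


def parse_dhcp_log(text):
    """Return {(mac, iface): {"stage": int, "discovers": int, "nak": bool}} for every client seen."""
    clients = defaultdict(lambda: {"stage": 0, "discovers": 0, "nak": False})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DHCP message line (or a format this regex does not know)
        kind = m.group("kind").upper()
        client = clients[(m.group("mac").lower(), m.group("iface"))]
        if kind == "NAK":
            client["nak"] = True
            continue
        if kind == "DISCOVER":
            client["discovers"] += 1  # repeated DISCOVERs are the client retrying
        client["stage"] = max(client["stage"], STAGE[kind])
    return dict(clients)


def stalled_exchanges(text):
    """Clients that were OFFERed a lease but whose REQUEST never arrived, with the VLAN they sat on."""
    stalled = []
    for (mac, iface), client in parse_dhcp_log(text).items():
        if client["stage"] == STAGE["OFFER"]:
            stalled.append({"mac": mac, "iface": iface,
                            "vlan": vlan_of_iface(iface), "discovers": client["discovers"]})
    return stalled


if __name__ == "__main__":
    for entry in stalled_exchanges(SAMPLE_LOG):
        print(f"{entry['mac']} on VLAN {entry['vlan']} ({entry['iface']}): "
              f"{entry['discovers']} DISCOVER/OFFER rounds, no REQUEST")
```

Run against a real dhcpd log, a client that shows up only as repeated DISCOVER/OFFER rounds on the VLAN-1 sub-interface, while clients on other VLANs reach ACK, narrows the loss to the return path between server and client (switch or AP) without needing a capture on the AP itself.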
Re:Radius allocated VLAN: I can join all VLANs but VLAN1
2024-03-12 11:55:38

In my case, VLAN 1 was not tagged and I faced exactly the same symptom. I changed my switch to tag everything, even the port VLAN, on the port towards the Omada EAP. Now it works. Does that help in your case as well? I think this is a bug in the Dynamic VLAN handling of Omada EAPs because I never experienced that with any other brand. However, I am not aware of any IETF RFC which mandates this. Anyone?

#4
Re:Radius allocated VLAN: I can join all VLANs but VLAN1
2024-03-14 13:28:32

  @CISTORop 

In my tests, VLAN 1 was also untagged.

I have also never come across any other vendor's device that requires VLAN 1 to be explicitly tagged.

#5
Re:Radius allocated VLAN: I can join all VLANs but VLAN1
2024-03-24 12:37:40

  @Oliv2831 were you able to test my workaround as well already? If that worked, we are talking about the same issue for sure, and the issue is confirmed because two people face it. Consequently, TP-Link could create a bug report internally.

#6
Re:Radius allocated VLAN: I can join all VLANs but VLAN1
2024-03-28 09:32:09

  @CISTORop 

I'll do my best to test this issue anew within the next couple of days.

#7