Title: 【Typical Case】Troubleshooting Dynamic VLAN Delivery Failure on the CS83 Switch
Author: zhangqiao@ruiji
Time: 2024-7-23 14:46
Keywords: Voice VLAN, 802.1X authentication, dynamic VLAN, RADIUS, telephone
1. Device Model and Firmware
Device Type: Switch
Device Model: CS83-24GT4XS-PD
Firmware Version: RGOS 12.6(4)B0701
Issue Description
A telephone was connected to a CS83 switch and a voice VLAN was configured. The port where the telephone is connected was set as a hybrid port, allowing traffic from the voice VLAN to pass through untagged. Additionally, 802.1X authentication and dynamic VLAN were enabled on the port. The telephone successfully authenticated but failed to obtain an IP address.
The show log output displays that no dynamic VLAN exists on the port.
Troubleshooting
1. Check the voice VLAN, RADIUS, and port configurations on the CS83 switch.
The logs show successful authentication of the telephone, suggesting that the RADIUS configuration is correct. The issue is likely related to either the dynamic VLAN or the voice VLAN configuration.
The port enabled with 802.1X can successfully learn the MAC address of the telephone.
2. Collect debug information and verify if traffic from the dynamic VLAN delivered by the RADIUS server is permitted on the port.
Enable the following debugging. However, after the telephone is reconnected to the CS83 switch, the debug commands yield no output, and the dynamic VLAN delivered by the RADIUS server is not detected.
terminal mon
debug dot1x event
debug dot1x error
debug aaa all
debug radius all
Moreover, running the show dot1x summary command also yields no output.
3. Verify the configuration on the RADIUS server, then capture and analyze packets.
Packets obtained from the RADIUS server show that the AVP (81) Tunnel-Private-Group-Id in the AVPs field is set to T:200.
Cause Analysis
The Tunnel-Private-Group-Id value should be the dynamic VLAN ID or a VLAN name. However, because the delivered value contains non-numeric characters, it is parsed as a VLAN name. No VLAN named T:200 exists locally on the switch. Therefore, traffic from the dynamic VLAN is not permitted on the port.
Note: The following figures show RADIUS packets with a VLAN ID delivered normally.
2. Root Cause
An incorrect dynamic VLAN value delivered by the RADIUS server prevents the switch from properly parsing the VLAN.
3. Solution
1. Modify the relevant RADIUS packet fields on the RADIUS server.
2. In this case, set the VLAN name on the switch to the corresponding value.
Ruijie(config)#vlan 10
Ruijie(config-vlan)#name XXX
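The parsing rule from the cause analysis can be checked against a captured Access-Accept before changing the RADIUS server or the switch. The following Python script is an added example, not Ruijie code: it models the rule as this case describes it (digits only is a VLAN ID, anything else is a VLAN name, and the VLAN must exist locally). The function names, the sample packets and the local VLAN table are constructed for illustration.

```python
import struct

TUNNEL_PRIVATE_GROUP_ID = 81  # RADIUS attribute type, RFC 2868


def radius_attrs(packet: bytes):
    """Yield (type, value) for every attribute in a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen


def check_dynamic_vlan(packet: bytes, local_vlans: dict):
    """Return (kind, value, exists_locally) for the delivered VLAN.

    local_vlans maps VLAN ID -> VLAN name as configured on the switch
    (hypothetical input; fill it from the switch's VLAN table).
    """
    for atype, value in radius_attrs(packet):
        if atype != TUNNEL_PRIVATE_GROUP_ID:
            continue
        # RFC 2868: a first octet above 0x1F is part of the string,
        # a lower one is a tag byte and is stripped here.
        if value and value[0] <= 0x1F:
            value = value[1:]
        text = value.decode("ascii", "replace")
        if text.isdigit():  # digits only: treated as a VLAN ID
            return ("id", text, int(text) in local_vlans)
        # anything else is looked up as a VLAN name
        return ("name", text, text in local_vlans.values())
    return ("absent", None, False)


def build_accept(group_id: bytes) -> bytes:
    """Constructed sample Access-Accept carrying only attribute 81."""
    attr = bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(group_id)]) + group_id
    return struct.pack("!BBH", 2, 1, 20 + len(attr)) + bytes(16) + attr


if __name__ == "__main__":
    vlans = {1: "default", 200: "voice"}  # constructed VLAN table
    for gid in (b"T:200", b"200", b"\x01200", b"voice"):
        print(gid, check_dynamic_vlan(build_accept(gid), vlans))
```

A result of ("name", "T:200", False) reproduces this case; adding a VLAN named T:200 to the table, as in solution 2, turns the last field to True.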