GS1920-24 v2 - 802.1x and guest VLAN not working correctly

matejp
edited August 2022 in Switch

Hi,

I have a problem setting up a "private" VLAN and a guest VLAN on a GS1920-24 v2 switch.

What I want to setup:

Port 2 - access port with 802.1x authorization enabled (eap-tls/peap in my case), with the default "private" VLAN 10 for authorized users and guest VLAN 99 for non-authorized users.


What I have tried that didn't work:

I. VLAN 10

  • "Static VLAN setup" - port 24: fixed, tagged (uplink), port 2: normal, untagged
  • "VLAN port setup" - port 2: PVID 10, untag only

II. VLAN 99

  • "Static VLAN setup" - port 24: fixed, tagged (uplink), port 2: normal, untagged

III. 802.1X

  • Enable (global)
  • port 2: Enable

IV. Guest VLAN

  • port 2: active, Guest VLAN: 99, Host-mode: Multi-secure, Multi-Secure num: 1


In this setup the user (neither authorized nor unauthorized) didn't get an IP from the DHCP server. I can see the DHCP request (on the server), but the client didn't see the DHCP offer.


What I have tried that works, but with a defect:

The same setup, but the membership of access port 2 was set to "Fixed" for both VLANs (10 and 99). In this case the client gets the right IP from the DHCP server (an authorized client gets an IP from the VLAN 10 subnet and an unauthorized client gets an IP from the VLAN 99 subnet) and the network works correctly. BUT there was traffic from the other VLAN on that port, respectively: if a user was authorized, there was traffic from guest VLAN 99, and an unauthorized client can see packets from private VLAN 10.

If I changed the IP address (VLAN 10) on the authorized client to an address from the guest VLAN subnet (VLAN 99), the connection was not working (cannot ping other devices in VLAN 99) (and vice versa), so the PVID was working correctly (ingress).

I think that the problem is that the port is a member of both VLANs (fixed), and in that case the switch sends packets from both VLANs to access port 2 (egress).

Is this behavior ok, or do I have a wrong configuration?

Thanks for any advice.
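A small forwarding model, added here and not part of the original post or of Zyxel's firmware, that reproduces the three outcomes described above: the access port's PVID classifies the client's untagged DHCP discover, while the port's VLAN membership decides which VLANs' broadcasts egress to it. It uses the post's port and VLAN numbers and assumes (an assumption) that "normal" membership means port 2 is not a static member of the VLAN.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    pvid: int                            # VLAN given to untagged ingress frames
    members: set = field(default_factory=set)  # VLANs allowed to egress here

def flood_targets(ports, src, vlan):
    """Ports that receive a broadcast that entered on `src` in `vlan`."""
    return sorted(p.name for p in ports if p is not src and vlan in p.members)

def build_switch(port2_members, client_vlan):
    """Port 24: tagged uplink in VLAN 10 and 99. Port 2: the access port, whose
    PVID is the VLAN the 802.1X result assigns (10 = authorized, 99 = guest)."""
    uplink = Port("24", pvid=1, members={10, 99})
    access = Port("2", pvid=client_vlan, members=set(port2_members))
    return [uplink, access]

def dhcp_exchange(ports):
    """Classify the client's untagged DISCOVER by PVID, then check whether the
    server's OFFER (arriving on the uplink in that VLAN) can egress on port 2."""
    uplink, access = ports
    vlan = access.pvid
    return vlan, "2" in flood_targets(ports, uplink, vlan)

def leaked_vlans(ports, client_vlan):
    """VLANs other than the client's whose broadcasts still reach port 2."""
    uplink, _ = ports
    return sorted(v for v in uplink.members
                  if v != client_vlan and "2" in flood_targets(ports, uplink, v))

def scenario(port2_members, client_vlan):
    ports = build_switch(port2_members, client_vlan)
    vlan, delivered = dhcp_exchange(ports)
    return {"dhcp_vlan": vlan, "offer_delivered": delivered,
            "leaks": leaked_vlans(ports, client_vlan)}

if __name__ == "__main__":
    # Setup I: port 2 "normal" in both VLANs, modelled as no static membership
    # (assumption): the discover is classified, but the offer never egresses.
    print(scenario(set(), 10))
    # Setup II: port 2 "fixed" in 10 and 99: DHCP works, the other VLAN leaks.
    print(scenario({10, 99}, 10))
    print(scenario({10, 99}, 99))
    # Expected with dynamic assignment: membership follows the auth result.
    print(scenario({99}, 99))
```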

All Replies

  • matejp

    Thanks for your answer.

    But isn't this a security issue? In the guest VLAN, users can see MAC addresses from the private VLAN, SMB broadcasts, etc.

  • Zyxel_Derrick
    Zyxel Employee
    edited August 2019

    Hi @matejp

    Thanks for your advice!!

    We will put this to "Ideas" and evaluate the possibility to enhance it.

    Thanks

    Zyxel_Derrick

  • danyedinak

    I recently had the same problems on two different GS1900 series switches in which the client devices were not getting IP addresses from the USG devices the switch was connected to (even though the USG was receiving the request and assigning an IP). In both cases, the solution was to complete the VLAN configuration, save the configuration and then reboot the switch. Only AFTER the switch was rebooted would the DHCP packets get delivered to the client devices. The USG did not have to be rebooted, but the switch did - which still meant the VLAN configuration had to happen during non-business hours.

  • Kim
    edited September 2019

    After reading your description, I don't think it is related to 802.1x; it's more likely related to a VLAN mis-configuration, and it seems like the problem has been resolved?