Channel: Ethernet Switching topics

getting default vlan IP on 802.1x


Hi guys,

 

We've configured dynamic VLAN 802.1X authentication on RADIUS. After a user gets authenticated, it gets the default VLAN IP instead of the IP associated with the VLAN. DHCP IPs for the designated VLAN already worked before 802.1X was configured. See the config below and the output of "show dot1x interface detail".

 

Config:

set interfaces interface-range SOMI-VC1-M0-0-46 member-range ge-0/0/0 to ge-0/0/46
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control default

set interfaces irb unit 1 family inet address 192.168.190.253/24
set interfaces irb unit 189 family inet address 172.16.189.254/24

set protocols dot1x authenticator authentication-profile-name SOMI-AD
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 supplicant multiple
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 retries 2
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 transmit-period 2
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 mac-radius
set protocols dot1x authenticator interface SOMI-VC1-M0-0-46 guest-vlan Guest

set firewall family ethernet-switching filter Guest_Access term DC_Allow from ip-destination-address 172.16.x.7/32
set firewall family ethernet-switching filter Guest_Access term DC_Allow from ip-destination-address 172.16.x.9/32
set firewall family ethernet-switching filter Guest_Access term DC_Allow then accept
set firewall family ethernet-switching filter Guest_Access term Block_LAN from ip-destination-address 172.16.0.0/16
set firewall family ethernet-switching filter Guest_Access term Block_LAN then discard
set firewall family ethernet-switching filter Guest_Access term Allow_Internet from ip-destination-address 0.0.0.0/0
set firewall family ethernet-switching filter Guest_Access term Allow_Internet then accept

set access radius-server 172.16.x.9 secret "$9$M108LN-dw4oZ8XYoZjPfO1IRylX7-"
set access radius-server 172.16.x.9 source-address 172.16.x.254
set access profile SOMI-AD authentication-order radius
set access profile SOMI-AD radius accounting-server 172.16.x.9
set access profile SOMI-AD accounting order radius
set access profile SOMI-AD accounting accounting-stop-on-failure
set access profile SOMI-AD accounting accounting-stop-on-access-deny
set access profile SOMI-AD accounting send-acct-status-on-config-change

set vlans Miscellaneous vlan-id 189
set vlans Miscellaneous l3-interface irb.189
set vlans Miscellaneous forwarding-options dhcp-security
set vlans default vlan-id 1
set vlans default l3-interface irb.1

===========================

root> show dot1x interface ge-0/0/0 detail
ge-0/0/0.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 2
Quiet period: 60 seconds
Transmit period: 2 seconds
Mac Radius: Disabled
Mac Radius Restrict: Disabled
Reauthentication: Enabled
Reauthentication interval: 3600 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: Guest

Number of connected supplicants: 1
Supplicant: SYNERGYOCEAN\shivram, 34:E6:D7:3D:5F:92
Operational state: Authenticated
Backend Authentication state: Idle
Authentication method: Radius
Authenticated VLAN: Directors
Session Reauth interval: 3600 seconds
Reauthentication due in 1715 seconds

