Unsolved
July 6th, 2022 02:00
Dell N3048P doesn't authorize a dot1x port after being assigned a VLAN by RADIUS server
Hello, I have been able to implement dot1x port-based authentication on a Dell N3048EP-ON switch, but with almost the same conf and the exact same NPS server it doesn't work on my N3048P switch, which has firmware 6.5.4.20.
It's a stack; the dot1x port running-conf looks like this:
switchport mode general
dot1x reauthentication
dot1x timeout quiet-period 5
dot1x max-req 3
dot1x unauth-vlan 666
dot1x max-reauth-req 3
authentication order dot1x
authentication priority dot1x
and the global running conf looks like this:
aaa accounting dot1x default start-stop radius
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable
switchport voice vlan
radius server attribute 6 on-for-login-auth
radius server deadtime 15
radius server source-ip X.X.X.X
radius server attribute 31 mac format ietf lower-case
radius server auth X.X.Y.Y
 automate-tester username test idle-time 2
 primary
 name "testNAC"
 retransmit 1
 deadtime 3
 attribute 31 mac format ietf lower-case
 key 7 xxxx
 exit
radius server vsa send authentication
The firmware is quite different from one model to the other, but I feel like I am missing something.
The RADIUS server is sending these attributes:
AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
AVP: t=Tunnel-Private-Group-Id(81) l=5 val=111
AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
and it doesn't work with whatever service-type I use.
I do: show dot1x authentication-history all
I get:
Time Stamp            Interface MAC-Address       VLANID Auth Status
--------------------- --------- ----------------- ------ ------------
Jul 06 2022 11:10:51  Gi2/0/1   E4B9.XXXX.XXXX    111    Unauthorized
Here are the logs:
<190> Jul 6 10:32:46 swi-dis-p-t-ob-3 AUTHMGR[authMgrTask]: auth_mgr_control.c(1103) 3377 %% INFO User Authentication failed on interface Gi2/0/1.
<188> Jul 6 10:32:46 swi-dis-p-t-ob-3 DOT1X[dot1xTask]: dot1x_radius.c(1517) 3376 %% WARN Interface Gi2/0/1 not authorized. Unable to apply ACL
<190> Jul 6 10:32:46 swi-dis-p-t-ob-3 RADIUS[radius_task]: radius.c(2313) 3363 %% INFO RADIUS: MS attribute type =26
<190> Jul 6 10:32:46 swi-dis-p-t-ob-3 RADIUS[radius_task]: radius.c(2313) 3362 %% INFO RADIUS: MS attribute type =10
<190> Jul 6 10:32:46 swi-dis-p-t-ob-3 RADIUS[radius_task]: radius.c(2313) 3361 %% INFO RADIUS: MS attribute type =15
<190> Jul 6 10:32:46 swi-dis-p-t-ob-3 RADIUS[radius_task]: radius.c(2313) 3360 %% INFO RADIUS: MS attribute type =14
The supplicant is a Windows 10 Dell machine with 802.1x enabled with PEAP and MSCHAP-v2.
I have tested a lot of different port confs and different attributes sent by the RADIUS server, and nothing makes it work. The VLAN is authorized on all devices between the switch and the RADIUS server. If someone could help me pin down the one or few things I did wrong, I would really appreciate it.
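Added example, not part of the original post and not Dell or NPS code: a Python decoder for the three tunnel attributes quoted above, checking their RFC 2868 encoding and the RFC 3580 values used for VLAN assignment. The sample bytes are constructed from the AVP dump in the post, and the function names are hypothetical.

```python
# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 expects
# for dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed sample: the attribute bytes matching the AVP dump in the post.
SAMPLE = bytes.fromhex("410600000006" "5105313131" "40060000000d")

def parse_avps(data):
    """Split a RADIUS attribute section into (type, value) pairs."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]  # length counts the 2 header octets
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"attribute {atype}: bad length {alen}")
        avps.append((atype, data[i + 2:i + alen]))
        i += alen
    return avps

def check_vlan_assignment(avps):
    """Return (vlan, problems) for the tunnel attributes in an Access-Accept."""
    found, problems = {}, []
    for atype, val in avps:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:  # one tag octet + 3-octet integer
                problems.append(f"attribute {atype}: expected tag + 3-octet value")
                continue
            found[atype] = (val[0], int.from_bytes(val[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first octet is a tag only when it is 0x01..0x1F.
            tagged = bool(val) and 0x01 <= val[0] <= 0x1F
            text = (val[1:] if tagged else val).decode("ascii", "replace")
            found[atype] = (val[0] if tagged else 0, text)
    for atype, want in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        if atype not in found:
            problems.append(f"attribute {atype} missing")
        elif found[atype][1] != want:
            problems.append(f"attribute {atype} is {found[atype][1]}, expected {want}")
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        problems.append("attribute 81 missing")
    if len({tag for tag, _ in found.values()}) > 1:
        problems.append("tunnel attributes carry different tags")
    return found.get(TUNNEL_PRIVATE_GROUP_ID, (0, None))[1], problems

if __name__ == "__main__":
    print(check_vlan_assignment(parse_avps(SAMPLE)))
```

The attributes as quoted in the post decode to VLAN 111 with no problems reported; feed the function the attribute bytes of a captured Access-Accept to run the same check on live traffic.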
DELL-Chris H
Moderator
July 6th, 2022 09:00
Zeyesm-,
I would recommend starting with updating both switches to current and matching versions, then retest and see if the issue is resolved. If not then let me know, and we can go from there.
Zeyesm-
July 6th, 2022 10:00
Hello Chris, and thanks for your answer. Unfortunately, the N3000P latest firmware is 6.5.4.20 as far as I know. On the N3000EP-ON it's on the latest update without changing kernel, and it's working on this switch.
DELL-Chris H
Moderator
July 6th, 2022 13:00
Zeyesm,
Sorry for the delay. I am researching the issue and testing. I will be back with you as soon as possible.
Thanks for the patience.