Unsolved

2 Posts

November 26th, 2018 10:00

802.1x in Dell X1000 series switch

Hello everyone. I was wondering if anyone has managed to configure 802.1X with DVA on an X1026 switch.

I've configured everything I think I should have had to, but I just managed to reach the dreaded error:

"%SEC-W-SUPPLICANTUNAUTHORIZED: username test with MAC xx:xx:xx:xx:xx:xx was rejected on port gi1/0/2 because Radius accept message does not contain VLAN ID"

The thing is that I've checked the Radius server and it seems to be answering correctly as the log shows the VLAN id:

"Mon Nov 26 15:46:15 2018
Packet-Type = Access-Accept
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = "804"
Timestamp = 1543243575"

My lab is so simple I can just get frustrated: a X1026 switch with just two used ports, an uplink and a user port. What I'm trying to do is, if a user is authenticated by the Radius server the port should be assigned a VLAN (804 in my lab, could be any), and if not, the port should be put down.

Because the CLI is so limited and everything has to be done through the GUI, I'm not sure if I missed something. Has anyone been through the same as me? Does anyone have a clue what I am missing? I'm getting quite desperate...

My config is:

config-file-header
swtest
v3.0.0.99 / RASTUTE_800_009
CLI v1.0
set system mode L2
policy-based-vlans active
@
spanning-tree priority 16384
vlan database
vlan 804
exit
voice vlan oui-table add 000181 Nortel__________________
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 001049 Shoretel________________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00907a Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname swtest
encrypted radius-server host x.x.x.x key xxxxx usage dot1.x
aaa authentication dot1x default radius
aaa accounting dot1x start-stop group radius
aaa accounting login start-stop group radius
username admin password encrypted xxxxx privilege 15
no snmp-server enable traps
snmp-server community public ro x.x.x.x view Default
snmp-server group public v2 read Default
clock timezone UTC 1
clock summer-time recurring eu
ip domain name test.com
ip name-server x.x.x.x
!
interface vlan 1
no ip address dhcp
!
interface vlan 804
name Users
ip address x.x.x.x 255.255.254.0
!
interface gigabitethernet1/0/1
switchport mode trunk
switchport trunk allowed vlan remove 1-803,805-4094
!
interface gigabitethernet1/0/2
dot1x host-mode multi-sessions
dot1x reauthentication
dot1x radius-attributes vlan
dot1x port-control auto
switchport access vlan 804
switchport trunk allowed vlan remove 1-113,115-803,805-4094
!
[...]
exit
ip default-gateway x.x.x.x

Default settings:
Service tag: XXXXX

SW version 3.0.0.99 (date 04-Sep-2018 time 13:03:59)

Gigabit Ethernet Ports
=============================
no shutdown
speed 1000
duplex full
negotiation
flow-control off
mdix auto
no back-pressure

interface vlan 1
interface port-channel 1 - 12

spanning-tree
spanning-tree mode RSTP

qos basic
qos trust cos
eee enable

Thanks in advance! Regards.
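As an added example (not part of the original post), a small Python decoder that pulls the RFC 2868 tunnel attributes out of a captured Access-Accept and reports whether they carry a usable VLAN ID; it also handles the optional tag octet and a wrong Tunnel-Medium-Type, which the log excerpt above does not exercise. The packet bytes are constructed inline in place of the pcap, and the Response Authenticator is not verified.

```python
import struct

ACCESS_ACCEPT = 2
# RFC 2868 tunnel attributes and the values a VLAN assignment needs
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def parse_avps(payload):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def untag(value):
    """Drop the RFC 2868 tag octet; a first octet above 0x1F is data, not a tag."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_accept(packet):
    """Return (vlan, reason): the VLAN an Access-Accept assigns, or None and why not."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        return None, "not an Access-Accept (code %d)" % code
    if length != len(packet) or length < 20:
        return None, "bad packet length"
    attrs = {t: untag(v) for t, v in parse_avps(packet[20:length])
             if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)}
    if int.from_bytes(attrs.get(TUNNEL_TYPE, b""), "big") != TUNNEL_TYPE_VLAN:
        return None, "Tunnel-Type missing or not VLAN"
    if int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b""), "big") != MEDIUM_IEEE_802:
        return None, "Tunnel-Medium-Type missing or not IEEE-802"
    gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if not gid.isdigit() or not 1 <= int(gid) <= 4094:
        return None, "Tunnel-Private-Group-Id missing, non-numeric or out of range"
    return int(gid), "ok"


def build_accept(ident, vlan, tag=0, with_medium=True):
    """Constructed sample Access-Accept (authenticator zeroed, not verified here)."""
    fields = [(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
              (TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode())]
    if with_medium:
        fields.append((TUNNEL_MEDIUM_TYPE, bytes([tag]) + MEDIUM_IEEE_802.to_bytes(3, "big")))
    avps = b"".join(bytes([t, 2 + len(v)]) + v for t, v in fields)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(avps)) + bytes(16) + avps


if __name__ == "__main__":
    print(vlan_from_accept(build_accept(1, 804)))                     # (804, 'ok')
    print(vlan_from_accept(build_accept(2, 804, with_medium=False)))  # (None, '...')
```

To check a real capture, pass the UDP payload of the Access-Accept (from the pcap) to vlan_from_accept instead of the constructed packet.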

Moderator

8.7K Posts

November 26th, 2018 11:00

Hi,

This customer found some steps that worked on the N series, so you may want to try them. https://www.dell.com/community/Networking-General/802-1X-with-MAB-on-Phone-PC-port/td-p/5097970

2 Posts

November 27th, 2018 03:00

Hello Josh. Thanks for your answer.

If I have understood correctly, the other thread deals with a NAS (switch) not sending traffic to the Radius server. In my case, the Radius server correctly receives the Access-Request packet and seems to answer correctly with an Access-Accept packet. I sniffed the traffic and the reply seems to reach the switch correctly and includes the VLAN id in the "Tunnel-Private-Id" value-pair (would it be useful to post the pcap file?), so I suspect it must be a configuration issue (in the worst case, a bug).

The thing is that, because in the X1000 series switch you must configure almost everything through the GUI, I don't know what checkbox I missed :-( I followed the "Dell X1000 Series Switches User Guide" but it's not as clear as I would like, and the error message ("[...] accept message does not contain VLAN ID") confuses me because the server reply DOES contain the VLAN id.

Do you know if there is some way to debug this? Any hidden debug mode...?

Thank you!

Moderator

8.7K Posts

November 27th, 2018 07:00

These are the only logs (page 126, https://downloads.dell.com/manuals/common/networking-x-series-ug_en-us.pdf); there is not a more hidden mode. Can you private message me the service tag?

5 Posts

January 21st, 2023 02:00

I'm facing the same issue. The Radius server replies with Access-Accept and VLAN parameters, but the Dell switch logs a SEC-W-SUPPLICANTUNAUTHORIZED.

Did you ever manage to get it working?

5 Posts

January 21st, 2023 13:00

I managed to do it. The steps are more or less as follows.

  1. Create a guest VLAN and the VLAN(s) to be dynamically assigned. Private VLANs can't be assigned by DVA. Very disappointing, that was my first objective.
  2. Port VLAN Mode: Trunk, Member of any VLAN, Native VLAN None
  3. Host Authentication Mode: Multiple Sessions
  4. With Port Authentication Forced Authorized, enable Port Reauthentication and Save.
  5. Change to Dot1x & MAC for authentication and Save.
  6. Enable Guest VLAN, DVA, and Authentication Auto.

It is very bad to have to change these things one at a time if you have to do it on many ports, with hundreds of clicks.
