11 Posts

December 11th, 2019 07:00

Dell N1500 series dot1x client auth not working after firmware upgrade

Hi guys,

I have here a Dell N1500 series switch with dot1x client authentication configured on access ports. Auth is client-certificate based, authenticated on RADIUS servers. Everything in this chain is working perfectly when I am running firmware version 6.5.3.6 or lower. If I run version 6.6.0.7 or higher, the N1500 switch is not able to enable the client port.

The RADIUS server sends the RADIUS Access-Accept message back to the switch as expected. The switch gets this message. This is the debug output from the switch at that moment:

<190> Dec 11 12:15:00 MA-SW2-1 AUTHMGR[authmgrTask]: auth_mgr_control.c(5708) 20440 %% INFO Client not ready for authentication.
<190> Dec 11 12:14:55 MA-SW2-1 AUTHMGR[authmgrTask]: auth_mgr_control.c(5708) 20439 %% INFO Client not ready for authentication.
<190> Dec 11 12:14:54 MA-SW2-1 RADIUS[radius_task]: radius.c(2260) 20429 %% INFO RADIUS: MS attribute type =15
<190> Dec 11 12:14:54 MA-SW2-1 RADIUS[radius_task]: radius.c(2260) 20428 %% INFO RADIUS: MS attribute type =14
<189> Dec 11 12:14:49 MA-SW2-1 AUTHMGR[authmgrTask]: auth_mgr_client.c(1206) 20416 %% NOTE Deleting client authenticated with VLAN type DEFAULT on interface Gi1/0/1.

The port remains unauthenticated.

Now if I roll back to firmware version 6.5.3.6, everything works fine without changing any settings in the infrastructure or changing the switch config.

There is nothing special in interface configuration:

interface Gi1/0/3
spanning-tree portfast
switchport access vlan 2
authentication order dot1x
authentication priority dot1x
exit

and some more global config commands regarding RADIUS server parameters, "dot1x system-auth-control", and that's it.

Is there anything important that has changed in dot1x behavior on firmware 6.6.x.x? Processing of RADIUS messages, or dot1x commands that I am missing?

Thank you.

Moderator

8.5K Posts

December 11th, 2019 11:00

According to the release notes: "Implementation of IEEE 802.1X-2010 specification." So this may have changed things.

11 Posts

December 17th, 2019 00:00

OK, this may have changed things.

But how can I find out how exactly the things have changed? What is the proper command syntax or what is the proper approach in this case?

2 Posts

January 9th, 2020 05:00

We have the same problem after an upgrade of the stack to version 6.6.0.13:

<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11434) 810 %% DBG radiusClientAccessRequestSend:Recieved Radius send Access Request message
<190> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[radius_task]: radius.c(2260) 811 %% INFO RADIUS: MS attribute type =14
<190> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[radius_task]: radius.c(2260) 812 %% INFO RADIUS: MS attribute type =15
<190> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[radius_task]: radius.c(2260) 813 %% INFO RADIUS: MS attribute type =10
<190> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[radius_task]: radius.c(2260) 814 %% INFO RADIUS: MS attribute type =26
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11004) 815 %% DBG RADIUS Vendor Specific Attribute received, Vendor ID = 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11016) 816 %% DBG Unknown Vendor Specific Attribute for vendor ID 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11004) 817 %% DBG RADIUS Vendor Specific Attribute received, Vendor ID = 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11016) 818 %% DBG Unknown Vendor Specific Attribute for vendor ID 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11004) 819 %% DBG RADIUS Vendor Specific Attribute received, Vendor ID = 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11016) 820 %% DBG Unknown Vendor Specific Attribute for vendor ID 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11004) 821 %% DBG RADIUS Vendor Specific Attribute received, Vendor ID = 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11016) 822 %% DBG Unknown Vendor Specific Attribute for vendor ID 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11004) 823 %% DBG RADIUS Vendor Specific Attribute received, Vendor ID = 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11016) 824 %% DBG Unknown Vendor Specific Attribute for vendor ID 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11004) 825 %% DBG RADIUS Vendor Specific Attribute received, Vendor ID = 311
<191> Jan  9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11016) 826 %% DBG Unknown Vendor Specific Attribute for vendor ID 311
<190> Jan  9 14:04:09 OFT-ASW22-3 AUTHMGR[authmgrTask]: auth_mgr_control.c(5708) 827 %% INFO Client not ready for authentication.
<190> Jan  9 14:04:14 OFT-ASW22-3 AUTHMGR[authmgrTask]: auth_mgr_control.c(5708) 828 %% INFO Client not ready for authentication.
<190> Jan  9 14:04:19 OFT-ASW22-3 AUTHMGR[authmgrTask]: auth_mgr_control.c(5708) 829 %% INFO Client not ready for authentication.
<191> Jan  9 14:04:36 OFT-ASW22-3 DRIVER[bcmRLINK]: broad_link.c(90) 830 %% DBG HAPI LS callback, u 3. p 9 st:0
<189> Jan  9 14:04:36 OFT-ASW22-3 AUTHMGR[authmgrTask]: auth_mgr_client.c(1206) 831 %% NOTE Deleting client authenticated with VLAN type DEFAULT on interface Gi1/0/15.

I couldn't figure out how to resolve the problem until now.

2 Posts

January 9th, 2020 07:00

I just found out that the problem was on the RADIUS side. After I changed the config to only send the following attributes, dot1x with dynamic VLAN assignment started to work:

The VLAN attributes defined in RFC 3580 and required for VLAN assignment via RADIUS are as follows:
• Tunnel-Type (64) = VLAN (13)
• Tunnel-Medium-Type (65) = 802 (6)
• Tunnel-Private-Group-ID (81) = VLANID

The port has the following config:

storm-control broadcast action trap
storm-control multicast action trap
storm-control unicast action trap
spanning-tree portfast
switchport mode general
authentication host-mode single-host
authentication event no-response action authorize vlan  50
authentication periodic
authentication timer reauthenticate 600
dot1x timeout quiet-period 10
dot1x timeout tx-period 10

And the global radius config on the switch is:

authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server deadtime 1
radius server source-ip 10.42.20.22
radius server key 7 "STRING"
radius server auth 10.42.4.8
name "STRING"
exit
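As an added example (not from the thread or from Dell), a small Python audit of the attribute section of a RADIUS Access-Accept: it decodes the RFC 3580 VLAN triple listed above, checks the expected Tunnel-Type and Tunnel-Medium-Type values, and lists the vendor IDs of any Vendor-Specific attributes, so that extra attributes like the vendor 311 ones the switch logged as unknown show up before they reach the authenticator. The packet bytes are constructed for the example.

```python
# RFC 3580 attribute types used for dynamic VLAN assignment, plus Vendor-Specific (RFC 2865)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
VLAN, IEEE_802 = 13, 6  # expected Tunnel-Type and Tunnel-Medium-Type values

def parse_attributes(blob):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs

def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte, then a 3-byte big-endian integer."""
    return int.from_bytes(value[1:4], "big")

def tagged_str(value):
    """Tunnel-Private-Group-ID: a tag byte is present only if the first byte is 0x01..0x1F."""
    return value[1:].decode() if value and 1 <= value[0] <= 0x1F else value.decode()

def audit_access_accept(blob):
    """Return the VLAN triple, whether it matches RFC 3580, and the vendor IDs of any VSAs."""
    report = {"tunnel_type": None, "medium": None, "vlan": None, "vsa_vendors": []}
    for atype, value in parse_attributes(blob):
        if atype == TUNNEL_TYPE:
            report["tunnel_type"] = tagged_int(value)
        elif atype == TUNNEL_MEDIUM_TYPE:
            report["medium"] = tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            report["vlan"] = tagged_str(value)
        elif atype == VENDOR_SPECIFIC:  # first 4 bytes of a VSA are the IANA vendor ID
            report["vsa_vendors"].append(int.from_bytes(value[:4], "big"))
    report["rfc3580_ok"] = (report["tunnel_type"] == VLAN and report["medium"] == IEEE_802
                            and report["vlan"] is not None)
    return report

def tlv(atype, value):
    """Encode one RADIUS attribute: type, total length, value."""
    return bytes([atype, len(value) + 2]) + value

# Constructed sample Access-Accept attributes: the VLAN 50 triple (tag 1) plus one
# Microsoft VSA (vendor ID 311), the vendor the switch in the thread reported as unknown.
SAMPLE = (tlv(TUNNEL_TYPE, b"\x01" + VLAN.to_bytes(3, "big"))
          + tlv(TUNNEL_MEDIUM_TYPE, b"\x01" + IEEE_802.to_bytes(3, "big"))
          + tlv(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"50")
          + tlv(VENDOR_SPECIFIC, (311).to_bytes(4, "big") + bytes([16, 4, 0xAA, 0xBB])))
```

The functions expect the attribute section only, i.e. a captured RADIUS packet with its 20-byte header (code, identifier, length, authenticator) stripped.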
