Dell N1500 series dot1x client auth not working after firmware upgrade
Hi guys,
I have here a Dell N1500 series switch with dot1x client authentication configured on access ports. Auth is client certificate based, authenticated on RADIUS servers. Everything in this chain is working perfectly when I am running firmware version 6.5.3.6 or lower. If I run version 6.6.0.7 or higher, the N1500 switch is not able to enable the client port.
The RADIUS server sends the RADIUS Access-Accept message back to the switch as expected. The switch gets this message. This is the debug output from the switch at that moment:
<190> Dec 11 12:15:00 MA-SW2-1 AUTHMGR[authmgrTask]: auth_mgr_control.c(5708) 20440 %% INFO Client not ready for authentication.
<190> Dec 11 12:14:55 MA-SW2-1 AUTHMGR[authmgrTask]: auth_mgr_control.c(5708) 20439 %% INFO Client not ready for authentication.
<190> Dec 11 12:14:54 MA-SW2-1 RADIUS[radius_task]: radius.c(2260) 20429 %% INFO RADIUS: MS attribute type =15
<190> Dec 11 12:14:54 MA-SW2-1 RADIUS[radius_task]: radius.c(2260) 20428 %% INFO RADIUS: MS attribute type =14
<189> Dec 11 12:14:49 MA-SW2-1 AUTHMGR[authmgrTask]: auth_mgr_client.c(1206) 20416 %% NOTE Deleting client authenticated with VLAN type DEFAULT on interface Gi1/0/1.
The port remains unauthenticated.
Now if I roll back to firmware version 6.5.3.6, everything works fine without changing any settings in the infrastructure or changing the switch config.
There is nothing special in interface configuration:
interface Gi1/0/3
spanning-tree portfast
switchport access vlan 2
authentication order dot1x
authentication priority dot1x
exit
and some more global config commands regarding radius server parameters, "dot1x system-auth-control" and that's it.
Is there anything important that has changed in dot1x behavior on firmware 6.6.x.x? Processing of RADIUS messages, or dot1x commands that I am missing?
Thank you.
DELL-Josh Cr
Moderator
December 11th, 2019 11:00
According to the release notes: "Implementation of IEEE 802.1X-2010 specification." So this may have changed things.
memo123
December 17th, 2019 00:00
Ok, this may have changed things.
But how can I find out how exactly the things have changed? What is the proper command syntax or what is the proper approach in this case?
ApeLike
January 9th, 2020 05:00
We have the same problem after an upgrade of the stack to version 6.6.0.13:
<190> Jan 9 14:04:08 OFT-ASW22-3 RADIUS[radius_task]: radius.c(2260) 812 %% INFO RADIUS: MS attribute type =15
<190> Jan 9 14:04:08 OFT-ASW22-3 RADIUS[radius_task]: radius.c(2260) 813 %% INFO RADIUS: MS attribute type =10
<190> Jan 9 14:04:08 OFT-ASW22-3 RADIUS[radius_task]: radius.c(2260) 814 %% INFO RADIUS: MS attribute type =26
<191> Jan 9 14:04:08 OFT-ASW22-3 RADIUS[dot1xTask]: radius_api.c(11004) 815 %% DBG RADIUS Vendor Specific Attribute received, Vendor ID = 311
<189> Jan 9 14:04:36 OFT-ASW22-3 AUTHMGR[authmgrTask]: auth_mgr_client.c(1206) 831 %% NOTE Deleting client authenticated with VLAN type DEFAULT on interface Gi1/0/15.
ApeLike
January 9th, 2020 07:00
I just found out that the problem was on the radius side. After I changed the config to only send the following attributes, the dot1x with dynamic vlan assignment started to work:
The VLAN attributes defined in RFC 3580 and required for VLAN assignment via RADIUS are as follows:
• Tunnel-Type (64) = VLAN (13)
• Tunnel-Medium-Type (65) = 802 (6)
• Tunnel-Private-Group-ID (81) = VLANID
The port has the following config:
storm-control broadcast action trap
storm-control multicast action trap
storm-control unicast action trap
spanning-tree portfast
switchport mode general
authentication host-mode single-host
authentication event no-response action authorize vlan 50
authentication periodic
authentication timer reauthenticate 600
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
And the global radius config on the switch is:
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server deadtime 1
radius server source-ip 10.42.20.22
radius server key 7 "STRING"
radius server auth 10.42.4.8
name "STRING"
exit
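The fix above comes down to what the RADIUS server puts into the Access-Accept. An added example follows (not from this thread and not Dell code) that decodes an Access-Accept from raw bytes, checks for the RFC 3580 triple (Tunnel-Type 64 = 13, Tunnel-Medium-Type 65 = 6, Tunnel-Private-Group-ID 81) and lists every other attribute that rides along, so a captured Accept can be compared against the minimal set that worked. The two sample packets are constructed inline: Vendor ID 311 and vendor types 10 and 26 are taken from the debug lines posted above (their meaning is not stated in the thread), while the VLAN id and the Session-Timeout value are made up. The 16-byte Response Authenticator is a zero placeholder and is not verified here.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81   # the VLAN id, as a tagged string
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27
ACCESS_ACCEPT = 2
MS_VENDOR_ID = 311             # Vendor ID seen in the switch debug output above


def parse_attributes(payload):
    """Walk the Type/Length/Value list that follows the 20-byte RADIUS header."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_vsa(value):
    """Split a Vendor-Specific (26) value into (vendor_id, vendor_type, data)."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen != len(value) - 4:
        raise ValueError("vendor-length does not match attribute length")
    return vendor_id, vtype, value[6:]


def tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte plus a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value):
    """Tunnel-Private-Group-ID: optional tag byte (0x00-0x1F) followed by the string."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return None, value.decode("ascii")


def vlan_assignment(packet):
    """Report the VLAN carried by an Access-Accept and anything sent alongside it."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, length = packet[0], struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    result = {"code": code, "vlan": None, "extra": []}
    ttype = tmedium = None
    for atype, value in parse_attributes(packet[20:]):
        if atype == TUNNEL_TYPE:
            _, ttype = tagged_int(value)
        elif atype == TUNNEL_MEDIUM_TYPE:
            _, tmedium = tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            _, result["vlan"] = tagged_string(value)
        elif atype == VENDOR_SPECIFIC:
            vendor_id, vtype, _ = parse_vsa(value)
            result["extra"].append("VSA vendor=%d type=%d" % (vendor_id, vtype))
        else:
            result["extra"].append("attribute %d" % atype)
    result["rfc3580_ok"] = ttype == 13 and tmedium == 6 and result["vlan"] is not None
    return result


# --- constructed sample packets (not captured traffic) -----------------------
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor_id, vtype, data):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + bytes([vtype, len(data) + 2]) + data)


def build_packet(code, ident, attrs):
    body = b"".join(attrs)
    # Authenticator is zeroed here; a real one is an MD5 over the response.
    return bytes([code, ident]) + struct.pack("!H", 20 + len(body)) + b"\x00" * 16 + body


VLAN_TRIPLE = [attr(TUNNEL_TYPE, b"\x01\x00\x00\x0d"),        # tag 1, VLAN (13)
               attr(TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"), # tag 1, 802 (6)
               attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"2")] # tag 1, VLAN "2" (made up)
SAMPLE_LEAN = build_packet(ACCESS_ACCEPT, 1, VLAN_TRIPLE)
SAMPLE_NOISY = build_packet(ACCESS_ACCEPT, 2, VLAN_TRIPLE + [
    vsa(MS_VENDOR_ID, 10, b"EXAMPLE"),        # vendor types 10 and 26 from the log lines
    vsa(MS_VENDOR_ID, 26, b"\x00\x00\x00\x00"),
    attr(SESSION_TIMEOUT, struct.pack("!I", 600)),  # made-up reauth interval
])

if __name__ == "__main__":
    for name, pkt in (("lean", SAMPLE_LEAN), ("noisy", SAMPLE_NOISY)):
        print(name, vlan_assignment(pkt))
```

Run it against a real Accept by reading the UDP payload of a capture into `vlan_assignment`; an `extra` list that is not empty shows exactly which attributes the server is sending beyond the three the switch needs for VLAN assignment.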