April 23rd, 2021 02:00

MAB authentication / DHCP is not working on a Dot1x port

We have an N3048EP-ON switch stack running 6.6.3.36. We want to set up 802.1x and MAB on certain ports. DHCP also has to work.
The port configuration looks like:

ip dhcp snooping log-invalid
ip dhcp snooping limit rate 100
description "**(x)I05*114**"
spanning-tree portfast
switchport mode general
authentication event fail action authorize vlan 105
authentication periodic
mab
authentication order dot1x mab
authentication priority dot1x mab

This configuration works for dot1x clients but not for MAB. The following log lines are recorded:

<189> Apr 23 11:15:50 EN2SWR04-2 TRAPMGR[trapTask]: traputil.c(721) 8550351 %% NOTE Gi4/0/10 is transitioned from the Learning state to the Forwarding state in instance 0
<189> Apr 23 11:15:50 EN2SWR04-2 TRAPMGR[trapTask]: traputil.c(721) 8550350 %% NOTE Gi4/0/10 is transitioned from the Forwarding state to the Blocking state in instance 0
<189> Apr 23 11:15:50 EN2SWR04-2 MAB[mabTask]: mab_radius.c(180) 8550346 %% NOTE Radius Authentication failed on physPort:[Gi4/0/10] lIntIfNum:[11468801]Mac Address :[00:80:d4:0a:d0:f7].

<189> Apr 23 11:14:47 EN2SWR04-2 TRAPMGR[DHCP_snoop]: traputil.c(763) 8550250 %% NOTE DHCP snooping violation occurred on interface: Gi4/0/10 with vlan: 1 and MACAddr: 00:80:d4:0a:d0:f7
<188> Apr 23 11:14:47 EN2SWR04-2 DHCP_SNP[DHCP_snoop]: ds_main.c(4200) 8550249 %% WARN DHCP snooping dropping DISCOVER packet received from Gi4/0/10, vlan 1, from 00:80:D4:0A:D0:F7. DHCP not allowed from unauthorized port.
<189> Apr 23 11:14:37 EN2SWR04-2 TRAPMGR[DHCP_snoop]: traputil.c(763) 8550231 %% NOTE DHCP snooping violation occurred on interface: Gi4/0/10 with vlan: 1 and MACAddr: 00:80:d4:0a:d0:f7
<188> Apr 23 11:14:37 EN2SWR04-2 DHCP_SNP[DHCP_snoop]: ds_main.c(4200) 8550230 %% WARN DHCP snooping dropping DISCOVER packet received from Gi4/0/10, vlan 1, from 00:80:D4:0A:D0:F7. DHCP not allowed from unauthorized port.
<189> Apr 23 11:14:35 EN2SWR04-2 TRAPMGR[DHCP_snoop]: traputil.c(763) 8550229 %% NOTE DHCP snooping violation occurred on interface: Gi4/0/10 with vlan: 1 and MACAddr: 00:80:d4:0a:d0:f7
<188> Apr 23 11:14:35 EN2SWR04-2 DHCP_SNP[DHCP_snoop]: ds_main.c(4200) 8550228 %% WARN DHCP snooping dropping DISCOVER packet received from Gi4/0/10, vlan 1, from 00:80:D4:0A:D0:F7. DHCP not allowed from unauthorized port.
<189> Apr 23 11:14:19 EN2SWR04-2 TRAPMGR[trapTask]: traputil.c(721) 8550217 %% NOTE Link Up: Gi4/0/10

So it seems to me that the DHCP request is too early and the RADIUS authentication failed as well. The RADIUS server is an MS NPS.

Is there a guideline on how 802.1X, MAB and DHCP can be configured correctly? What is possibly wrong with my setup?

Thanks for your support.

April 23rd, 2021 05:00

I'm one step further: We have a mixed switch environment of Cisco and Dell. Cisco is still the majority. As we use a Microsoft NPS, we have to create a user like \001122334455, which is the MAC of the MAB device. This works well with Cisco. Dell is asking NPS for a user like \00:11:22:33:44:55, which does not exist.

What can I do to let the Dell switch change the username?

Moderator

April 23rd, 2021 07:00

Hello,

The 802.1X and MAB configuration guide is in this document, from page 294.

https://dell.to/3xdvAPL

In case you need help with configuration, you can buy a configuration ticket and one of our experts can follow you through the process.

Thanks
Marco

November 24th, 2022 05:00

Hello, I'm experiencing the same problem. Authentication via MAB does not work correctly with a RADIUS NPS server. I don't understand why Dell insists on sending the UserName as DOMAIN\00:11:22:33:44:55; this doesn't work with NPS. Active Directory does not allow creating users using " : " in the username. Has anyone managed to resolve this? Any help will be greatly appreciated. Dell, please help us. This documentation does not help to solve this problem; there is nothing that tells how to solve this way of delivering the MAC. They should send DOMAIN\001122334455.
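The MAB failure and the DHCP snooping drops in the first post can be read as one event per device by grouping the log lines on port and MAC. The Python below is an added example, not part of any post in this thread and not Dell or Microsoft code; the function names are hypothetical, the log lines are copied from the first post, and the lowercase spelling of the two User-Name forms is an assumption (the posts show only placeholder MACs, and the DOMAIN\ prefix is left out).

```python
import re
from collections import defaultdict

# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
<189> Apr 23 11:15:50 EN2SWR04-2 MAB[mabTask]: mab_radius.c(180) 8550346 %% NOTE Radius Authentication failed on physPort:[Gi4/0/10] lIntIfNum:[11468801]Mac Address :[00:80:d4:0a:d0:f7].
<188> Apr 23 11:14:47 EN2SWR04-2 DHCP_SNP[DHCP_snoop]: ds_main.c(4200) 8550249 %% WARN DHCP snooping dropping DISCOVER packet received from Gi4/0/10, vlan 1, from 00:80:D4:0A:D0:F7. DHCP not allowed from unauthorized port.
<188> Apr 23 11:14:37 EN2SWR04-2 DHCP_SNP[DHCP_snoop]: ds_main.c(4200) 8550230 %% WARN DHCP snooping dropping DISCOVER packet received from Gi4/0/10, vlan 1, from 00:80:D4:0A:D0:F7. DHCP not allowed from unauthorized port.
<188> Apr 23 11:14:35 EN2SWR04-2 DHCP_SNP[DHCP_snoop]: ds_main.c(4200) 8550228 %% WARN DHCP snooping dropping DISCOVER packet received from Gi4/0/10, vlan 1, from 00:80:D4:0A:D0:F7. DHCP not allowed from unauthorized port.
<189> Apr 23 11:14:19 EN2SWR04-2 TRAPMGR[trapTask]: traputil.c(721) 8550217 %% NOTE Link Up: Gi4/0/10
"""

MAB_FAIL = re.compile(r"Radius Authentication failed on physPort:\[([^\]]+)\]"
                      r".*?Mac Address :\[([0-9A-Fa-f:]{17})\]")
DHCP_DROP = re.compile(r"DHCP snooping dropping (\w+) packet received from ([^,]+), "
                       r"vlan (\d+), from ([0-9A-Fa-f:]{17})\. "
                       r"DHCP not allowed from unauthorized port")

def bare_mac(mac):
    """Separator-free lowercase spelling, e.g. 0080d40ad0f7 (case is an assumption)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def colon_mac(mac):
    """Colon-separated lowercase spelling, e.g. 00:80:d4:0a:d0:f7."""
    d = bare_mac(mac)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))

def correlate(log_text):
    """Count MAB failures and unauthorized-port DHCP drops per (port, MAC)."""
    devices = defaultdict(lambda: {"mab_failures": 0, "dhcp_drops": 0, "vlans": set()})
    for line in log_text.splitlines():
        if m := MAB_FAIL.search(line):
            devices[(m[1], bare_mac(m[2]))]["mab_failures"] += 1
        elif m := DHCP_DROP.search(line):
            dev = devices[(m[2], bare_mac(m[4]))]
            dev["dhcp_drops"] += 1
            dev["vlans"].add(int(m[3]))
    return dict(devices)

if __name__ == "__main__":
    for (port, mac), d in correlate(SAMPLE_LOG).items():
        print(f"{port} {mac}: {d['mab_failures']} MAB failure(s), "
              f"{d['dhcp_drops']} DHCP drop(s) on unauthorized port, vlan(s) {sorted(d['vlans'])}")
        print(f"  User-Name form the posts report from the Dell switch: {colon_mac(mac)}")
        print(f"  User-Name form of the NPS accounts used with Cisco:   {mac}")
```

A device that shows both counters for the same port and MAC has its DHCP traffic dropped because the port never became authorized, so the RADIUS lookup for that MAC is the entry to check first on the NPS side.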
