Unsolved

August 7th, 2019 07:00

N2048P and MAB: Wrong EAP Message for a MAB Client

Hello,

I'm testing 802.1X MAC authorization for a proof of concept. Devices are authorized by a FreeRADIUS server with an N2048P running OS6.3 as a NAS.

The authorization process is working fine (I can see this through the "freeradius -X" command) until the RADIUS server sends an Access-Accept message to the NAS telling the switch to authorize the device and put the port in the appropriate VLAN. The switch is rejecting this Access-Accept and an EAP Failure message is sent to the device instead.

The "show logging" command reports this:

<189> Aug  2 10:28:08 dell-n2048p-users-1-1 DOT1X[dot1xTask]: dot1x_radius.c(654) 58882 %% EAP message not received from server.RADIUS server did not send required EAP message.

And the web UI has some more logs:

Dot1x Radius Accept Process - Wrong EAP Message for a MAB Client

Here's the switch 802.1X configuration:

!
dot1x system-auth-control
aaa authentication dot1x default radius 
aaa authorization network default radius
radius-server attribute 6 on-for-login-auth
radius-server attribute 31 mac format ietf upper-case
radius-server host auth 10.0.180.100
primary
name "Default-RADIUS-Server"
usage 802.1x
key 7 "..."
exit
!
interface Gi1/0/1
switchport mode general
dot1x port-control mac-based
dot1x timeout guest-vlan-period 10
dot1x mac-auth-bypass
exit 
! 

The FreeRADIUS configuration:

$ sudo cat /etc/freeradius/3.0/sites-available/default 
listen {         
    type = auth         
    ipaddr = 10.0.180.100         
    port = 0         
    limit {               
        max_connections = 16               
        lifetime = 0               
        idle_timeout = 30         
    } 
} 
authorize {         
    preprocess          
    rewrite_calling_station_id         
    authorized_macs             
    if (!ok) {                 
        reject             
    }             
    else {                 
        update control {                     
            Auth-Type = Accept 
        }             
    } 
}

$ sudo cat /etc/freeradius/3.0/mods-available/files 
files authorized_macs {         
    key = "%{Calling-Station-ID}"         
    usersfile = ${confdir}/authorized_macs
} 

$ sudo cat /etc/freeradius/3.0/authorized_macs
AA-BB-CC-DD-EE-FF
    Cleartext-Password := "AA-BB-CC-DD-EE-FF",
    User-Name := "AA-BB-CC-DD-EE-FF",
    Service-Type = Framed-User,
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-id = 150

I can't figure out why the switch is saying that the EAP message isn't a required one. And what could be wrong in "Wrong EAP Message for a MAB Client"? Am I missing something in the config? What could make the EAP response be rejected by the switch?

Thank you in advance!
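
The switch log in the post above says the RADIUS reply lacked a required EAP message. As an added example (not part of the original post or of either product), this Python code parses a RADIUS request/reply pair, such as one exported from a capture, and reports whether the reply carries an EAP-Message attribute (79). The sample packets are constructed, and the EAP-wrapped MAB request is an assumption about what the switch sends, which the page does not show.

```python
import struct

# Attribute and packet codes from RFC 2865, RFC 2868 and RFC 3579.
ATTRS = {1: "User-Name", 6: "Service-Type", 31: "Calling-Station-Id",
         64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 79: "EAP-Message",
         80: "Message-Authenticator", 81: "Tunnel-Private-Group-Id"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

def parse_radius(pkt: bytes):
    """Return (packet type, [(attribute name, raw value), ...])."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type (1 byte), length (1 byte, includes header), value.
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((ATTRS.get(pkt[pos], str(pkt[pos])), pkt[pos + 2:pos + alen]))
        pos += alen
    return CODES.get(code, str(code)), attrs

def eap_check(request: bytes, response: bytes) -> str:
    """Say whether the response answers an EAP request with an EAP-Message."""
    _, req = parse_radius(request)
    kind, resp = parse_radius(response)
    req_eap = any(name == "EAP-Message" for name, _ in req)
    resp_eap = any(name == "EAP-Message" for name, _ in resp)
    if not req_eap:
        return f"{kind}: request carried no EAP-Message"
    return f"{kind}: EAP-Message " + ("present" if resp_eap else "missing")

def build(code, attrs):
    """Constructed sample packet: identifier 1, zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

MAC = b"AA-BB-CC-DD-EE-FF"
# Assumption: the switch wraps the MAC in an EAP-Response/Identity.
REQUEST = build(1, [(1, MAC), (31, MAC),
                    (79, struct.pack("!BBHB", 2, 1, 5 + len(MAC), 1) + MAC),
                    (80, bytes(16))])
# Reply attributes taken from the authorized_macs entry in the post.
ACCEPT = build(2, [(6, struct.pack("!I", 2)), (64, struct.pack("!I", 13)),
                   (65, struct.pack("!I", 6)), (81, b"150")])

print(eap_check(REQUEST, ACCEPT))
```
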

Moderator


August 14th, 2019 09:00

Hi,

What version is the switch firmware? You may want to try updating if it isn’t up to date.
