N3000: Radius VLAN assignment

Question

Hi, I've tried assigning a VLAN via Radius, and I don't want/need to do fully fledged EAP (802.1x) but only MAC-based auth/MAB. One of the messages I got was: Time Stamp..................................... Apr 13 2017 18:04:21Result Age..................................... 0 days, 1 hours, 33 minutes, 9 secondsInterface...................................... Gi1/0/1MAC-Address.................................... 001E.330B.7554VLAN Assigned.................................. 1VLAN Assigned Reason........................... Default Assigned VLANFilter Name....................................Auth Status.................................... AuthorizedReason......................................... Authentication Successful, VLAN Assignment Feature Not Present for a MAB Client. I found out that the VLAN is correctly assigned ('Dot1x Radius Authentication Successful for a MAB Client') if I configure Radius to perform an EAP dialog. Why would EAP be necessary in order to get VLAN assignment via Radius to work? Radius returns all necessary items (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id), there is no need to add EAP for that. Bye, Jammac PS. Here's my current config: authentication enabledot1x system-auth-controlaaa authentication dot1x default radiusaaa authorization network default radius radius-server host 1.2.3.4  key 123  usage 802.1x int range gi 1/0/1-46  switchport mode general  dot1x port-control mac-based   dot1x reauthentication  dot1x max-users 4    dot1x mac-auth-bypass  authentication order mab  authentication priority mabexit

DELL-Josh Cr · Answer

Hi,

What firmware version are you using? Are you using Windows as your RADIUS server? http://en.community.dell.com/techcenter/networking/w/wiki/11739.dell-networking-n-series-dot1x-mac-authentication-bypass

jammac · Answer

It's N3000 v6.3.2.4 and Freeradius v3.I didn't say it wasn't working. I was simply asking why it had to be this complicated.The switch could simply send an Access-Request to the Radius Server which would reply with a response (Access-Accept) containing all the necessary attributes and that would be it.That's what it does anyway, but the switch only accepts the VLAN (Tunnel-Private-Group-ID) once a successful EAP dialogue inside the Radius session has taken place too. Why?

DELL-Josh Cr · Answer

I will check with the engineering team.

DELL-Josh Cr · Answer

I was not able to get a reason for why it is like this.

jammac · Answer

Too bad no one seems to know what's going on. Probably it's that way because Broadcom sell it that way, but that still is no explanation :)

Guess I'll try Professional Support on that and see how professional they are :)

md1x0n · Answer

Were you able to force the EAP message inside RADIUS so that the switch would accept VLAN assigment with MAB?   We've been struggling with this same problem.

Networking General

Was this post helpful?