Trunkport via RADIUS ( device-traffic-class=switch )
I am trying to set an interface to trunk via RADIUS.
On the client side, the port is set to trunk like a regular trunk port.
On the switch side (Dell N3000-ON with Firmware 18.104.22.168) it's an 802.1X-configured port.
no green-mode eee
spanning-tree portfast
spanning-tree guard root
switchport mode general
authentication host-mode multi-auth
authentication event fail action authorize vlan 931
authentication periodic
authentication timer reauthenticate 157680000
mab auth-type pap
authentication order dot1x mab
authentication priority dot1x
lldp tlv-select system-description system-capabilities
lldp notification
lldp med confignotification
switchport voice vlan 205
My RADIUS server sends the ciscoAVpair attribute correctly to the switch, and the command is logged as successful.
<189> Nov 5 15:02:33 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619521 %% NOTE Gi7/0/1 is transitioned from the Forwarding state to the Blocking state in VLAN 1
<189> Nov 5 15:02:33 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619519 %% NOTE Gi7/0/1 is transitioned from the Forwarding state to the Blocking state in VLAN 999
<189> Nov 5 15:02:31 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619463 %% NOTE Spanning Tree Topology Change: VLAN 999, Unit: 1
<189> Nov 5 15:02:30 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619405 %% NOTE Spanning Tree Topology Change: VLAN 1, Unit: 1
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 22619375 %% INFO Client authorized on port (Gi7/0/1) with VLAN type RADIUS.
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 DOT1Q[dot1qTask]: dot1q_control.c(7317) 22619373 %% INFO Gi7/0/1 is being acquired by AUTH_MGR.
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 DOT1Q[dot1qTask]: dot1q_control.c(7309) 22619372 %% INFO Trunk mode setting on Gi7/0/1 is successful.
But it's not possible to communicate through that trunk ... I can't reach the management IP in vlan 999.
What's also strange: the L3 MAC is authenticated through MAB directly after setting the port to trunk. Or is the trunk overwritten by that auth?
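To read the syslog excerpt in the post above in chronological order and list which VLANs left the Forwarding state after the RADIUS trunk assignment, a small parser is enough. This is an added example, not part of the original post or any Dell tooling; the field layout is inferred from the seven lines posted, and the function names are hypothetical.

```python
import re

# Log lines copied from the post above (newest first, as posted).
LOG = """\
<189> Nov 5 15:02:33 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619521 %% NOTE Gi7/0/1 is transitioned from the Forwarding state to the Blocking state in VLAN 1
<189> Nov 5 15:02:33 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619519 %% NOTE Gi7/0/1 is transitioned from the Forwarding state to the Blocking state in VLAN 999
<189> Nov 5 15:02:31 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619463 %% NOTE Spanning Tree Topology Change: VLAN 999, Unit: 1
<189> Nov 5 15:02:30 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619405 %% NOTE Spanning Tree Topology Change: VLAN 1, Unit: 1
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 22619375 %% INFO Client authorized on port (Gi7/0/1) with VLAN type RADIUS.
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 DOT1Q[dot1qTask]: dot1q_control.c(7317) 22619373 %% INFO Gi7/0/1 is being acquired by AUTH_MGR.
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 DOT1Q[dot1qTask]: dot1q_control.c(7309) 22619372 %% INFO Trunk mode setting on Gi7/0/1 is successful.
"""

# Assumed layout: <pri> timestamp host COMPONENT[task]: file(line) sequence %% SEVERITY message
LINE = re.compile(
    r"<(?P<pri>\d+)> (?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
    r"(?P<comp>\w+)\[\w+\]: \S+\(\d+\) (?P<seq>\d+) %% (?P<sev>\w+) (?P<msg>.*)"
)
TRUNK = re.compile(r"Trunk mode setting on (\S+) is successful")
STP = re.compile(
    r"(\S+) is transitioned from the (\w+) state to the (\w+) state in VLAN (\d+)"
)


def parse(text):
    """Parse the lines and return events oldest first, ordered by sequence number."""
    events = [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]
    # Timestamps have one-second resolution; the sequence number orders ties.
    return sorted(events, key=lambda e: int(e["seq"]))


def blocked_after_trunk(text):
    """Return {port: [vlan, ...]} for VLANs that left Forwarding after a trunk assignment."""
    trunked, blocked = set(), {}
    for event in parse(text):
        if m := TRUNK.search(event["msg"]):
            trunked.add(m.group(1))
        elif (m := STP.search(event["msg"])) and m.group(1) in trunked:
            port, old, new, vlan = m.groups()
            if old == "Forwarding" and new != "Forwarding":
                blocked.setdefault(port, []).append(int(vlan))
    return blocked


if __name__ == "__main__":
    for e in parse(LOG):
        print(e["ts"], e["seq"], e["comp"], e["msg"])
    print(blocked_after_trunk(LOG))
```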
Radius authentication is something that I haven't configured or supported, so I can't speak to that much. However, linked below is the manual for firmware version 6.6.3. Page 1001 starts a section for radius commands. It should be of use to you.
There is nothing described in the CLI guide about that.
Only in the manual is there a small part about managing trunk ports via RADIUS:
RADIUS Trunk Mode Assignment

Some network administrators may choose to use a default configuration on all ports in the network and administer bespoke network policies via RADIUS. Dell EMC switches support configuration of switchport trunk mode on ports via RADIUS. In an 802.1X Access-Accept message, the Cisco VSA devicetraffic-class=switch indicates that the connected device is capable of forwarding traffic from multiple stations using tagged and untagged traffic. When an Access-Accept message is received that contains the VSA devicetraffic-class=switch, the switch operationally sets the port to trunk mode and utilizes the RADIUS-assigned VLAN to set the operational native VLAN. If not present, the port PVID is used to set the operational trunk port native VLAN. Spanning-tree portfast is operationally disabled on the port. Any trunk mode configuration on the port is respected.

NOTE: MAB and the guest VLAN feature are mutually exclusive on a port. If MAB is enabled on a port concurrently with guest VLAN, the port will not move to the authorized state.

Additional hosts may authenticate on a switchport trunk (or general) mode port configured in authentication host-mode multi-auth and contain a VLAN assignment. If the Access-Accept contains a VLAN assignment, the VLAN assignment is honored for the client. Client packets must be tagged with the assigned VLAN to be forwarded.