Unsolved

20 Posts

November 5th, 2020 06:00

Trunkport via RADIUS ( device-traffic-class=switch )

Hi,

I am trying to set an interface to trunk via RADIUS.

On the Client side, the port is set to trunk like a regular trunkport.

On the switch side (Dell N3000-ON with firmware 6.6.3.0) it's an 802.1X-configured port.

no green-mode eee
spanning-tree portfast
spanning-tree guard root
switchport mode general
authentication host-mode multi-auth
authentication event fail action authorize vlan 931
authentication periodic
authentication timer reauthenticate 157680000
mab auth-type pap
authentication order dot1x mab
authentication priority dot1x
lldp tlv-select system-description system-capabilities
lldp notification
lldp med confignotification
switchport voice vlan 205

My RADIUS server sends the ciscoAVpair attribute correctly to the switch, and the command is logged as successful.

<189> Nov 5 15:02:33 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619521 %% NOTE Gi7/0/1 is transitioned from the Forwarding state to the Blocking state in VLAN 1
<189> Nov 5 15:02:33 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619519 %% NOTE Gi7/0/1 is transitioned from the Forwarding state to the Blocking state in VLAN 999
<189> Nov 5 15:02:31 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619463 %% NOTE Spanning Tree Topology Change: VLAN 999, Unit: 1
<189> Nov 5 15:02:30 ME02-040-ACCESS-3 TRAPMGR[dot1s_task]: traputil.c(763) 22619405 %% NOTE Spanning Tree Topology Change: VLAN 1, Unit: 1
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 22619375 %% INFO Client authorized on port (Gi7/0/1) with VLAN type RADIUS.
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 DOT1Q[dot1qTask]: dot1q_control.c(7317) 22619373 %% INFO Gi7/0/1 is being acquired by AUTH_MGR.
<190> Nov 5 15:02:29 ME02-040-ACCESS-3 DOT1Q[dot1qTask]: dot1q_control.c(7309) 22619372 %% INFO Trunk mode setting on Gi7/0/1 is successful.

But it's not possible to communicate through that trunk ... I can't reach the management IP in vlan 999.

What's also strange: the L3 MAC is authenticated through MAB directly after setting the port to trunk. Or is the trunk overwritten by that auth?

2.9K Posts

November 5th, 2020 10:00

RADIUS authentication is something that I haven't configured or supported, so I can't speak to that much. However, linked below is the manual for firmware version 6.6.3. Page 1001 starts a section for RADIUS commands. It should be of use to you.

https://dell.to/38eaoPn

20 Posts

November 5th, 2020 13:00

Hi,

There is nothing described in the CLI guide about that.

Only in the manual is there a small part about managing trunk ports via RADIUS:

RADIUS Trunk Mode Assignment

Some network administrators may choose to use a default configuration on all ports in the network and administer bespoke network policies via RADIUS. Dell EMC switches support configuration of switchport trunk mode on ports via RADIUS. In an 802.1X Access-Accept message, the Cisco VSA device-traffic-class=switch indicates that the connected device is capable of forwarding traffic from multiple stations using tagged and untagged traffic. When an Access-Accept message is received that contains the VSA device-traffic-class=switch, the switch operationally sets the port to trunk mode and utilizes the RADIUS-assigned VLAN to set the operational native VLAN. If not present, the port PVID is used to set the operational trunk port native VLAN. Spanning-tree portfast is operationally disabled on the port. Any trunk mode configuration on the port is respected.

NOTE: MAB and the guest VLAN feature are mutually exclusive on a port. If MAB is enabled on a port concurrently with guest VLAN, the port will not move to the authorized state.

Additional hosts may authenticate on a switchport trunk (or general) mode port configured in authentication host-mode multi-auth and contain a VLAN assignment. If the Access-Accept contains a VLAN assignment, the VLAN assignment is honored for the client. Client packets must be tagged with the assigned VLAN to be forwarded.
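To make the manual's description concrete, here is an added example (not from the thread and not Dell's code) that encodes and decodes the attributes such an Access-Accept carries: the Cisco-AVPair VSA with device-traffic-class=switch plus the RFC 3580 VLAN attributes that become the operational native VLAN. The attribute numbers are the standard RADIUS ones; the VLAN 999, the RADIUS tag value and the function names are constructed for this example.

```python
import struct

ATTR_VENDOR_SPECIFIC, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 26, 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # Vendor-Id 9, sub-type 1 = Cisco-AVPair
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # RFC 3580 VLAN assignment values

def _avp(atype: int, value: bytes) -> bytes:
    """Generic RADIUS attribute: Type(1) | Length(1, header included) | Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) wrapping Vendor-Id 9 and a Cisco-AVPair (sub-type 1) string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """RFC 3580 VLAN assignment. Tagged integers are tag(1)+value(3); the string
    attribute carries the tag as its first byte (a first byte of 0x00-0x1F is a tag)."""
    return (_avp(ATTR_TUNNEL_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_TYPE_VLAN))
            + _avp(ATTR_TUNNEL_MEDIUM_TYPE, struct.pack("!I", (tag << 24) | TUNNEL_MEDIUM_IEEE802))
            + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def trunk_accept_attrs(native_vlan: int) -> bytes:
    """Access-Accept attribute list: trunk the port, native VLAN = the assigned VLAN (constructed)."""
    return cisco_avpair("device-traffic-class=switch") + vlan_assignment(native_vlan)

def decode_attrs(data: bytes) -> dict:
    """Walk an attribute list the way the switch would and extract the two things it acts on."""
    out = {"avpairs": [], "vlan": None}
    i = 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        val = data[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(val) >= 4 and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            j = 4  # sub-attributes follow the 4-byte Vendor-Id
            while j < len(val):
                stype, slen = val[j], val[j + 1]
                if slen < 2 or j + slen > len(val):
                    raise ValueError("malformed vendor sub-attribute")
                if stype == CISCO_AVPAIR:
                    out["avpairs"].append(val[j + 2:j + slen].decode())
                j += slen
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out["vlan"] = int((val[1:] if val[:1] <= b"\x1f" else val).decode())
        i += alen
    return out
```

A response that carries the VSA but no Tunnel-Private-Group-Id decodes with `vlan` as None, which is the case where, per the excerpt, the port PVID becomes the operational native VLAN.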
