Unsolved

1 Rookie


January 29th, 2020 22:00

802.1x and mab authentication

Hi all, 

I would like to ask about 802.1X and mab authentication on N-series switches running firmware 6.6.0.0.

My configuration is as follows:

authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server auth 192.168.10.20
 name "RADIUS-Server"
 key 7 "bbg34d1bb"
!
interface Gi1/0/1
 spanning-tree portfast
 switchport mode general
 authentication host-mode single-host
 authentication max-users 1
 authentication event fail action authorize vlan 10
 mab auth-type chap
 authentication order dot1x mab
 authentication priority dot1x mab
exit

My questions:

1) Based on the above configuration, if a device doesn't pass 802.1x it will fail over to mab. How do I configure it so that a device authenticates with only one of 802.1x or mab? If a device has 802.1x enabled, it should authenticate with that method only, and if it fails, it should not fail over to mab.

2) I am using ClearPass. I am seeing the switch sending RADIUS packets to ClearPass, but they are not hitting a policy for 802.1X authentication. The initial service policy is generic for wired 802.1x and is seen below:

simon1112_0-1580365361235.png

Appreciate your advice. Thanks

Moderator


January 30th, 2020 10:00

Hi,

For the ports that need MAB, enable MAB; if a port only needs Dot1x, use that. If both are enabled, it will try to authenticate with both methods.

1 Rookie


January 30th, 2020 19:00

Hi Josh

Thanks for the reply. My use case is that I want the ports to be colorless. It can be an 802.1x device or a non-802.1x device connected to the port. I believe this is pretty much a standard connection method.

I am able to authenticate an 802.1x-enabled laptop and access the network. However, I also see my laptop performing MAC authentication shortly after the 802.1x authentication. Based on my configuration above, is this normal/correct behavior? If not, is there anything wrong with my configuration?

Thanks.

1 Rookie


January 30th, 2020 21:00

Hi,

I would like to know if it is possible to configure mab auth-type on an N3048 running firmware 6.2.6.6. I did a trace on the RADIUS packets from the switch to the RADIUS server, and I did not see a CHAP/PAP challenge.

Thanks

Moderator


January 31st, 2020 09:00

dot1x time-out guest-vlan-period: you may want to try increasing the timeout.
