Unsolved


6 Posts


May 5th, 2015 07:00

Define Radius service type

Hi

We are trying to configure PowerConnect switches as NADs (Network Access Devices) for Cisco ISE, i.e. using Cisco ISE as the RADIUS server. From a Wireshark capture, we can see that the PowerConnect switches send Attribute Value Pairs in the RADIUS protocol frame, like NAS-IP-Address, NAS-Port-Type and NAS-Port. They send no Attribute Value Pair with Service-Type. Cisco ISE expects the Service-Type value to be "framed" for dot1x or "lookup" for MAB.

Is there any way we can configure PowerConnect switches to send this information?

Regards

Kjetil

Moderator • 9.6K Posts • 42.2K Points

May 5th, 2015 12:00

Hi,

What model switches are you using? http://downloads.dell.com/Manuals/all-products/esuprt_ser_stor_net/esuprt_networking/esuprt_net_fxd_prt_swtchs/networking-n3000-series_Deployment%20Guide4_en-us.pdf Page 698: Service-Type is attribute 6. Use the radius server attribute command to add it.

6 Posts

May 6th, 2015 07:00

Hi Josh,

Thanks for your quick reply. We are using PowerConnect 5548P and 7048P. There are no other attributes than attribute 4, but even omitting the attribute and setting one attribute as a requirement to go through MAB authentication, it does not succeed because we get an error stating "Invalid or unexpected EAP payload received".

In our Wireshark TCP dump we can see "EAP message" with Identity: 20898424d6c9 (MAC)

and output from ISE:

  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP
  15048 Queried PIP
  15048 Queried PIP
  15004 Matched rule
  11507 Extracted EAP-Response/Identity
  12300 Prepared EAP-Request proposing PEAP with challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  11500 Invalid or unexpected EAP payload received
  11504 Prepared EAP-Failure
  11003 Returned RADIUS Access-Reject
  5434 Endpoint conducted several failed authentications of the same scenario

Is there a way to enable just plain-text MAB authentication on the switch, so that it sends username and password as the plain MAC address?

Best Regards,

Marek Pietrulewicz

5 Posts

May 6th, 2015 14:00

I know that command :-)

This does not help. I can see in the logs that ISE receives an authentication request for the device. There is the MAC address as a username, no password, Calling-Station-Id also as the MAC, but I can also see an EAP-Message within the packet, which ISE is complaining about.

AVP: l=19 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 0
Length: 17
Type: Identity (1)
Identity: 20898424d6c9  <----- MAC

We did not have any problem of that kind with Cisco switches, but I can see from the packet capture that there are other attributes that Cisco switches provide, and the EAP field is empty:

AVP: l=2 t=EAP-Key-Name(102):
EAP-Key-Name:

Any ideas?
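The two symptoms described in this thread (the first post: no Service-Type attribute in the Access-Request; this post: an EAP-Message Response/Identity carrying the MAC on what is otherwise a MAB request) can both be checked directly on the wire. The following is an added example, not code from the thread or from Dell or Cisco: a minimal RFC 2865 attribute walker with a diagnose() function that reports whether Service-Type is present and whether a MAC-as-username request also carries EAP-Message. The two packets are constructed here from the values the thread shows (MAC 20898424d6c9, switch address 10.49.0.37, port 26); the attribute numbers and Service-Type values (Framed = 2, Call-Check = 10, the value ISE's default MAB condition matches as "Call Check") are the standard RFC 2865 ones.

```python
"""Decode a RADIUS Access-Request and check the attributes a NAD sends for MAB.

Constructed example for the Dell PowerConnect / Cisco ISE thread: walks the
attribute list of an Access-Request and flags the two conditions discussed
there, a missing Service-Type and an EAP-Message riding on a MAB-shaped request.
"""
import struct

# Attribute type numbers from RFC 2865 (EAP-Message from RFC 3579).
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
CALLING_STATION_ID, NAS_PORT_TYPE, EAP_MESSAGE = 31, 61, 79
# Service-Type values: Framed = 2 (802.1X), Call-Check = 10 (MAB).
SERVICE_TYPE_NAMES = {2: "Framed", 10: "Call-Check"}
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(identifier: int, attrs: list) -> bytes:
    """Build an Access-Request (Code 1). The 16-byte Request Authenticator is
    zeroed because this example only exercises attribute parsing."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + bytes(16) + body


def parse_avps(packet: bytes):
    """Walk the attribute list; reject truncated or out-of-range AVPs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def eap_identity(eap: bytes):
    """Return the identity if the reassembled EAP-Message is a Response/Identity."""
    if len(eap) < 5:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY and eap_len == len(eap):
        return eap[5:].decode("ascii", errors="replace")
    return None


def normalize_mac(text: str) -> str:
    return text.lower().replace(":", "").replace("-", "").replace(".", "")


def diagnose(packet: bytes) -> dict:
    """Report Service-Type, any EAP identity, and the thread's two problem signs."""
    _code, _ident, attrs = parse_avps(packet)
    by_type = {}
    for attr_type, value in attrs:
        by_type.setdefault(attr_type, []).append(value)
    user = by_type.get(USER_NAME, [b""])[0].decode("ascii", errors="replace")
    caller = by_type.get(CALLING_STATION_ID, [b""])[0].decode("ascii", errors="replace")
    service_type = None
    if SERVICE_TYPE in by_type:
        raw = by_type[SERVICE_TYPE][0]
        service_type = SERVICE_TYPE_NAMES.get(struct.unpack("!I", raw)[0], "other") if len(raw) == 4 else "malformed"
    eap = b"".join(by_type.get(EAP_MESSAGE, []))  # fragments concatenate in order
    mab_shaped = bool(user) and normalize_mac(user) == normalize_mac(caller)
    findings = []
    if service_type is None:
        findings.append("no Service-Type: server cannot tell Framed (802.1X) from Call-Check (MAB)")
    if mab_shaped and eap:
        findings.append("MAB-shaped request carries EAP-Message: server will start an EAP exchange")
    return {"service_type": service_type, "eap_identity": eap_identity(eap) if eap else None,
            "mab_shaped": mab_shaped, "findings": findings}


MAC = "20898424d6c9"  # MAC from the thread's capture
NAS_IP = bytes([10, 49, 0, 37])  # switch address from the posted config
EAP_ID_RESPONSE = struct.pack("!BBHB", EAP_RESPONSE, 0, 5 + len(MAC), EAP_TYPE_IDENTITY) + MAC.encode()
COMMON = [avp(USER_NAME, MAC.encode()), avp(CALLING_STATION_ID, MAC.encode()), avp(NAS_IP_ADDRESS, NAS_IP),
          avp(NAS_PORT, struct.pack("!I", 26)), avp(NAS_PORT_TYPE, struct.pack("!I", 15))]  # 15 = Ethernet

# Constructed: what the thread's capture shows, no Service-Type, EAP-Message present (l=19).
SWITCH_REQUEST = access_request(1, COMMON + [avp(EAP_MESSAGE, EAP_ID_RESPONSE)])
# Constructed: a plain MAB request, Service-Type Call-Check and no EAP-Message.
MAB_REQUEST = access_request(2, COMMON + [avp(SERVICE_TYPE, struct.pack("!I", 10))])

if __name__ == "__main__":
    for name, pkt in (("switch", SWITCH_REQUEST), ("mab", MAB_REQUEST)):
        print(name, diagnose(pkt))
```

Run it against the two constructed packets and the first reports both findings while the second reports none; to use it on a real capture, feed parse_avps() the UDP payload of the Access-Request.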

5 Posts

May 8th, 2015 08:00

There it is. Would appreciate any help.

vlan database
vlan 40,50
exit
voice vlan oui-table add 000181 Nortel__________________
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 001049 Shoretel________________
voice vlan oui-table add 001b4f AVAYA_STST
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00907a Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
voice vlan id 40
dot1x system-auth-control
iscsi target port 860 address 0.0.0.0
iscsi target port 3260 address 0.0.0.0
iscsi target port 9876 address 0.0.0.0
iscsi target port 20002 address 0.0.0.0
iscsi target port 20003 address 0.0.0.0
iscsi target port 25555 address 0.0.0.0
hostname test-switch
radius-server host 10.32.202.71 key XXXXXXXX priority 1 usage dot1.x
aaa authentication dot1x default radius
username admin password encrypted 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 privilege 15
snmp-server community Dell_Network_Manager rw view DefaultSuper
!
interface vlan 1
ip address 10.49.0.37 255.255.254.0
!
interface vlan 40
name voice
!
interface vlan 50
name Guest
dot1x guest-vlan
!
interface gigabitethernet1/0/1
switchport mode trunk
switchport general allowed vlan add 1 untagged
!
!
interface gigabitethernet1/0/26
dot1x guest-vlan enable
dot1x reauthentication
dot1x mac-authentication mac-and-802.1x
dot1x port-control auto
spanning-tree portfast
switchport mode trunk
switchport trunk allowed vlan remove 40
voice vlan enable
!
!
ip route 0.0.0.0 0.0.0.0 10.49.1.251

5 Posts

May 8th, 2015 08:00

By the way, in the near future we want to implement an IP phone system in the company (don't be misled by the existing voice VLAN, it's only for testing there), and I can now see that the authentication modes on the switches are multi-host or multi-session. Our expectation is to have both devices authenticated independently on a single port and, in case of failed computer authentication, put the clients in the guest VLAN instead of the corporate VLAN. As for now, I can properly authenticate the phone with 802.1x, but only when I connect one device on the port, either phone or workstation. However, when connecting a PC behind the phone, once the phone successfully passes authentication, setting an incorrect password on the workstation connected to the phone results in it being authenticated as well. This is not what we want. I have worked with other switches with multi-domain port configuration, and this nicely separated voice and data VLANs on one single interface, as well as provided individual authentication for each client. How is this achieved with the Dell 5548P? Regards!

5 Posts

May 8th, 2015 17:00

Sure, I will do that tomorrow, but trunk is not the only type of port I tested MAB on. I have done that also on access / general ports, but will do that one more time. The trunk was for testing purposes of the voice VLAN on the port as per:

en.community.dell.com/.../configuring-dell-powerconnect-55xx-series-switch-voice-vlan

What about multi-domain authentication on the ports? Is this possible with the Dell 5548P to achieve what I described above?

Marek

5 Posts

May 9th, 2015 09:00

It is still the same issue. Changing between port types does not give any different result...

Regards,

Marek

4 Posts

March 27th, 2019 06:00

Hello Kfleten,

I'm facing a problem like yours:

Here I'm using a PCT 5548 with DOT1X and MAB authentication. Dot1x works without problems, but with MAB, when the device tries to authenticate I receive that error in ISE: "Invalid or unexpected EAP payload received"

How did you solve that?

4 Posts

April 1st, 2019 06:00

Solved,

In ISE, on the allowed protocols settings, I've chosen the preferred protocol as EAP-TLS. Dell switches use the flow MAB>DOT1X in authentication, and this flow we can't change, so the preferred protocol is EAP-TLS.
