ordovice
11 Posts
0
June 29th, 2015 12:00
Are there any guides for the NPS side? After changing to switchport mode general, my existing 802.1x working computers are working now, and my MAC test devices are now giving IAS_INVALID_AUTH_TYPE
Is there any documentation on the way the N2000 acts when it is being an 802.1x supplicant instead?
ordovice
11 Posts
0
June 29th, 2015 14:00
Yes, we have the MAC added, and I've gone ahead and set the password per the latest CLI documentation. It still is returning an IAS_INVALID_AUTH_TYPE when attempting to connect. It would be nice if there were some configuration guides for common RADIUS solutions such as Microsoft NPS. I'll have to repeat this for a 55XX switch as well later on.
ordovice
11 Posts
1
June 30th, 2015 05:00
So at this point I have to tombstone this part of the project because Dell can't keep up with standards throughout the industry. The N series sends the MAC as uppercase (and the password), while the 55XX line sends the MAC and password as lowercase (which is standard with most other vendors). Since we were forced into running both product lines and I don't have the financial resources to update all my switches, this means we can't use the MAC for authentication on these other devices.
ordovice
11 Posts
1
June 30th, 2015 11:00
For those who come here looking for closure, the Dell switches use MD5-Challenge for their authentication protocol with NPS. Unfortunately this isn't enabled on newer versions of NPS. You need to add it via the following Microsoft article:
https://support.microsoft.com/en-us/kb/922574/en-us
Once that is done, you can now use NPS for MAC authentication on your ports.
The N-Series sends MAC addresses as username and password in all CAPS.
The 55xx Powerconnect series sends MAC addresses as username and password in all lowercase.
For a 55xx, the following is the code I have:
dot1x system-auth-control
aaa authentication dot1x default radius
interface vlan 1724
dot1x guest-vlan
interface gigabitethernet1/0/1
dot1x host-mode multi-sessions
dot1x guest-vlan enable
dot1x max-req 3
dot1x reauthentication
dot1x mac-authentication mac-and-802.1x
dot1x radius-attributes vlan
dot1x port-control auto
switchport access vlan none
For a N-series, we used the following:
dot1x port-control force-authorized
dot1x system-auth-control
aaa authentication dot1x default radius
dot1x dynamic-vlan enable
authentication enable
interface Gi1/0/3
description "MAB Test"
switchport mode general
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout guest-vlan-period 5
dot1x max-req 3
dot1x unauth-vlan 1724
dot1x mac-auth-bypass
authentication order dot1x mab
authentication priority dot1x mab
exit
ordovice
11 Posts
0
June 30th, 2015 13:00
Is there any way to change the username/password sent by either an N2000 or Powerconnect 55xx when authenticating to a RADIUS server for MAC Authentication Bypass? Currently the N2000 sends the username and password as the uppercase version of the MAC Address, which is the opposite of pretty much every other standard, including the implementation on the Powerconnect 55xx. Since we have a mixed environment with both switches, it greatly impacts the ability to allow devices to "roam freely".
ordovice
11 Posts
0
July 1st, 2015 11:00
Would it be possible to get this submitted as a bug request, as this is not how the rest of the industry does this?
ordovice
11 Posts
0
July 8th, 2015 12:00
That would be great if it is in there.
Are they fixing the other RADIUS auth bugs as well?
ordovice
11 Posts
0
July 27th, 2015 11:00
Daniel,
Just wanted to check and see if anyone had maybe put a bug in your ear about when the firmware was going to come out. Additionally, is there any way to become a beta tester for this?
ordovice
11 Posts
0
September 16th, 2015 07:00
So the firmware has been released and as seems typical with Dell it introduces another bug making it a no-go in our environment, plus it doesn't appear to be sending the MAC address in the correct format even if the radius attribute 31 configuration is set.
How can I report these bugs to systems engineering?
Rodman_
3 Posts
0
October 16th, 2022 15:00
7 years and a couple of firmwares later I’m trying to introduce dot1x with dynamic VLAN assignment through NPS RADIUS to my environment and it’s not working.
Did you ever get it to work? Could you post a sanitized running-config please?
Pluzwo
3 Posts
0
November 29th, 2022 08:00
Using firmware update 6.6.x I was able to bend the request the way I wanted, something like:
(in global config mode)
mab request format attribute 1 groupsize 12 separator - lowercase
Worked for me.
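The uppercase/lowercase mismatch discussed in this thread, as an added example that is not part of any post or Dell's own code: a Python helper that classifies the User-Name a switch sent for MAB (group size, separator, case) and renders a MAC in a chosen format such as `groupsize 12 separator - lowercase`. The sample values are constructed, and accepting any group size that divides 12 is an assumption.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(value):
    """Strip '-', ':' and '.' separators; return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits

def render(mac, groupsize=12, separator="-", case="lower"):
    """Render a MAC as a switch would place it in User-Name (attribute 1)."""
    if groupsize <= 0 or 12 % groupsize:
        raise ValueError("groupsize must divide 12 (assumption)")
    digits = normalize_mac(mac)
    groups = [digits[i:i + groupsize] for i in range(0, 12, groupsize)]
    text = separator.join(groups)  # a single group of 12 gets no separator
    return text.upper() if case == "upper" else text

def classify(username):
    """Return (groupsize, separator, case) for an observed User-Name."""
    username = username.strip()
    normalize_mac(username)  # rejects anything that is not a MAC
    seps = set(re.findall(r"[-:.]", username))
    if len(seps) > 1:
        raise ValueError("mixed separators")
    sep = seps.pop() if seps else ""
    sizes = {len(g) for g in username.split(sep)} if sep else {12}
    if len(sizes) != 1:
        raise ValueError("uneven groups")
    letters = [c for c in username if c.isalpha()]
    if not letters:
        case = "none"  # all-digit MAC: case cannot be inferred
    elif all(c.isupper() for c in letters):
        case = "upper"
    elif all(c.islower() for c in letters):
        case = "lower"
    else:
        case = "mixed"
    return sizes.pop(), sep, case

def group_by_device(usernames):
    """Map each normalized MAC to the set of formats it was seen in."""
    seen = {}
    for name in usernames:
        seen.setdefault(normalize_mac(name), set()).add(classify(name))
    return seen

# Constructed sample User-Name values for one device seen on two switch families.
SAMPLE = ["0A1B2C3D4E5F", "0a1b2c3d4e5f"]
```

A MAC that `group_by_device` reports with more than one format is being presented differently by different switches, which is the condition that breaks a single username/password entry on the RADIUS side.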