April 13th, 2017 11:00
N3000: Radius VLAN assignment
Hi,
I've tried assigning a VLAN via Radius, and I don't want/need to do fully fledged EAP (802.1x) but only MAC-based auth/MAB.
One of the messages I got was:
Time Stamp..................................... Apr 13 2017 18:04:21
Result Age..................................... 0 days, 1 hours, 33 minutes, 9 seconds
Interface...................................... Gi1/0/1
MAC-Address.................................... 001E.330B.7554
VLAN Assigned.................................. 1
VLAN Assigned Reason........................... Default Assigned VLAN
Filter Name....................................
Auth Status.................................... Authorized
Reason......................................... Authentication Successful, VLAN Assignment Feature Not Present for a MAB Client.
I found out that the VLAN is correctly assigned ("Dot1x Radius Authentication Successful for a MAB Client") if I configure Radius to perform an EAP dialog.
Why would EAP be necessary in order to get VLAN assignment via Radius to work?
Radius returns all necessary items (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id), there is no need to add EAP for that.
Bye,
Jammac
PS. Here's my current config:
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius-server host 1.2.3.4
  key 123
  usage 802.1x
int range gi 1/0/1-46
  switchport mode general
  dot1x port-control mac-based
  dot1x reauthentication
  dot1x max-users 4
  dot1x mac-auth-bypass
  authentication order mab
  authentication priority mab
exit
DELL-Josh Cr
Moderator
April 13th, 2017 15:00
Hi,
What firmware version are you using? Are you using Windows as your RADIUS server? http://en.community.dell.com/techcenter/networking/w/wiki/11739.dell-networking-n-series-dot1x-mac-authentication-bypass
jammac
April 13th, 2017 15:00
It's N3000 v6.3.2.4 and Freeradius v3.
I didn't say it wasn't working. I was simply asking why it had to be this complicated.
The switch could simply send an Access-Request to the Radius Server which would reply with a response (Access-Accept) containing all the necessary attributes and that would be it.
That's what it does anyway, but the switch only accepts the VLAN (Tunnel-Private-Group-ID) once a successful EAP dialogue inside the Radius session has taken place too. Why?
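The reply described in the post above can be checked offline to see which case a captured Access-Accept falls into: the three tunnel attributes alone, or the same attributes together with an EAP-Message. This is an added example, not part of the original thread and not Dell or FreeRADIUS code; the function names, the sample packets and the VLAN ID 20 are constructed, and the all-zero authenticator is not validated.

```python
import struct

# RADIUS attribute types: RFC 2868 tunnel attributes, RFC 3579 EAP-Message
TUNNEL_TYPE, TUNNEL_MEDIUM, EAP_MESSAGE, TUNNEL_PGID = 64, 65, 79, 81

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def vlan_assignment(packet: bytes):
    """Summarise what a reply offers for dynamic VLAN assignment."""
    code, attrs = parse_attributes(packet)
    out = {"accept": code == 2, "tunnel_type": None, "medium": None,
           "vlan": None, "eap": False}
    for a_type, value in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(value) == 4:
            # One tag byte followed by a 3-byte integer
            key = "tunnel_type" if a_type == TUNNEL_TYPE else "medium"
            out[key] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PGID and value:
            # A first byte in 0x01-0x1F is a tag, not part of the string
            text = value[1:] if 1 <= value[0] <= 0x1F else value
            out["vlan"] = text.decode("ascii", "replace")
        elif a_type == EAP_MESSAGE:
            out["eap"] = True
    # Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802
    out["complete"] = (out["accept"] and out["tunnel_type"] == 13
                       and out["medium"] == 6 and out["vlan"] is not None)
    return out

def build(code, attrs):
    """Constructed sample packet; the all-zero authenticator is not valid."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: VLAN 20 without and with an EAP-Success (code 3)
TUNNEL = [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"20")]
PLAIN_ACCEPT = build(2, TUNNEL)
EAP_ACCEPT = build(2, TUNNEL + [(79, b"\x03\x01\x00\x04")])
```

Both samples report `complete` as true and differ only in the `eap` flag, which is the difference the post describes between the reply the switch ignores and the one it honours.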
DELL-Josh Cr
Moderator
April 14th, 2017 09:00
I will check with the engineering team.
DELL-Josh Cr
Moderator
April 19th, 2017 17:00
I was not able to get a reason for why it is like this.
jammac
April 20th, 2017 01:00
Too bad no one seems to know what's going on. Probably it's that way because Broadcom sell it that way, but that still is no explanation :)
Guess I'll try Professional Support on that and see how professional they are :)
md1x0n
June 22nd, 2018 10:00
Were you able to force the EAP message inside RADIUS so that the switch would accept VLAN assignment with MAB?
We've been struggling with this same problem.