Hello @lk2819,

Here you have the CLI guide for the N series: https://downloads.dell.com/manuals/all-products/esuprt_networking_int/esuprt_networking_switches_series/networking-n3000-series_cli-guide8_en-us.pdf

As you can see is the same for N2XXX than N3XXX. If this configuration is not possible in the N3048P and yes in the N2048P maybe somthing is missing.

What error do you have? Is simply not taking the command?

Regards.

Hi Diego,

The command is not recognized on any N3048P switch I have (screenshot is from N3048P with firmware version 6.5.4.18, currently the latest firmware available for this switch):

What command can I use on the N3048P to configure a simuliar outcome? 

Hello @lk2819,

 

I am trying to find the answer for your. I will answer back as soon as I have any recomendations.

 

Regards.

Dear Diego,

Did you manage to find an answer to my case? Currently the lack of this functionality holds up one of our internal projects.

 

Hope to hear from you soon, thanks!

Hello @lk2819

No so far.. All I can see is that "authentication event server dead action" is not being recogniced in the N3048P. Cli guide shows that syntax was added in version 6.6 firmware. However, newest version for N3000 series is 6.5.4.18. Not possible to further update.

I am still looking for an answer.

Regards.

Hello @lk2819

 

I escalated the case to networking engineer team, and they confirmed these commands are supported in 6.6.x version.

 

However, the latest firmware for N3048P is 6.5.4.18 so there is not a 6.6.x fw version for the N3048P and then this command is not supported on N3048P.

 

Sorry about this.

Regards.

Hi Diego,

 

Disappointing to hear the command isn't available and will (most likely) not be added since there is no 6.6.x firmware for this type of switch.

To verify; there is no other function / command to achieve the same goal on this switch / firmware? The only goal is to configure a sort of fallback vlan for when the radius server is not responding or offline (due to a technical issue, for instance). We must be able to configure this somehow, right? 

 

Hoping to hear from you or the network engineering team, thanks again. 

Hello @lk2819,

I've been asking the engineering team and trying to find it also by myself in the CLI guide ans I am sorry to say I didn't found any other way to failover to vlan in case radius server is not responding.

Regards.

Hello again @lk2819,

A colleague from Engineering team reached me regarding this case. Again, they confirm that N3048 doesn't have the authentication event fail action authorize vlan 40 command.

However, If you need to configure 802.1x for endpoints that connecting to our switch failed, you can try dot1x unauth-vlan vlanid command.

For more details, you can find this configuration in the N series guide .6.5 around page 377 (Authentication, Authorization and Accounting --> Configuring Additional 802.1x Interface settings).

Hope this helps.
Regards.

Hi Diego,

 

Thank you for the alternative option, however, my endpoint never gets in the unauthenticated VLAN. I've configured a fake radius server IP (which do not respond to radius packets / IP is offline). The connecting client times out and show as unauthenticated when issuing the command 'show dot1x authentication-history gigabitethernet 3/0/5' but does not get in to VLAN 40 (unauthenticated vlan id). Am I missing something in my port-configuration to get this to work? 

TESTSWITCH-N3048#show running-config interface gigabitethernet 3/0/5

description "NAC ENABLED"
spanning-tree portfast
switchport mode general
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout quiet-period 1
dot1x timeout tx-period 1
dot1x timeout guest-vlan-period 10
dot1x timeout server-timeout 10
dot1x max-req 3
dot1x unauth-vlan 40
dot1x max-reauth-req 3
mab
authentication order dot1x mab
authentication priority dot1x mab

 

Hello @lk2819,

No.. I think you are not missing anything else. Maybe this options is not good for what you need to configure.

Regards.

Hi Diego, 

 

We need this functionality in our environment to ensure maximum up-time, can you ask the engineering team to make sure this is the way to configure this?

 

Thank you in advance. 

Hello again @lk2819,

Ok, I have launched the question to the networkin engineering team. I hope to have an answer soon.

Regards.

Hello @lk2819

 

I have an answer from the team:

 

            The unauthenticated VLAN is used when authenticated failed with radius server for some reason (username/password mismatch, format error tec.), so need to communicate with radius server successfully. Customer may also try the guest VLAN when end device users that are unable to support 802.1X authentication, but this feature can’t be used with MAB at the same time.

 

Hope this helps.

 

Regards.