1 Rookie
11 Posts
0
32158
September 8th, 2010 07:00
PC6248 - Radius Server and "vlan association mac" ?
Dear All,
We are redesigning our network, and need to configure VLANs dynamically according to the MAC addresses of the attached device.
A static table on each switch is not an option, as our network has 120 switches and 2500 devices.
We have some Brocade switches which will talk to a Radius Server, and set the VLAN dynamically with this config:
radius-server host 10.1.1.55 auth-port 1812 acct-port 1646 default
radius-server key 0 PASSWORD
interface ethernet 1/1/4
mac-authentication enable
mac-authentication enable-dynamic-vlan
etc... by port
The freeradius2 users file contains entries of this type:
# testpc1 gets vlan 4001, MAC is 00:25:64:f3:17:b2
002564f317b2 Cleartext-Password := "002564f317b2"
Service-Type = Framed-User,
Framed-MTU = 1514,
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-ID = "U:4001",
Is it possible to do anything similar with a PowerConnect 6248 running 3.2.0.7 code?
many thanks !
Jake
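The users-file entry above is one device; with 2500 of them the entries should be generated from an inventory rather than typed, and the MAC has to be normalised first because asset lists and switches spell it differently (the 6248 later in this thread reports 0025.64F3.17B2, the entry above uses 002564f317b2). The following is an added example, not code from the original post or from FreeRADIUS; the inventory is constructed, the attribute values mirror the testpc1 entry, and the duplicate-MAC check is this example's own.

```python
"""Build FreeRADIUS 'users' entries for MAC-based VLAN assignment.

Added example, not from the original post: it turns a device inventory
into the per-MAC entries shown in the thread, so 2500 devices do not have
to be typed by hand. The attribute values mirror the post's entry for
testpc1; the inventory below is constructed.
"""
import re

# Constructed inventory: (MAC as it appears in an asset list, VLAN id, label).
# Switches and asset tools spell MACs differently (the 6248 shows
# 0025.64F3.17B2, the post's entry uses 002564f317b2), so every form is
# normalised before it becomes a username.
INVENTORY = [
    ("00:25:64:f3:17:b2", 4001, "testpc1"),          # from the thread
    ("001B.212B.BC86", 4005, "printer-1 (dotted)"),   # hypothetical device
    ("0025-64F3-17B3", 10, "linux-box-1 (dashed)"),   # hypothetical device
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits with no separators.

    Raises ValueError for anything that is not a 48-bit MAC, so a typo in
    the inventory fails at generation time instead of silently never matching.
    """
    bare = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.match(bare):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bare


def users_entry(mac: str, vlan: int, label: str = "") -> str:
    """Render one users-file entry in the shape used in the thread.

    With MAC authentication the switch sends the MAC as both username and
    password, so the Cleartext-Password is the MAC itself. Tunnel-Type 13
    is VLAN and Tunnel-Medium-Type 6 is IEEE-802 (RFC 2868); the "U:"
    prefix (untagged) is kept from the post's Brocade example. The last
    reply item carries no trailing comma.
    """
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan}")
    key = normalize_mac(mac)
    lines = [f"# {label} gets vlan {vlan}, MAC is {mac}"] if label else []
    lines += [
        f'{key}\tCleartext-Password := "{key}"',
        "\tService-Type = Framed-User,",
        "\tFramed-MTU = 1514,",
        "\tTunnel-Type = 13,",
        "\tTunnel-Medium-Type = 6,",
        f'\tTunnel-Private-Group-ID = "U:{vlan}"',
    ]
    return "\n".join(lines) + "\n"


def build_users_file(inventory) -> str:
    """Render the whole inventory, refusing duplicate MACs.

    Two entries for one MAC would let whichever comes first in the file win
    silently, which is exactly the mistake that lands a device in the wrong
    VLAN; treat it as an error instead.
    """
    seen = {}
    chunks = []
    for mac, vlan, label in inventory:
        key = normalize_mac(mac)
        if key in seen:
            raise ValueError(f"duplicate MAC {key}: {seen[key]!r} and {label!r}")
        seen[key] = label
        chunks.append(users_entry(mac, vlan, label))
    return "\n".join(chunks)


if __name__ == "__main__":
    print(build_users_file(INVENTORY), end="")
```

Run it and redirect the output to the FreeRADIUS users file (or an included file). Because the username is the normalised MAC, the same normalisation must be applied to whatever form the switch actually sends; if the switch sends a dotted or uppercase form, that is a FreeRADIUS rewrite-policy concern, not something the users file can fix.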


bh1633
909 Posts
0
September 8th, 2010 13:00
Look at the configuration guide chapter "802.1X Authentication and VLANs".
The configuration guide is here:
http://support.dell.com/support/edocs/network/pc62xx/en/Config/config.zip
jakemrc
1 Rookie
11 Posts
0
September 9th, 2010 02:00
Hi BH,
Many thanks for the heads-up :)
I'd read the earlier chapter on VLANs, and should have continued onwards...
I'll post back here to report how we get on.
best wishes
Jake
jakemrc
1 Rookie
11 Posts
0
September 9th, 2010 10:00
Dear All,
A few steps further forward, but I'm still not there.
The 6248 switch happily authenticates a telnet login via our radius server, but the MAC>VLAN does not work.
Looking at the logs, I cannot see the switch contacting the radius server when we plug a device into a port.
I'd really appreciate it if someone could look through my config and see if they can spot my stupid mistakes...
Port status with a PC plugged in:
fm-switch4#show dot1x ethernet 1/g46
Administrative Mode............... Enabled
Port Admin Oper Reauth Reauth
Mode Mode Control Period
------- ------------------ ------------ -------- ----------
1/g46 mac-based Unauthorized FALSE 3600
Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests............................... 2
Max Users...................................... 16
Supplicant Timeout............................. 30
Guest-vlan Timeout............................. 90
Server Timeout (secs).......................... 30
MAB mode (configured).......................... Disabled
MAB mode (operational)......................... Disabled
Logical Supplicant AuthPAE Backend VLAN Username Filter
Port MAC-Address State State Id Id
------- ----------------- ------------ ----------- ----- -------- --------
720 001B.212B.BC86 Connecting Idle 1
Current config on the switch:
!Current Configuration:
!System Description "Powerconnect 6248, 3.2.0.7, VxWorks 6.5"
!System Software Version 3.2.0.7
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 10,4001,4005
exit
snmp-server contact "XXXXXXXXXXX"
hostname "fm-switch4"
sntp unicast client enable
sntp server 10.1.0.13
sntp server 10.1.0.29
stack
member 1 2
exit
ip address dhcp
ip domain-name lmb.internal
logging console debug
logging file debug
logging buffered debug
username "admin" password XXXXXXXXXXXXXXX level 15 encrypted
aaa authentication login "radiusList" radius local
ip http authentication local
ip https authentication local
dot1x system-auth-control
aaa authentication dot1x default radius
radius-server host auth 10.1.1.55
name "Default-RADIUS-Server"
priority 1
key "testing123"
exit
radius-server host auth 10.1.0.29
name "Default-RADIUS-Server"
priority 50
key "testing123"
exit
line telnet
login authentication radiusList
exit
line ssh
login authentication radiusList
exit
!
interface ethernet 1/g1
dot1x port-control force-authorized
exit
!
interface ethernet 1/g46
dot1x port-control mac-based
exit
!
interface ethernet 1/g48
switchport mode general
dot1x port-control mac-based
dot1x max-users 3
exit
snmp-server community public rw
exit
Many thanks for reading the above, all thoughts greatly received.
Jake
bh1633
909 Posts
0
September 9th, 2010 13:00
The port must be in general mode in order to enable MAC-based 802.1X authentication.
jakemrc
1 Rookie
11 Posts
0
September 10th, 2010 04:00
Hi BH,
Many thanks for your reply. I've changed the config as you suggested, and added the general mode to port46 as follows:
!
interface ethernet 1/g46
switchport mode general
dot1x port-control mac-based
exit
!
Unfortunately this does not fix the problem: when I connect a PC and attempt to bring up its NIC, the Radius server's log does not show the switch attempting to contact it. :(
Port status at this point on the 6248 is:
fm-switch4#show dot1x ethernet 1/g46
Administrative Mode............... Enabled
Port Admin Oper Reauth Reauth
Mode Mode Control Period
------- ------------------ ------------ -------- ----------
1/g46 mac-based Unauthorized FALSE 3600
Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests............................... 2
Max Users...................................... 16
Supplicant Timeout............................. 30
Guest-vlan Timeout............................. 90
Server Timeout (secs).......................... 30
MAB mode (configured).......................... Disabled
MAB mode (operational)......................... Disabled
Logical Supplicant AuthPAE Backend VLAN Username Filter
Port MAC-Address State State Id Id
------- ----------------- ------------ ----------- ----- -------- --------
720 0025.64F3.17B2 Connecting Idle 1
The radius server will authenticate a telnet session on the Dell, so I don't think it's a communication issue.
Can you see any further errors in my setup on the 6248?
ip address dhcp
ip domain-name lmb.internal
logging console debug
logging file debug
logging buffered debug
username "admin" password xxxxxxx level 15 encrypted
aaa authentication login "radiusList" radius local
ip http authentication none local
ip https authentication local none
dot1x system-auth-control
aaa authentication dot1x default radius
radius-server host auth 10.1.1.55
name "Default-RADIUS-Server"
priority 1
key "testing123"
exit
radius-server host auth 10.1.0.29
name "Default-RADIUS-Server"
priority 50
key "testing123"
exit
line telnet
login authentication radiusList
exit
line ssh
login authentication radiusList
exit
!
interface ethernet 1/g1
dot1x port-control force-authorized
exit
!
etc....
Many thanks for reading...!
Jake
bh1633
909 Posts
0
September 13th, 2010 10:00
Try putting the port in portfast.
interface ethernet 1/g46
spanning-tree portfast <<<<<<<<<<<<<<<<
switchport mode general
dot1x port-control mac-based
exit
Post the output of the following if you still have problems.
show dot1x
show dot1x clients all
show dot1x statistics ethernet
jakemrc
1 Rookie
11 Posts
0
September 14th, 2010 04:00
Dear BH,
Firstly, many thanks for your patience.
I have tried your suggestion, but still have problems. The complete running config is at the bottom of this post.
Radius authentication of a telnet session works, it's just the dot1x side that seems broken.
console#show dot1x
Administrative Mode............... Enabled
Port Admin Oper Reauth Reauth
Mode Mode Control Period
------- ------------------ ------------ -------- ----------
1/g1 force-authorized Authorized FALSE 3600
1/g2 auto N/A FALSE 3600
1/g3 auto N/A FALSE 3600
1/g4 auto N/A FALSE 3600
1/g5 auto N/A FALSE 3600
1/g6 auto N/A FALSE 3600
1/g7 auto N/A FALSE 3600
1/g8 auto N/A FALSE 3600
1/g9 auto N/A FALSE 3600
1/g10 auto N/A FALSE 3600
1/g11 auto N/A FALSE 3600
1/g12 auto N/A FALSE 3600
1/g13 auto N/A FALSE 3600
1/g14 auto N/A FALSE 3600
1/g15 auto N/A FALSE 3600
1/g16 auto N/A FALSE 3600
1/g17 auto N/A FALSE 3600
1/g18 auto N/A FALSE 3600
1/g19 auto N/A FALSE 3600
1/g20 auto N/A FALSE 3600
1/g21 auto N/A FALSE 3600
1/g22 auto N/A FALSE 3600
1/g23 auto N/A FALSE 3600
1/g24 auto N/A FALSE 3600
1/g25 auto N/A FALSE 3600
1/g26 auto N/A FALSE 3600
1/g27 auto N/A FALSE 3600
1/g28 auto N/A FALSE 3600
1/g29 auto N/A FALSE 3600
1/g30 auto N/A FALSE 3600
1/g31 auto N/A FALSE 3600
1/g32 auto N/A FALSE 3600
1/g33 auto N/A FALSE 3600
1/g34 auto N/A FALSE 3600
1/g35 auto N/A FALSE 3600
1/g36 auto N/A FALSE 3600
1/g37 auto N/A FALSE 3600
1/g38 auto N/A FALSE 3600
1/g39 auto N/A FALSE 3600
1/g40 auto N/A FALSE 3600
1/g41 auto N/A FALSE 3600
1/g42 auto N/A FALSE 3600
1/g43 auto N/A FALSE 3600
1/g44 auto N/A FALSE 3600
1/g45 auto N/A FALSE 3600
1/g46 auto Unauthorized FALSE 3600
1/g47 auto N/A FALSE 3600
1/g48 mac-based Unauthorized FALSE 3600
1/xg1 auto N/A FALSE 3600
1/xg2 auto N/A FALSE 3600
1/xg3 auto N/A FALSE 3600
1/xg4 auto N/A FALSE 3600
console#show dot1x clients all
(blank reply)
console#show dot1x ethernet 1/g48
Administrative Mode............... Enabled
Port Admin Oper Reauth Reauth
Mode Mode Control Period
------- ------------------ ------------ -------- ----------
1/g48 mac-based Unauthorized FALSE 3600
Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests............................... 2
Max Users...................................... 16
Supplicant Timeout............................. 30
Guest-vlan Timeout............................. 90
Server Timeout (secs).......................... 30
MAB mode (configured).......................... Disabled
MAB mode (operational)......................... Disabled
Logical Supplicant AuthPAE Backend VLAN Username Filter
Port MAC-Address State State Id Id
------- ----------------- ------------ ----------- ----- -------- --------
752 001B.212B.BC86 Connecting Idle 1
Running Config (Switch reset to defaults, and minimal entries created):
console#show running-config
!Current Configuration:
!System Description "Powerconnect 6248, 3.2.0.7, VxWorks 6.5"
!System Software Version 3.2.0.7
!Cut-through mode is configured as disabled
!
configure
stack
member 1 2
exit
ip address dhcp
username "admin" password XXXXXXXXXXXXXXXX level 15 encrypted
aaa authentication login "radiusList" radius
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius-server key "testing123"
radius-server host auth 10.1.1.55
name "Default-RADIUS-Server"
exit
line telnet
login authentication radiusList
exit
!
interface ethernet 1/g1
dot1x port-control force-authorized
exit
!
interface ethernet 1/g48
spanning-tree portfast
switchport mode general
dot1x port-control mac-based
exit
snmp-server community public rw
exit
Would it be possible for you to email me a running config that I can try loading onto the switch?
Again, many thanks for your time.
Jake
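The "show dot1x ethernet" output in the posts above already contains the diagnostic clue that the thread's last reply confirms: the port is mac-based, "MAB mode (operational)" is Disabled, and the supplicant-less client sits in the Connecting state while the RADIUS log stays empty. The following is an added example, not code from the thread or from Dell: a small parser over that output format that reports the condition, so the check can be run across many ports instead of read by eye. The sample is the post's own 1/g46 output; the finding codes and messages are this example's.

```python
"""Parse 'show dot1x ethernet <port>' output and flag why a MAC-based port
never reaches the RADIUS server.

Added example, not from the thread or Dell: a parser over the output
format shown in the posts, used to spot the MAB state that the thread's
last reply identifies as the missing piece. SAMPLE is the post's own
output for 1/g46; the finding codes are this example's.
"""
import re
from dataclasses import dataclass

# Copied from the thread's 'show dot1x ethernet 1/g46' output.
SAMPLE = """\
fm-switch4#show dot1x ethernet 1/g46
Administrative Mode............... Enabled
Port Admin Oper Reauth Reauth
Mode Mode Control Period
------- ------------------ ------------ -------- ----------
1/g46 mac-based Unauthorized FALSE 3600
Quiet Period................................... 60
Transmit Period................................ 30
Maximum Requests............................... 2
Max Users...................................... 16
Supplicant Timeout............................. 30
Guest-vlan Timeout............................. 90
Server Timeout (secs).......................... 30
MAB mode (configured).......................... Disabled
MAB mode (operational)......................... Disabled
Logical Supplicant AuthPAE Backend VLAN Username Filter
Port MAC-Address State State Id Id
------- ----------------- ------------ ----------- ----- -------- --------
720 0025.64F3.17B2 Connecting Idle 1
"""

# 'Key......... Value' settings lines; the key must start with a letter so
# client rows (which begin with a number and contain single dots) are skipped.
_SETTING = re.compile(r"^([A-Za-z][^.\n]*?)\.{2,}\s*(\S.*?)\s*$", re.M)
# Per-port row: name, admin mode, oper mode, reauth control, reauth period.
_PORT = re.compile(
    r"^(\d+/\S+)\s+(force-authorized|force-unauthorized|auto|mac-based)"
    r"\s+(\S+)\s+(TRUE|FALSE)\s+(\d+)\s*$", re.M)
# Client row: logical port, dotted MAC, AuthPAE state, backend state, VLAN id.
_CLIENT = re.compile(
    r"^(\d+)\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"
    r"\s+(\S+)\s+(\S+)\s+(\d+)", re.M)


@dataclass
class Port:
    name: str
    admin_mode: str
    oper_mode: str


@dataclass
class Client:
    logical_port: str
    mac: str
    authpae_state: str
    backend_state: str
    vlan: int


def parse_settings(text):
    """Dotted 'Key......... Value' lines -> {key: value}."""
    return {k.strip(): v for k, v in _SETTING.findall(text)}


def parse_ports(text):
    return [Port(m[0], m[1], m[2]) for m in _PORT.findall(text)]


def parse_clients(text):
    return [Client(m[0], m[1], m[2], m[3], int(m[4])) for m in _CLIENT.findall(text)]


def diagnose(text):
    """Return (code, message) findings for one port's 'show dot1x' output."""
    settings = parse_settings(text)
    findings = []
    if settings.get("Administrative Mode") != "Enabled":
        findings.append(("DOT1X_GLOBAL_OFF",
                         "802.1X is not enabled globally (dot1x system-auth-control)"))
    mab = settings.get("MAB mode (operational)", "Disabled")
    stuck = [c.mac for c in parse_clients(text) if c.authpae_state == "Connecting"]
    for port in parse_ports(text):
        if port.admin_mode == "mac-based" and mab != "Enabled":
            findings.append(("MAB_DISABLED",
                f"{port.name}: mac-based port with MAB disabled; clients without a "
                f"supplicant {stuck or '(none seen)'} stay in Connecting and RADIUS "
                f"is never asked. Enable MAB (dot1x mac-auth-bypass) on the port."))
        if port.oper_mode == "Unauthorized":
            findings.append(("PORT_UNAUTHORIZED",
                             f"{port.name}: no client has been authorised on this port"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(SAMPLE):
        print(f"{code}: {msg}")
```

Feed it the saved output of the command for each port (one capture per call); a port that reports MAB_DISABLED together with a client in Connecting is the pattern seen throughout this thread, and the RADIUS log will stay silent for it regardless of what the users file contains.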
bh1633
909 Posts
0
September 16th, 2010 09:00
Your switch looks configured correctly. What about your clients? Are they configured for 802.1x authentication using PEAP?
bh1633
909 Posts
0
September 16th, 2010 16:00
A colleague of mine who is an expert in this area wanted to respond to this post but got locked out of the forum. Here is his response:
Hey Jake,
So, after verifying that you indeed have PEAP enabled on your clients, if you still are having problems, take a look at the following configuration file. I just downloaded version 3.2.0.7 and verified that my clients are authenticating correctly. Here is my config (where port 1/g7 is the client port):
!Current Configuration:
!System Description "Powerconnect 6248P, 3.2.0.7, VxWorks 6.5"
!System Software Version 3.2.0.7
!Cut-through mode is configured as disabled
!
configure
vlan database
vlan 2-4,10,20,30,40,50,60,70,80,90,100,4001
exit
hostname "Kinnick6248"
stack
member 1 5
exit
switch 1 priority 1
ip address 99.99.99.111 255.255.255.0
ip domain-name contoso.com
ip name-server 99.99.99.1
interface vlan 2
name "NONCOMPLIANT_VLAN"
exit
interface vlan 3
name "COMPLIANT_VLAN"
exit
interface vlan 4
name "NORMAL_DOT1X_NO_NAP"
exit
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius-server key "secret"
radius-server host auth 99.99.99.2
name "Default-RADIUS-Server"
exit
!
interface ethernet 1/g1
dot1x port-control force-authorized
exit
!
interface ethernet 1/g7
switchport mode general
switchport general pvid 3
dot1x port-control mac-based
dot1x max-req 3
exit
!
interface ethernet 1/g13
dot1x port-control force-authorized
exit
!
Andy
jakemrc
1 Rookie
11 Posts
0
September 17th, 2010 10:00
Dear Andy / BH,
Again, many thanks for trying to help :emotion-2:
I think there is some slight confusion here, perhaps I've been unclear.
I'm trying to avoid running an 802.1x authentication program on the client, so I'd like the switch to pick up the device's MAC address and forward this to the radius server, i.e. our clients don't have 802.1x supplicant ability. The end result should be that we plug a dumb Printer / Linux Box in, and the switch asks radius which VLAN the client should be put into. I know it's not "secure" but it will enable us to assign 802.1x-ignorant machines to VLANs fairly easily.
The appropriate port config on a Brocade switch is this:
interface ethernet 1/1/4
mac-authentication enable
mac-authentication enable-dynamic-vlan
Should we instead be using "dot1x mac-auth-bypass"?
If so, should the following be all that is needed?
!
interface ethernet 1/g7
switchport mode general
switchport general pvid 3
dot1x port-control mac-based
dot1x mac-auth-bypass
exit
Incidentally, I did try using 802.1x on a Windows Vista client connected to the PC6248 using your config, and this successfully authenticated when we typed in the client's MAC address as username and password, so it appears that the Radius server is working OK.
Again, thanks for your help!
best wishes
Jake
bh1633
909 Posts
0
September 17th, 2010 15:00
Yes you have to use MAB for this. The configuration guide has an example configuration.