Supported Models:
- Dell N-Series switches with OS 6
- Dell N15xx
- Dell N20xx
- Dell N30xx
- Dell N40xx
Unsupported models:
- Dell X-Series: too few features
- Dell S and Z Series: currently the MAB feature is missing on OS10.
Configuration
Hint: To avoid unexpected disconnection or shutdown of ports, disable dot1x authentication on trunk ports before enabling dot1x. This applies to all ports, including those you use for remote access through protocols such as SSH; otherwise your session could be disconnected and you would be unable to reconnect.
For example, for a trunk port on Gi1/0/24:
interface Gi1/0/24
dot1x port-control force-authorized
Global Settings for dot1x
aaa accounting dot1x default start-stop radius
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable
mab request format attribute 1 groupsize 12 separator . lowercase
radius server auth RADIUS_IP_ADDRESS
name "xeoxradius"
key PRESHAREDKEY
exit
The line "dot1x dynamic-vlan enable" is required for dynamic VLAN assignment via XEOX. If you prefer static VLAN assignment at the switch/port level, remove this line.
Configuring the Ports
interface Gi1/0/1
dot1x port-control mac-based
dot1x reauthentication
dot1x unauth-vlan 50
mab
authentication order mab
authentication priority mab
The line "dot1x unauth-vlan 50" means that if authentication is rejected, the device is assigned to VLAN 50, e.g. a guest/Internet-only VLAN.
Full Example of a test Switch
testn3k#show run
!Current Configuration:
!Software Capability "Stack Limit = 8, VLAN Limit = 1024"
!Image File "N3000AdvLitev6.5.4.3"
!System Description "Dell EMC Networking N3024, 6.5.4.3, Linux 3.6.5-e3cd5a07, Not Available"
!System Software Version 6.5.4.3
!
configure
vlan 50,88
exit
vlan 50
name "unauth"
exit
hostname "testn3k"
slot 1/0 1 ! Dell EMC Networking N3024
sntp unicast client enable
sntp server "pool.ntp.org" priority 3
stack
member 1 1 ! N3024
exit
interface vlan 1
ip address 192.168.100.248 255.255.255.0
exit
ip default-gateway 192.168.100.254
aaa accounting dot1x default start-stop radius
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable
mab request format attribute 1 groupsize 12 separator . lowercase
radius server auth 192.168.123.124
name "xeoxradius"
key 7 "XXXXXX"
exit
ip ssh server
application install SupportAssist auto-restart start-on-boot
application install hiveagent start-on-boot
!
interface Gi1/0/1
spanning-tree portfast
switchport mode general
switchport general pvid 50
dot1x port-control mac-based
dot1x reauthentication
dot1x unauth-vlan 50
mab
authentication order mab
authentication priority mab
exit
!
interface Gi1/0/5
spanning-tree portfast
switchport mode general
switchport general pvid 50
dot1x port-control mac-based
dot1x reauthentication
dot1x unauth-vlan 50
mab
authentication order mab
authentication priority mab
exit
!
interface Gi1/0/24
switchport mode general
switchport general allowed vlan add 88 tagged
switchport general allowed vlan add 1 tagged
dot1x port-control force-authorized
exit
snmp-server engineid local 800xxxxb9796
exit
testn3k#
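Added example (not part of the original documentation or of XEOX): a Python check that reads saved "show run" output and reports where it deviates from the global and per-port settings listed above. The names parse, audit and SAMPLE are hypothetical, and treating any port with tagged VLANs as a trunk is an assumption of this sketch.

```python
import re

# Lines this page lists under "Global Settings for dot1x" and "Configuring the Ports".
REQUIRED_GLOBALS = [
    "aaa accounting dot1x default start-stop radius", "authentication enable",
    "dot1x system-auth-control", "aaa authentication dot1x default radius",
    "aaa authorization network default radius",
    "mab request format attribute 1 groupsize 12 separator . lowercase",
]
REQUIRED_MAB_PORT = ["dot1x reauthentication", "mab", "authentication order mab",
                     "authentication priority mab"]

def parse(config):
    """Split running-config text into (global lines, {interface name: lines})."""
    globals_, ports, current = [], {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface ((?:Gi|Te)\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line == "exit":
            current = None
        elif line and not line.startswith("!"):
            (globals_ if current is None else current).append(line)
    return globals_, ports

def audit(config):
    """Return sorted findings; an empty list means every check passed."""
    globals_, ports = parse(config)
    out = [f"global: missing '{g}'" for g in REQUIRED_GLOBALS if g not in globals_]
    for name, lines in ports.items():
        if "dot1x port-control mac-based" in lines:
            out += [f"{name}: missing '{r}'" for r in REQUIRED_MAB_PORT if r not in lines]
            if not any(l.startswith("dot1x unauth-vlan ") for l in lines):
                out.append(f"{name}: no unauth-vlan for rejected devices")
        elif (any(l.endswith(" tagged") for l in lines)  # assumption: tagged = trunk
              and "dot1x port-control force-authorized" not in lines):
            out.append(f"{name}: trunk port is not force-authorized")
    return sorted(out)

# Constructed sample: Gi1/0/2 is only partly configured, trunk Gi1/0/24 is not exempted.
SAMPLE = """interface Gi1/0/2
dot1x port-control mac-based
authentication order mab
exit
interface Gi1/0/24
switchport general allowed vlan add 88 tagged
exit"""

if __name__ == "__main__": print("\n".join(audit(SAMPLE)))
```

Run against the full test-switch configuration shown above, audit returns an empty list.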