Dell Switch N Series Dot1x MAC Authentication Bypass

Dot1x controls allow a network admin to apply role-based policies across the network, along with other features. In this document I'm going to show a MAC authentication bypass (MAB) setup for a Dell N-series switch, along with the server back-end configuration needed to authenticate a device into a different VLAN.

Part 1. Configure the Dell N-series for RADIUS at the CLI

1. Allow the switch to perform authentication:

console(config)# authentication enable

2. Enable port-based dot1x authentication globally; once this is on, no traffic passes on a port until the port is authorized. (ATTENTION!!! If you are configuring remotely, first force the uplink port into an authorized state as in step 6, otherwise you will lose access to the switch after this command):

dot1x system-auth-control

3. Tell the switch to use the configured RADIUS server for dot1x attempts:

aaa authentication dot1x default radius

4. Let the RADIUS server supply VLAN assignments based on its dot1x rules:

aaa authorization network default radius 

5. Configure the RADIUS server host. The name, usage and key lines apply to that host entry; the key must match the shared secret you later enter on the RADIUS server:

radius-server host auth <SERVERIP>
 name "Default-RADIUS-Server"
 usage 802.1x
 key "<SERVERKEY>"

6. Configure the uplink port and force it into an authorized state, so dot1x never blocks the path you manage the switch over (these are two separate commands):

int gi1/0/48
 switchport mode trunk
 dot1x port-control force-authorized

7. Host-facing port configuration:

int gi1/0/36
 dot1x port-control mac-based
 dot1x reauthentication
 dot1x mac-auth-bypass
 authentication order mab

If you need the RADIUS server to assign a VLAN, the port must be in general mode:

 switchport mode general

From this stage the switch will authenticate each device using its MAC address as both the username and the password, with the EAP-MD5 (MD5-Challenge) EAP type. Keep in mind what this proves: only that a frame arrived with a given source MAC. The MAC is sent in clear and is trivially cloned, so MAB is a convenience for devices that cannot run an 802.1X supplicant (printers, phones, badge readers), not strong authentication.

Part 2. Installing and configuring the RADIUS server (NPS) on Windows Server 2008 R2 / 2012 R2

As a best practice, use a dedicated server to handle device authentication.

1. Install the Network Policy and Access Services Windows Server role.

2. In the NPS console, expand RADIUS Clients and Servers, right-click RADIUS Clients and choose New.

3. Friendly name: whatever you like, probably the switch series name. Address: the IP address or DNS name of the switch (to cover a group of switches, enter the network in address/mask form). Select Manual for the shared secret and type in your <SHARED_SECRET>; this is the same key you entered on the switch CLI in Part 1, step 5. On the Advanced tab leave the vendor name at "RADIUS Standard"; there is no "Dell" entry and that is fine. Click OK.

4. Create a new NPS network policy.

Right-click Policies -> Network Policies and click New. Give your policy a useful name and click Next.

Add a condition: our condition is User Groups. Click Add and pick the group from Active Directory. Only members of this group will be authorized.

The Constraints tab is where you choose which authentication methods are allowed; a request that does not meet them is denied. The switch uses the EAP-MD5 (MD5-Challenge) authentication type, but Microsoft removed EAP-MD5 from the built-in EAP types starting with Windows Server 2008. To re-enable it you have to perform a registry edit. This is REQUIRED: otherwise the EAP type will not negotiate, the exchange fails, and no authentication occurs. Save the following as a .reg file and import it on the NPS server; afterwards MD5-Challenge can be added as an EAP type under Authentication Methods:

Windows Registry Editor Version 5.00

; Re-registers EAP type 4 (MD5-Challenge) for NPS.
; "Path" is REG_EXPAND_SZ; the bytes decode to %SystemRoot%\System32\Raschap.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4]
"RolesSupported"=dword:0000000a
"FriendlyName"="MD5-Challenge"
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,00,\
  61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00
"InvokeUsernameDialog"=dword:00000001
"InvokePasswordDialog"=dword:00000001

When the values are set, restart the Network Policy Server service (service name IAS).
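The same registry change done from an elevated PowerShell prompt, with a read-back check before the service restart. This is an added example, not from the original article; the values mirror the .reg file above and the service name IAS is the real name of the Network Policy Server service.

```powershell
# Added example: re-enable EAP-MD5 (EAP type 4) for NPS with PowerShell
# instead of importing the .reg file, then restart NPS. Run elevated on the NPS server.
$eapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4'

if (-not (Test-Path $eapKey)) {
    New-Item -Path $eapKey -Force | Out-Null
}

# Same values as the .reg file above
New-ItemProperty -Path $eapKey -Name 'RolesSupported'       -PropertyType DWord        -Value 0x0000000a -Force | Out-Null
New-ItemProperty -Path $eapKey -Name 'FriendlyName'         -PropertyType String       -Value 'MD5-Challenge' -Force | Out-Null
# hex(2) in a .reg file is REG_EXPAND_SZ (ExpandString); the bytes decode to this path
New-ItemProperty -Path $eapKey -Name 'Path'                 -PropertyType ExpandString -Value '%SystemRoot%\System32\Raschap.dll' -Force | Out-Null
New-ItemProperty -Path $eapKey -Name 'InvokeUsernameDialog' -PropertyType DWord        -Value 1 -Force | Out-Null
New-ItemProperty -Path $eapKey -Name 'InvokePasswordDialog' -PropertyType DWord        -Value 1 -Force | Out-Null

# Read the values back and refuse to continue if they did not land
$v = Get-ItemProperty -Path $eapKey
if ($v.FriendlyName -ne 'MD5-Challenge' -or $v.RolesSupported -ne 0xA -or
    $v.Path -ne '%SystemRoot%\System32\Raschap.dll') {
    throw "EAP type 4 registry values were not written as expected"
}

# NPS only reads the EAP type list at start-up, so restart it
Restart-Service -Name IAS -Force
Get-Service -Name IAS | Select-Object Status, DisplayName
```

After the restart, open the network policy again: MD5-Challenge should now be offered in the EAP types list under Constraints -> Authentication Methods.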

The last tab is Settings, where you define the RADIUS attributes sent back to the switch. In our case we move anyone who authenticates into VLAN 20 and allow access. The standard attributes for a VLAN assignment (RFC 3580) are Tunnel-Type = VLAN, Tunnel-Medium-Type = 802 and Tunnel-Private-Group-ID = 20 (the VLAN ID as a string); these are what the switch reads when the port is in general mode.

5. Create users and add them to the group.

The user name must be the device MAC address in upper case with no separators, e.g. 1234567890AB. Set the password to the same value (1234567890AB) and do not forget to tick "Store password using reversible encryption": EAP-MD5 needs the clear-text password on the server to verify the challenge response, so without this option the account can never authenticate. Add the user to the group used in the network policy and the PC is ready to authenticate.
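Doing step 5 by hand for every printer and phone gets tedious and error-prone (a lower-case or colon-separated MAC silently never matches). The following added example, which is not part of the original article, provisions the accounts from a list of MACs in any common notation. It assumes the ActiveDirectory module (RSAT) on the box you run it from; the OU path and group name are placeholders you must replace with your own, and the device list is constructed sample data.

```powershell
# Added example: bulk-create MAB accounts in the form NPS expects
# (username = password = MAC, 12 upper-case hex digits, reversible password storage).
Import-Module ActiveDirectory

$mabOU    = 'OU=MAB Devices,DC=example,DC=local'   # assumption: a dedicated OU for these accounts
$mabGroup = 'MAB-Authorised-Devices'               # assumption: the group used in the NPS policy condition

# Accept 12:34:56:78:90:ab, 12-34-56-78-90-AB or 1234.5678.90ab and return 1234567890AB
function ConvertTo-MabUsername {
    param([Parameter(Mandatory)][string]$Mac)
    $clean = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 12) { throw "Not a MAC address: '$Mac'" }
    return $clean
}

# Constructed sample input in three different notations
$devices = @(
    @{ Mac = '12:34:56:78:90:ab'; Desc = 'Printer, floor 2' }
    @{ Mac = '00-1A-2B-3C-4D-5E'; Desc = 'IP phone, reception' }
    @{ Mac = 'aabb.ccdd.eeff';    Desc = 'Badge reader, loading dock' }
)

foreach ($d in $devices) {
    $name = ConvertTo-MabUsername $d.Mac

    if (Get-ADUser -Filter "SamAccountName -eq '$name'") {
        Write-Host "Skipping $name (already exists)"
        continue
    }

    # Password equals the username; EAP-MD5 requires it to be stored reversibly.
    $pw = ConvertTo-SecureString $name -AsPlainText -Force
    New-ADUser -Name $name -SamAccountName $name -Path $mabOU -Description $d.Desc `
        -AccountPassword $pw -Enabled $true `
        -AllowReversiblePasswordEncryption $true `
        -PasswordNeverExpires $true -CannotChangePassword $true

    Add-ADGroupMember -Identity $mabGroup -Members $name
    Write-Host "Created $name and added it to $mabGroup"
}
```

Treat these accounts as public credentials: the "password" is a MAC address that is visible to anyone on the same segment, and reversible storage means the DC holds it in recoverable form. Keep them in their own OU, in no group other than the MAB group, and make sure that group grants nothing beyond the VLAN assignment (no interactive logon, no file or VPN access).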

Part 3. Troubleshooting

On the switch, check the port's dot1x state and the authentication counters:

show dot1x interface <interface>
show authentication statistics <interface>
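When the switch shows failures, the other half of the picture is on the NPS server, which logs every decision to the Security event log (event 6272 = access granted, 6273 = access denied, with the reason in the message text). This added example, not from the original article, pulls the recent decisions for one device; the MAC in `$mac` is a placeholder for the account name the switch sent.

```powershell
# Added example: read NPS decisions for one MAB account from the Security log.
$mac = '1234567890AB'   # placeholder: the username the switch sent (MAC, upper-case, no separators)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 500 |
    Where-Object { $_.Message -match $mac } |
    ForEach-Object {
        # 6273 messages carry "Reason Code:" and "Reason:" lines naming the failed check
        # (wrong EAP type, no matching policy, bad password, ...)
        $reason = ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Reason( Code)?:' }) -join ' '
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Result = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
            Reason = $reason.Trim()
        }
    } | Format-Table -AutoSize
```

If nothing comes back at all, NPS auditing is off; enable it with `auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable` and retry the authentication. A denied event whose reason mentions the EAP type points back to the registry edit in Part 2; one that mentions the password points at the reversible-encryption option or a MAC that was not entered in upper case without separators.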
