802.1X port control lets a network admin apply role-based policies across the network, along with other features. In this document I show a MAC Authentication Bypass (MAB) setup on a Dell N-series switch, together with the RADIUS back-end configuration that authenticates each device and places it in a different VLAN.
Part 1. Configure the Dell N-series for RADIUS at the CLI
1. Enable authentication globally on the switch:
console(config)# authentication enable
2. Enable port-based dot1x authentication, so that no traffic passes on a port until it is authorized. (ATTENTION: if you are configuring the switch remotely, first force the uplink port into an authorized state as in step 6, otherwise you will lose access to the switch after this command):
dot1x system-auth-control
3. Tell the switch to use the configured RADIUS server for dot1x attempts:
aaa authentication dot1x default radius
4. Let the RADIUS server supply VLAN assignments (authorization) for sessions that pass dot1x:
aaa authorization network default radius
5. Configure RADIUS server host:
radius-server host auth <SERVERIP>
name “Default-RADIUS-Server”
usage 802.1x
key “<SERVERKEY>”
6. Configure the uplink port (force it into an authorized state so it never waits for authentication; these are three separate commands):
interface gi1/0/48
switchport mode trunk
dot1x port-control force-authorized
7. Host-facing port configuration:
int gi1/0/36
dot1x port-control mac-based
dot1x reauthentication
dot1x mac-auth-bypass
authentication order mab
If the RADIUS server is to assign the VLAN, the port must also be in general mode:
switchport mode general
From this point the switch authenticates each device on the port using its MAC address as both the user name and the password, with the EAP-MD5 (MD5-Challenge) method.
Part 2. Installing and Configuring the RADIUS server for Windows Server 2008R2 / 2012R2
As a best practice, use a dedicated server to handle device authentication.
1. Install the Network Policy and Access Services server role.
2. In the NPS console, expand RADIUS Clients and Servers, right-click RADIUS Clients and choose New.
3. FRIENDLY NAME = whatever you like, probably the switch name or series. ADDRESS is the IP address or DNS name of the switch (to cover a group of switches, enter their subnet with a /mask). Select Manual for the shared secret and type in your <SHARED_SECRET>; this is the same shared secret you entered on the switch CLI in Part 1, step 5. On the Advanced tab leave the vendor name at "RADIUS Standard"; there is no "Dell" entry and that is fine. Click OK.
4. Create a new NPS Network Policy.
Right-click Policies -> Network Policies and click New. Give the policy a useful name and click Next.
Add a condition: our condition is User Groups. Click Add.
Add the group from Active Directory; only members of this group will be authorized. It is also worth adding a NAS Port Type condition of Ethernet so the policy only matches wired requests from the switches.
The Constraints tab is where you select which authentication methods are allowed; a request that matches none of them is denied. The switch uses the EAP-MD5 (MD5-Challenge) type, which Microsoft removed from the built-in EAP types in Windows Server 2008 and later. To re-enable it you have to add the registry entries below, then select MD5-Challenge under EAP Types on the Constraints tab. This is REQUIRED: without it the EAP type will not negotiate, the exchange fails and no authentication occurs.
Windows Registry Editor Version 5.00
; Restores MD5-Challenge (EAP type 4); the Path value is %SystemRoot%\System32\Raschap.dll encoded as REG_EXPAND_SZ
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4]
"RolesSupported"=dword:0000000a
"FriendlyName"="MD5-Challenge"
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,00,\
61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00
"InvokeUsernameDialog"=dword:00000001
"InvokePasswordDialog"=dword:00000001
When the values are set, restart the Network Policy Server (NPS) service so they take effect.
The last tab is Settings, where you define the RADIUS attributes sent back to the switch. In our case we move anyone who authenticates into VLAN 20 and allow them access: under RADIUS Attributes -> Standard add Tunnel-Type = Virtual LANs (VLAN), Tunnel-Medium-Type = 802 (includes all 802 media plus Ethernet canonical format) and Tunnel-Pvt-Group-ID = 20. These are the standard RFC 3580 VLAN attributes, which is why "RADIUS Standard" was enough for the client entry.
5. Create a user account for each device and add it to the group.
The user name is the device MAC address with no separators, all in capitals, e.g. 1234567890AB, and the password is the same string. Do not forget to select "Store password using reversible encryption": EAP-MD5 can only be verified by recomputing the hash over the clear-text password, so without it NPS will reject every request. Set the password to 1234567890AB and the PC is ready to authenticate. Keep in mind that this credential is nothing more than the MAC address, which is visible on the wire and trivially spoofed, and that the account stores its password reversibly, so keep these accounts in a dedicated group or OU with no logon rights beyond this network access.
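As an added example (not code from the original guide) the following Python models the exchange described at the end of Part 1 and in steps 4 and 5 above: the switch presents the MAC as identity and password, the server answers with an EAP-MD5 challenge, checks the response against the reversibly stored password and the group membership, and on success returns the three VLAN attributes the switch reads. MabServer, authenticate() and the sample MAC addresses are constructed for illustration; nothing here talks to a real switch or NPS.

```python
"""Offline model of the MAB exchange set up in this guide: EAP-MD5 (MD5-Challenge, EAP type 4)
with the device MAC as both user name and password, verified by an NPS stand-in against a
reversibly stored password, which then returns the RFC 3580 VLAN attributes. Added example,
not the guide's code; MabServer, authenticate() and the sample MACs are constructed."""
import hashlib
import hmac
import os
import re
import struct
from typing import Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
# RADIUS tunnel attributes (RFC 2868) carrying the VLAN values defined in RFC 3580
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PVT_GROUP = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def mab_credential(mac: str) -> str:
    """Normalise aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to the account form: 12 upper-case hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()

def eap(code: int, eap_id: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length, then Type and Type-Data (RFC 3748)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, eap_id, 4 + len(body)) + body

def parse_eap(pkt: bytes) -> Tuple[int, int, Optional[int], bytes]:
    code, eap_id, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("bad EAP length")
    return code, eap_id, (pkt[4] if length > 4 else None), pkt[5:]

def md5_challenge_response(eap_id: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 Value = MD5(Identifier || secret || challenge), the CHAP construction (RFC 1994)."""
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()

def vlan_attributes(vlan: int, tag: int = 1) -> bytes:
    """Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID as Type, Length, Tag, Value."""
    def attr(atype: int, value: bytes) -> bytes:
        return struct.pack("!BBB", atype, 3 + len(value), tag) + value
    return (attr(ATTR_TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + attr(ATTR_TUNNEL_MEDIUM, struct.pack("!I", TUNNEL_MEDIUM_802)[1:])
            + attr(ATTR_TUNNEL_PVT_GROUP, str(vlan).encode()))

def assigned_vlan(attrs: bytes) -> Optional[int]:
    """Switch side: read the VLAN from Tunnel-Private-Group-ID (attribute 81)."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + alen]
        if atype == ATTR_TUNNEL_PVT_GROUP:
            if value and value[0] <= 0x1F:   # a leading byte <= 0x1F is the tag, not text
                value = value[1:]
            return int(value.decode())
        i += alen
    return None

class MabServer:
    """NPS stand-in. Passwords are kept in clear (the 'reversible encryption' setting)
    because an EAP-MD5 response can only be checked by recomputing the hash over them."""
    def __init__(self, accounts: dict, authorized_group: set, vlan: int):
        self.accounts, self.group, self.vlan = accounts, authorized_group, vlan
        self.sessions = {}   # identity -> (expected EAP id, challenge), like RADIUS State

    def on_identity(self, pkt: bytes) -> bytes:
        _, eap_id, _, identity = parse_eap(pkt)
        challenge = os.urandom(16)
        self.sessions[identity.decode()] = (eap_id + 1, challenge)
        return eap(EAP_REQUEST, eap_id + 1, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)

    def on_md5_response(self, identity: str, pkt: bytes) -> Tuple[bytes, bytes]:
        """Return (EAP result, RADIUS attributes); attributes only accompany a success."""
        _, eap_id, eap_type, data = parse_eap(pkt)
        expected_id, challenge = self.sessions.pop(identity, (None, b""))
        password = self.accounts.get(identity)
        got = data[1:1 + data[0]] if data else b""
        ok = (eap_type == EAP_TYPE_MD5 and eap_id == expected_id and password is not None
              and identity in self.group
              and hmac.compare_digest(got, md5_challenge_response(eap_id, password, challenge)))
        if not ok:
            return eap(EAP_FAILURE, eap_id), b""
        return eap(EAP_SUCCESS, eap_id), vlan_attributes(self.vlan)

def authenticate(server: MabServer, mac: str) -> Optional[int]:
    """Device/switch side. Returns the VLAN the device lands in, or None when it is rejected."""
    cred = mab_credential(mac)   # the switch presents the MAC as identity and as password
    challenge_pkt = server.on_identity(eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, cred.encode()))
    _, eap_id, _, data = parse_eap(challenge_pkt)
    digest = md5_challenge_response(eap_id, cred, data[1:1 + data[0]])
    response = eap(EAP_RESPONSE, eap_id, EAP_TYPE_MD5, bytes([len(digest)]) + digest + cred.encode())
    result, attrs = server.on_md5_response(cred, response)
    return assigned_vlan(attrs) if parse_eap(result)[0] == EAP_SUCCESS else None

# Constructed sample data: two device accounts exist, only one is in the authorised group
NPS = MabServer(accounts={"1234567890AB": "1234567890AB", "001122334455": "001122334455"},
                authorized_group={"1234567890AB"}, vlan=20)

if __name__ == "__main__":
    for mac in ("12:34:56:78:90:ab", "00-11-22-33-44-55", "dead.beef.0001"):
        print(mac, "->", authenticate(NPS, mac))   # 20, None (not in group), None (no account)
```

Two things the model makes visible: the server can only compute MD5(id || password || challenge) if it holds the password in clear, which is exactly what "Store password using reversible encryption" provides; and the identity sent in the first message is the MAC itself, so anyone on the wire learns the "password" for free. MAB therefore identifies a device, it does not authenticate it, and the VLAN it lands in should be scoped accordingly.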
Part 3. Troubleshooting
On the switch:
show dot1x interface <interface>
show authentication statistics <interface>
On the NPS server, check the Security event log for NPS events 6272 (access granted) and 6273 (access denied); the reason code in a 6273 event tells you whether the request failed on the EAP type (the registry fix), the group condition, or the password (the reversible-encryption setting).