Channel: PowerConnect Forum - Recent Threads

N2000 Mac Authentication Bypass and 802.1x


We are trying to configure our N2000s to do 802.1x certificate-based authentication, but want the ability to provide MAC-based authentication as well. Our current config is as follows:

!Current Configuration:
!System Description "Dell Networking N2048P, 6.2.1.6, Linux 3.6.5-a5c6fee7"
!System Software Version 6.2.1.6
!
configure
vlan 1000,1100,1200-1202,1724
exit
ip telnet server disable
hostname "QD_CORE_8021x"
slot 1/0 9    ! Dell Networking N2048P
sntp unicast client enable
sntp server 129.6.15.28
sntp server 129.6.15.29
clock timezone -5 minutes 0
stack
member 1 9    ! N2048P
exit
logging 10.10.10.46
level notifications
exit
ip http secure-session hard-timeout 24
ip http secure-session soft-timeout 5
interface vlan 1201 2
ip address 10.20.201.4 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.20.201.1
username "<snip>" password <snip> privilege 15 encrypted
aaa authentication login "defaultList" local
aaa authentication login "radiuslogin" radius local
aaa authentication enable "radiusenable" radius enable
ip http authentication radius local
ip https authentication radius local
aaa authorization exec "dfltExecAuthList" radius
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable
voice vlan
radius-server key "<snip>"
radius-server host auth 10.10.10.56
primary
name "JRNPS01"
exit
!
interface Gi1/0/1
description "Normal 802.1x - No MAC"
dot1x reauthentication
dot1x timeout guest-vlan-period 10
dot1x max-req 10
dot1x guest-vlan 1724
dot1x unauth-vlan 1724
authentication order dot1x
authentication priority dot1x
exit
!
interface Gi1/0/2
description "Normal non-802.1x Access"
switchport access vlan 1100
dot1x port-control force-authorized
exit
!
interface Gi1/0/3
description "MAB Test"
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout guest-vlan-period 5
dot1x unauth-vlan 1100
dot1x mac-auth-bypass
authentication order dot1x mab
authentication priority dot1x mab
exit

 

When plugging in a computer to Gi1/0/3 it authenticates with Microsoft NPS and I can see the Access-Accept sending the correct attributes, yet the authentication never gets back to the computer authenticating.  The computer sees it as authentication failed, and never gets an IP address at all (not even seeing the unauth VLAN).  The same computer plugged into Gi1/0/1 authenticates just fine and receives what I would expect it to receive. 


Does anyone have any guides or thoughts as to why this could be happening?

Second, related question: how do I get MAB working properly? Are there any guides from Dell on this?

