Dell Switches N2000 Series (N2024P)

tested with version 6.6.3.17


####################################
# Static Port security
####################################
#How to configure MAC based port security on Dell N2000, N3000, and N4000 series switches.
https://www.dell.com/support/kbdoc/de-de/000121440/how-to-configure-mac-based-port-security-on-dell-n2000-n3000-and-n4000-series-switches?lang=en

#turn on port security on port gi1/0/1 (needs configure mode)
switchport port-security
interface gi1/0/1
> switchport port-security #turn on security
> switchport port-security maximum 5 #define a maximum of 5 mac-addresses on this port

>> now all previously learned mac-addresses on interface gi1/0/1 are removed and the port checks newly seen addresses against the port-security settings

#add static mac-addresses to an interface
console(config)# mac address-table static abcd.2233.1221 vlan 1 interface gi1/0/1

####################################
# Dynamic / Radius based Port security (mac-authentication)
####################################

console#configure
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control #enable 802.1X port-based access
console(config)#authentication enable

console(config)#radius server <radius-server-ip>
console(config)#radius server key <your-radius-key>

console(config)#aaa authorization network default radius #allow the radius server to assign vlans

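#enable authentication on device port
#MAC Authentication Bypass (MAB) >> authenticate using a MAC address as identifier
#note: a MAC address is not a secret and can be cloned, so MAB is only weak identification - place MAB clients in restricted VLANs and prefer 802.1X where the client supports it
#when using freeradius as the authentication server, mab auth-type must be pap or chap!!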
console(config)#interface gi1/0/1
console(config-if-Gi1/0/1)#authentication port-control auto
console(config-if-Gi1/0/1)#mab
console(config-if-Gi1/0/1)#mab auth-type pap
console(config-if-Gi1/0/1)#switchport mode general

#uplink interface > no authentication on this port
console(config)#interface gigabitethernet 1/0/24
console(config-if-Gi1/0/24)#authentication port-control force-authorized

####################################
# useful show commands
####################################
show authentication statistics gigabitethernet 1/0/1
console(config)#show authentication
console#show authentication clients all
show authentication interface gigabitethernet 1/0/1
show radius statistics
show dot1x users #show authenticated users
show dot1x statistics gigabitethernet 1/0/1


####################################
# Documentation
####################################
https://usermanual.wiki/Dell/DellDellNetworkingN2000SeriesUsersManual136323.1551399830/html#pf42

Name of document:
Dell EMC Networking N-Series N1100-ON, N1500, N2000, N2100-ON, N2200-ON, N3000E-ON, N3100-ON and N3200-ON Switches User’s Configuration Guide Version 6.6.3
page 371: Authentication, Authorization, and Accounting

####################################
useful common dell switch commands:
####################################

#turn on ssh server
console(config)# ip ssh server

#see interfaces
show interfaces status

save settings:
console#copy running-config startup-config

#set user / password with high privileges
console(config)#username admin password adminadmin privilege 15
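#privilege 15 means read and write access (full administrative rights)
#"adminadmin" above is only an example value - set a long, unique password on a real switch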


#what is the ip address of the switch?
show ip interface



####################################
#log messages
####################################

#after successful mac authentication you should see in the log
<190> Dec 15 14:02:59 172.16.99.20-1 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 548 %% INFO Client authorized on port (Gi1/0/1) with VLAN type RADIUS.

###################################
# Sample Configs
###################################

#######
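#interface gi1/0/1 with some mac-auth settings
#note: clients that fail authentication are authorized into vlan 200 and the no-response case into vlan 300,
#so both vlans should be restricted networks without access to internal resources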
#######
interface Gi1/0/1
switchport mode general
authentication event fail action authorize vlan 200
authentication event no-response action authorize vlan 300
authentication periodic
authentication timer reauthenticate 300
authentication timer restart 60
mab
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit


#######
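# Sample config when tested with freeradius server
# (the radius key and snmp engineid shown look like placeholder values - use your own and never publish a real key)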
#######
!Current Configuration:
!System Description "Dell EMC Networking N2024P, 6.6.3.17, Linux 4.14.138, Not Available"
!System Software Version 6.6.3.17
!
configure
vlan 99
exit
vlan 99
name "isolated"
exit
slot 1/0 3 ! Dell EMC Networking N2024P
stack
member 1 2 ! N2024P
exit
interface vlan 1
ip address dhcp
exit
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server key 7 "asdlfjasdlkfjasdklfj"
radius server auth 192.168.2.87
name "Default-RADIUS-Server"
exit
application install SupportAssist auto-restart start-on-boot
!
interface Gi1/0/1
switchport mode general
authentication timer reauthenticate 300
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
snmp-server engineid local 800002a203fasfasdfasdf
eula-consent hiveagent reject
exit
