Ethernet 802.x1 configuration – Dell

In this topic, you will learn how to configure selected Dell switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.

Important:
This guide gives general instructions for integrating Portnox Cloud with specific third-party devices. We try to provide useful examples for common models, but settings can differ between manufacturers, models, and environments. Because of this, we cannot guarantee these steps will work in every case. For questions or problems with RADIUS setup – which is an industry standard and not specific to Portnox – or with device-specific settings and troubleshooting, we recommend checking the device manufacturer’s documentation and contacting their support team. Portnox Support can help when possible, but detailed setup of third-party devices is usually best handled by the manufacturer. We also recommend updating your NAS device firmware to the latest version, as old firmware can cause issues.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.

Dell 3000 series with OS9

In this section, you will learn how to configure the Dell 3000 series switches with Dell Networking OS9 to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning:
This configuration was tested on Dell 3148 but it might not work on all Dell 3000 series models and firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Dell on these topics for your particular device model and firmware version.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.
Important:
Make sure that your Dell switch is running the latest firmware. Older Dell firmware is known to improperly handle and forward 802.1X packets, which makes it impossible to work with RADIUS authentication. This was, for example, observed for firmware 6.8.1.0 for Dell N3248P switches.
  1. Set all ports on the switch to force authorized (this includes Ten Gigabit interfaces, if applicable).
    Important:
    This is a temporary step before you can turn on auto mode. If you do not set all the ports to force authorized before turning on dot1x authentication and setting up your RADIUS servers, all ports will be blocked. This includes your trunk and uplink ports, making the switch unreachable. To fix this, you would need to reboot the switch. This issue is specific to Dell switches.
    1. Set all standard Gigabit ports to force authorized using the range command. 
      interface range gi 1/1-1/48
  dot1x port-control force-authorized 
  exit
    2. Repeat the previous step for each switch in the stack (if not a single switch). 
      interface range gi 2/1-2/48
  dot1x port-control force-authorized 
  exit 
interface range gi 3/1-3/48
  dot1x port-control force-authorized 
  exit
    3. Set all Ten Gigabit ports to force authorized (depends on the switch number in the stack). 
      interface range Te 1/49-1/52
  dot1x port-control force-authorized
  exit 
interface range Te 2/49-2/52
  dot1x port-control force-authorized 
  exit
interface range Te 3/49-2/52
  dot1x port-control force-authorized 
  exit
  2. Globally enable 802.1X on the switch or switch stack. 
    dot1x authentication
  3. Confirm that the switch remains up and working, then save the configuration. 
    write mem
  4. Add global AAA commands that are not unique to the switch (Dell 3100 require very few AAA commands). 
    aaa accounting dot1x default start-stop radius
  5. Add the Portnox Cloud US RADIUS server as the primary for authentication and accounting.
    Important:
    The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
    radius-server
  host 20.119.69.248
  key 0 rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  auth-port 10322
  acct-port 10323
  exit
  6. Add the Portnox Cloud EU RADIUS server as the secondary (if required). 
    radius-server
  host 52.232.122.157
  key 0 fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  auth-port 10476
  acct-port 10477
  exit
  7. Add the source interface of the switch that you are enabling. This interface must be able to reach the Portnox public RADIUS IP. 
    ip radius source-interface Vlan 1
  8. Enable each interface for 802.1X by setting the mode to auto and add basic dot1x commands. 
    no ip address
portmode hybrid
switchport
service-policy input VOIP
dot1x authentication
dot1x port-control auto
dot1x reauth-max 1
dot1x tx-period 10
dot1x host-mode multi-auth
dot1x mac-auth-bypass
  9. You can enable multiple interfaces at once using the range command (the example below enables interfaces for ports 20 to 48). 
    interface range gi 1/20-1/48
  dot1x authentication
  dot1x port-control auto
  dot1x reauth-max 1
  dot1x tx-period 10
  dot1x host-mode multi-auth
  dot1x mac-auth-bypass
  exit
  10. To allow printers to authorize quicker and to allow Wake-On-Lan for printing, a printer port can be optimized to use MAB only. 
    interface range gi 1/29
  dot1x port-control auto
  dot1x host-mode single-host
  dot1x tx-period 10
  dot1x mac-auth-bypass
  dot1x auth-type mab-only
  exit
  11. Configure a critical VLAN
    Note:
    If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
    Note:
    This function may be unsupported on some switches. Consult Dell documentation for more information about its availability for your specific model and software version.
    interface range gi 1/20-1/48
  dot1x critical-vlan 10
  12. Confirm that 802.1X devices are authenticating via credentials, certificates, or MAC bypass in the Portnox Cloud alerts. Then, save the configuration. 
    wr

Dell E3200 series with SONiC

In this section, you will learn how to configure the Dell E3200 series switches with the SONiC OS to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning:
This configuration was tested on Dell E3248P-ON with SONiC 4.5.1 but it might not work on all Dell 3000 series models and OS/firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Dell on these topics for your particular device model and OS/firmware version.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.
Important:
Make sure that your Dell switch is running the latest firmware. Older Dell firmware is known to improperly handle and forward 802.1X packets, which makes it impossible to work with RADIUS authentication. This was, for example, observed for firmware 6.8.1.0 for Dell N3248P switches.
  1. Enter global configuration mode. 
    conf t
  2. Configure the RADIUS servers, shared keys, and source interfaces. 
    radius-server host 20.119.69.248
  auth-port 10322
  acct-port 10323
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  source-interface Management0
    radius-server host 52.232.122.157
  auth-port 10476
  acct-port 10477
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  source-interface Management0
  3. Optional: Enable authentication monitoring for visibility and troubleshooting. 
    authentication monitor
  4. Globally enable 802.1X authentication enforcement on the switch. 
    dot1x system-auth-control
  5. Select the interface or interface range where authentication will be applied. 
    interface Eth1/1-1/2,1/7,1/12-1/15
  6. Set the port to act as the 802.1X authenticator. 
    dot1x pae authenticator
  7. Automatically authorize or block the port based on authentication results. 
    authentication port-control auto
  8. Allow multiple authenticated devices on the same physical port. 
    authentication host-mode multi-auth
  9. Attempt 802.1X authentication first, then fall back to MAB if needed. 
    authentication order dot1x mab
  10. Prefer 802.1X over MAB when both authentication methods succeed. 
    authentication priority dot1x mab
  11. Enable MAC Authentication Bypass for non-802.1X-capable devices. 
    mab
  12. Exit configuration mode. 
    end
  13. Save the configuration so it persists after reboot. 
    write memory

Dell 5524 PowerConnect

In this section, you will learn how to configure the Dell 5524 PowerConnect switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning:
This configuration was tested on Dell 5524 but it might not work on all related models and firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Dell on these topics for your particular device model and firmware version.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.
  1. Set all ports on the switch to force authorized (this includes Ten Gigabit interfaces, if applicable).
    Important:
    This is a temporary step before you can turn on auto mode. If you do not set all the ports to force authorized before turning on dot1x authentication and setting up your RADIUS servers, all ports will be blocked. This includes your trunk and uplink ports, making the switch unreachable. To fix this, you would need to reboot the switch. This issue is specific to Dell switches.
    1. Set all standard Gigabit ports to force authorized using the range command. 
      interface range gi 1/1-1/48
  dot1x port-control force-authorized 
  exit
    2. Repeat the previous step for each switch in the stack (if not a single switch). 
      interface range gi 2/1-2/48
  dot1x port-control force-authorized 
  exit 
interface range gi 3/1-3/48
  dot1x port-control force-authorized 
  exit
    3. Set all Ten Gigabit ports to force authorized (depends on the switch number in the stack). 
      interface range Te 1/49-1/52
  dot1x port-control force-authorized
  exit 
interface range Te 2/49-2/52
  dot1x port-control force-authorized 
  exit
interface range Te 3/49-2/52
  dot1x port-control force-authorized 
  exit
  2. Add the Portnox Cloud US RADIUS server as the primary for authentication and accounting.
    Important:
    The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
    radius-server
  host 20.119.69.248
  auth-port 10322
  acct-port 10323
  key 0 rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  source 172.28.13.4
  priority 0
  usage dot1.x
  exit
    Note:
    For the priority value, the lower the number, the higher the priority given to the RADIUS server.
  3. Add the Portnox Cloud EU RADIUS server as the secondary (if required). 
    radius-server
  host 52.232.122.157
  auth-port 10476
  acct-port 10477
  key 0 fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  source 172.28.13.4
  priority 1
  usage dot1.x
  exit
  4. Globally enable 802.1X and set the global system defaults on the switch or switch stack. 
    aaa authentication enable default radius
aaa authentication dot1x default radius
aaa accounting dot1x start-stop group radius
dot1x system-auth-control
  5. Confirm that the switch remains up and working, then save the configuration. 
    write mem
  6. Enable each interface for 802.1X by setting the mode to auto and add basic dot1x commands.

    Here are some example scenarios:

    • Single-host (PC or printer) / dynamic VLANs (RADIUS-assigned):

      interface gigabitethernet1/0/3
  dot1x host-mode multi-sessions
  dot1x mac-and-802.1x
  dot1x port-control auto
  dot1x radius-attributes vlan
  spanning-tree portfast
  switchport general allowed vlan add 30,130-157 tagged
  switchport access vlan none
  exit

    • Single-host (PC or printer) / switch-assigned VLANs:

      interface gigabitethernet1/0/4
  dot1x reauthentication
  dot1x mac-and-802.1x
  dot1x port-control auto
  spanning-tree portfast
  switchport mode general
  switchport general allowed vlan add 30 tagged
  switchport access vlan 30
  switchport general pvid 30
  exit

Dell N2048 PowerConnect

In this section, you will learn how to configure the Dell N2048 PowerConnect switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning:
This configuration was tested on Dell N2048 PowerConnect but it might not work on all related models and firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Dell on these topics for your particular device model and firmware version.
Important:
All values in this configuration are examples. Make sure to adjust the configuration to your individual profile names, RADIUS server addresses, ports, and keys by replacing the values that are presented as underlined italics.
  1. Set all ports on the switch to force authorized.
    Important:
    This must be done first on Dell switches, otherwise it will lock out all ports automatically when 802.1X is enabled.
    interface gigabitethernet1/0/4
  authentication port-control force-authorized
  exit
  2. Configure the RADIUS servers. 
    radius-server auth 20.119.69.248
  auth-port 10322
  primary
  name "PORTNOX-US"
  source-ip 172.28.13.4
  usage authmgr
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  exit
    radius-server auth 52.232.122.157
  auth-port 10476
  name "PORTNOX-EU"
  source-ip 172.28.13.4
  usage authmgr
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  exit
    radius-server acct 20.119.69.248
  acct-port 10323
  name "PORTNOX-US"
  key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
  exit
    radius-server acct 52.232.122.157
  acct-port 10477
  name "PORTNOX-EU"
  key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
  exit
  3. Configure 802.1X. 
    aaa accounting dot1x default start-stop radius
authentication enable
authentication monitor
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server timeout 5
  4. Configure all ports hosting endpoint/user devices.
    Important:
    Do not apply this to uplinks or trunks.
    interface gigabitethernet1/0/4
  spanning-tree portfast
  switchport mode general
  authentication host-mode multi-domain
  authentication max-users 3
  mab
  authentication order dot1x mab
  authentication priority dot1x mab
  exit