Ethernet 802.x1 configuration – Dell
In this topic, you will learn how to configure selected Dell switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for wired Ethernet connections.
Dell 3000 series
In this section, you will learn how to configure the Dell 3000 series switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.
-
Set all ports on the switch to force authorized (this includes Ten Gigabit interfaces, if
applicable).
Important: This is a temporary step before you can turn on auto mode. If you do not set all the ports to force authorized before turning on dot1x authentication and setting up your RADIUS servers, all ports will be blocked. This includes your trunk and uplink ports, making the switch unreachable. To fix this, you would need to reboot the switch. This issue is specific to Dell switches.
-
Globally enable 802.1X on the switch or switch stack.
dot1x authentication
-
Confirm that the switch remains up and working, then save the configuration.
write mem
-
Add global AAA commands that are not unique to the switch (Dell 3100 require very few AAA commands).
aaa accounting dot1x default start-stop radius
-
Add the Portnox Cloud US RADIUS server as the primary for authentication and accounting.
Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
radius-server host 20.119.69.248 key 0 rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1 auth-port 10322 acct-port 10323 exit
-
Add the Portnox Cloud EU RADIUS server as the secondary (if required).
radius-server host 52.232.122.157 key 0 fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt auth-port 10476 acct-port 10477 exit
-
Add the source interface of the switch that you are enabling. This interface must be able to reach the Portnox
public RADIUS IP.
ip radius source-interface Vlan 1
-
Enable each interface for 802.1X by setting the mode to auto and add basic
dot1x commands.
no ip address portmode hybrid switchport service-policy input VOIP dot1x authentication dot1x port-control auto dot1x reauth-max 1 dot1x tx-period 10 dot1x host-mode multi-auth dot1x mac-auth-bypass
-
You can enable multiple interfaces at once using the range command (the example below enables interfaces for ports
20 to 48).
interface range gi 1/20-1/48 dot1x authentication dot1x port-control auto dot1x reauth-max 1 dot1x tx-period 10 dot1x host-mode multi-auth dot1x mac-auth-bypass exit
-
To allow printers to authorize quicker and to allow Wake-On-Lan for printing, a printer port can be optimized to
use MAB only.
interface range gi 1/29 dot1x port-control auto dot1x host-mode single-host dot1x tx-period 10 dot1x mac-auth-bypass dot1x auth-type mab-only exit
-
Configure a critical VLAN
Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.Note: This function may be unsupported on some switches. Consult Dell documentation for more information about its availability for your specific model and software version.
interface range gi 1/20-1/48 dot1x critical-vlan 10
-
Confirm that 802.1X devices are authenticating via credentials, certificates, or MAC bypass in the Portnox Cloud
alerts. Then, save the configuration.
wr
Dell 5524 PowerConnect
In this section, you will learn how to configure the Dell 5524 PowerConnect switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.
-
Set all ports on the switch to force authorized (this includes Ten Gigabit interfaces, if
applicable).
Important: This is a temporary step before you can turn on auto mode. If you do not set all the ports to force authorized before turning on dot1x authentication and setting up your RADIUS servers, all ports will be blocked. This includes your trunk and uplink ports, making the switch unreachable. To fix this, you would need to reboot the switch. This issue is specific to Dell switches.
-
Add the Portnox Cloud US RADIUS server as the primary for authentication and accounting.
Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
radius-server host 20.119.69.248 auth-port 10322 acct-port 10323 key 0 rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1 source 172.28.13.4 priority 0 usage dot1.x exit
Note: For the priority value, the lower the number, the higher the priority given to the RADIUS server. -
Add the Portnox Cloud EU RADIUS server as the secondary (if required).
radius-server host 52.232.122.157 auth-port 10476 acct-port 10477 key 0 fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt source 172.28.13.4 priority 1 usage dot1.x exit
-
Globally enable 802.1X and set the global system defaults on the switch or switch stack.
aaa authentication enable default radius aaa authentication dot1x default radius aaa accounting dot1x start-stop group radius dot1x system-auth-control
-
Confirm that the switch remains up and working, then save the configuration.
write mem
-
Enable each interface for 802.1X by setting the mode to auto and add basic
dot1x commands.
Here are some example scenarios:
-
Single-host (PC or printer) / dynamic VLANs (RADIUS-assigned):
interface gigabitethernet1/0/3 dot1x host-mode multi-sessions dot1x mac-and-802.1x dot1x port-control auto dot1x radius-attributes vlan spanning-tree portfast switchport general allowed vlan add 30,130-157 tagged switchport access vlan none exit
-
Single-host (PC or printer) / switch-assigned VLANs:
interface gigabitethernet1/0/4 dot1x reauthentication dot1x mac-and-802.1x dot1x port-control auto spanning-tree portfast switchport mode general switchport general allowed vlan add 30 tagged switchport access vlan 30 switchport general pvid 30 exit
-
Dell N2048 PowerConnect
In this section, you will learn how to configure the Dell N2048 PowerConnect switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.
-
Set all ports on the switch to force authorized.
Important: This must be done first on Dell switches, otherwise it will lock out all ports automatically when 802.1X is enabled.
interface gigabitethernet1/0/4 authentication port-control force-authorized exit
-
Configure the RADIUS servers.
radius-server auth 20.119.69.248 auth-port 10322 primary name "PORTNOX-US" source-ip 172.28.13.4 usage authmgr key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1 exit
radius-server auth 52.232.122.157 auth-port 10476 name "PORTNOX-EU" source-ip 172.28.13.4 usage authmgr key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt exit
radius-server acct 20.119.69.248 acct-port 10323 name "PORTNOX-US" key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1 exit
radius-server acct 52.232.122.157 acct-port 10477 name "PORTNOX-EU" key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt exit
-
Configure 802.1X.
aaa accounting dot1x default start-stop radius authentication enable authentication monitor dot1x system-auth-control aaa authentication dot1x default radius aaa authorization network default radius radius server timeout 5
-
Configure all ports hosting endpoint/user devices.
Important: Do not apply this to uplinks or trunks.
interface gigabitethernet1/0/4 spanning-tree portfast switchport mode general authentication host-mode multi-domain authentication max-users 3 mab authentication order dot1x mab authentication priority dot1x mab exit