Ethernet 802.1X configuration – Dell

In this topic, you will learn how to configure selected Dell switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Dell 3000 series

In this section, you will learn how to configure the Dell 3000 series switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning: This configuration was tested on Dell 3148 but it might not work on all Dell 3000 series models and firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Dell on these topics for your particular device model and firmware version.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces, limits, and VLANs by replacing the values that are presented as underlined italics.
  1. Set all ports on the switch to force authorized (this includes Ten Gigabit interfaces, if applicable).
    Important: This is a temporary step before you can turn on auto mode. If you do not set all the ports to force authorized before turning on dot1x authentication and setting up your RADIUS servers, all ports will be blocked. This includes your trunk and uplink ports, making the switch unreachable. To fix this, you would need to reboot the switch. This issue is specific to Dell switches.
    1. Set all standard Gigabit ports to force authorized using the range command.
      interface range gi 1/1-1/48
        dot1x port-control force-authorized 
        exit
    2. Repeat the previous step for each switch in the stack (if not a single switch).
      interface range gi 2/1-2/48
        dot1x port-control force-authorized 
        exit 
      interface range gi 3/1-3/48
        dot1x port-control force-authorized 
        exit
    3. Set all Ten Gigabit ports to force authorized (depends on the switch number in the stack).
      interface range Te 1/49-1/52
        dot1x port-control force-authorized
        exit 
      interface range Te 2/49-2/52
        dot1x port-control force-authorized 
        exit
      interface range Te 3/49-3/52
        dot1x port-control force-authorized 
        exit
  2. Globally enable 802.1X on the switch or switch stack.
    dot1x authentication
  3. Confirm that the switch remains up and working, then save the configuration.
    write mem
  4. Add global AAA commands that are not unique to the switch (Dell 3100 switches require very few AAA commands).
    aaa accounting dot1x default start-stop radius
  5. Add the Portnox Cloud US RADIUS server as the primary for authentication and accounting.
    Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
    radius-server
      host 20.119.69.248
      key 0 rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
      auth-port 10322
      acct-port 10323
      exit
  6. Add the Portnox Cloud EU RADIUS server as the secondary (if required).
    radius-server
      host 52.232.122.157
      key 0 fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
      auth-port 10476
      acct-port 10477
      exit
  7. Add the source interface of the switch that you are enabling. This interface must be able to reach the Portnox public RADIUS IP.
    ip radius source-interface Vlan 1
  8. Enable each interface for 802.1X by setting the mode to auto and add basic dot1x commands.
    no ip address
    portmode hybrid
    switchport
    service-policy input VOIP
    dot1x authentication
    dot1x port-control auto
    dot1x reauth-max 1
    dot1x tx-period 10
    dot1x host-mode multi-auth
    dot1x mac-auth-bypass
  9. You can enable multiple interfaces at once using the range command (the example below enables interfaces for ports 20 to 48).
    interface range gi 1/20-1/48
      dot1x authentication
      dot1x port-control auto
      dot1x reauth-max 1
      dot1x tx-period 10
      dot1x host-mode multi-auth
      dot1x mac-auth-bypass
      exit
  10. To allow printers to authorize more quickly and to allow Wake-on-LAN for printing, a printer port can be optimized to use MAB only.
    interface range gi 1/29
      dot1x port-control auto
      dot1x host-mode single-host
      dot1x tx-period 10
      dot1x mac-auth-bypass
      dot1x auth-type mab-only
      exit
  11. Configure a critical VLAN.
    Note: If, for any reason, your NAS device is temporarily unable to connect to Portnox Cloud RADIUS servers, the client device attempting 802.1X authentication is assigned to this VLAN. This lets your network administrators maintain client connectivity to certain resources without compromising security in circumstances such as an Internet connection failure.
    Note: This function may be unsupported on some switches. Consult Dell documentation for more information about its availability for your specific model and software version.
    interface range gi 1/20-1/48
      dot1x critical-vlan 10
  12. Confirm that 802.1X devices are authenticating via credentials, certificates, or MAC bypass in the Portnox Cloud alerts. Then, save the configuration.
    wr
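
Step 1 is described as temporary, so any access port left in force-authorized after step 9 bypasses 802.1X entirely. The following Python script is an added example, not part of the original Portnox or Dell documentation: it replays a saved configuration written in the Dell 3000 series syntax shown above and lists ports whose final mode is still force-authorized. The sample configuration and the uplink list (Te 1/49-1/52) are constructed assumptions.

```python
import re

# Constructed sample: step 1 (all ports force-authorized) followed by
# step 9 (ports 20-48 moved to auto), in the Dell 3000 series syntax.
SAMPLE_CONFIG = """\
interface range gi 1/1-1/48
  dot1x port-control force-authorized
  exit
interface range Te 1/49-1/52
  dot1x port-control force-authorized
  exit
interface range gi 1/20-1/48
  dot1x authentication
  dot1x port-control auto
  exit
"""

IFACE = re.compile(r"interface\s+(?:range\s+)?(\w+)\s+(\d+)/(\d+)(?:\s*-\s*\d+/(\d+))?$", re.I)
MODE = re.compile(r"dot1x\s+port-control\s+(\S+)", re.I)


def final_port_modes(config):
    """Replay the config in order; the last port-control seen per port wins."""
    modes, current = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE.match(line)
        if m:
            kind, slot, first, last = m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)
            current = [f"{kind} {slot}/{p}" for p in range(first, int(last or first) + 1)]
        elif line == "exit":
            current = []
        elif (m := MODE.match(line)):
            for port in current:
                modes[port] = m.group(1).lower()
    return modes


def unexpected_force_authorized(config, uplinks):
    """Ports still force-authorized that are not declared uplinks or trunks."""
    allowed = {u.lower() for u in uplinks}
    return sorted(p for p, mode in final_port_modes(config).items()
                  if mode == "force-authorized" and p not in allowed)


if __name__ == "__main__":
    # Assumption: Te 1/49-1/52 are the uplinks that intentionally bypass 802.1X.
    uplinks = [f"te 1/{p}" for p in range(49, 53)]
    for port in unexpected_force_authorized(SAMPLE_CONFIG, uplinks):
        print("still force-authorized:", port)
```

With the constructed sample, ports gi 1/1 through gi 1/19 are reported, because only ports 20 to 48 were moved to auto.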

Dell 5524 PowerConnect

In this section, you will learn how to configure the Dell 5524 PowerConnect switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning: This configuration was tested on Dell 5524 but it might not work on all related models and firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Dell on these topics for your particular device model and firmware version.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces, limits, and VLANs.
  1. Set all ports on the switch to force authorized (this includes Ten Gigabit interfaces, if applicable).
    Important: This is a temporary step before you can turn on auto mode. If you do not set all the ports to force authorized before turning on dot1x authentication and setting up your RADIUS servers, all ports will be blocked. This includes your trunk and uplink ports, making the switch unreachable. To fix this, you would need to reboot the switch. This issue is specific to Dell switches.
    1. Set all standard Gigabit ports to force authorized using the range command.
      interface range gi 1/1-1/48
        dot1x port-control force-authorized 
        exit
    2. Repeat the previous step for each switch in the stack (if not a single switch).
      interface range gi 2/1-2/48
        dot1x port-control force-authorized 
        exit 
      interface range gi 3/1-3/48
        dot1x port-control force-authorized 
        exit
    3. Set all Ten Gigabit ports to force authorized (depends on the switch number in the stack).
      interface range Te 1/49-1/52
        dot1x port-control force-authorized
        exit 
      interface range Te 2/49-2/52
        dot1x port-control force-authorized 
        exit
      interface range Te 3/49-3/52
        dot1x port-control force-authorized 
        exit
  2. Add the Portnox Cloud US RADIUS server as the primary for authentication and accounting.
    Important: The IP addresses, port numbers, and keys below are examples. Replace them with your individual IP addresses, port numbers, and keys from your Portnox Cloud configuration.
    radius-server
      host 20.119.69.248
      auth-port 10322
      acct-port 10323
      key 0 rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
      source 172.28.13.4
      priority 0
      usage dot1.x
      exit
    Note: For the priority value, the lower the number, the higher the priority given to the RADIUS server.
  3. Add the Portnox Cloud EU RADIUS server as the secondary (if required).
    radius-server
      host 52.232.122.157
      auth-port 10476
      acct-port 10477
      key 0 fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
      source 172.28.13.4
      priority 1
      usage dot1.x
      exit
  4. Globally enable 802.1X and set the global system defaults on the switch or switch stack.
    aaa authentication enable default radius
    aaa authentication dot1x default radius
    aaa accounting dot1x start-stop group radius
    dot1x system-auth-control
  5. Confirm that the switch remains up and working, then save the configuration.
    write mem
  6. Enable each interface for 802.1X by setting the mode to auto and add basic dot1x commands.

    Here are some example scenarios:

    • Single-host (PC or printer) / dynamic VLANs (RADIUS-assigned):

      interface gigabitethernet1/0/3
        dot1x host-mode multi-sessions
        dot1x mac-and-802.1x
        dot1x port-control auto
        dot1x radius-attributes vlan
        spanning-tree portfast
        switchport general allowed vlan add 30,130-157 tagged
        switchport access vlan none
        exit
    • Single-host (PC or printer) / switch-assigned VLANs:

      interface gigabitethernet1/0/4
        dot1x reauthentication
        dot1x mac-and-802.1x
        dot1x port-control auto
        spanning-tree portfast
        switchport mode general
        switchport general allowed vlan add 30 tagged
        switchport access vlan 30
        switchport general pvid 30
        exit

Dell N2048 PowerConnect

In this section, you will learn how to configure the Dell N2048 PowerConnect switches to work together with Portnox™ Cloud and 802.1X RADIUS authentication for Ethernet connections.

Warning: This configuration was tested on Dell N2048 PowerConnect but it might not work on all related models and firmware versions. To get the most accurate and current configuration guidance on switch 802.1X configuration, we strongly recommend that you refer to the documentation provided by Dell on these topics for your particular device model and firmware version.
Important: All values in this configuration are examples. Make sure to adjust the configuration to your individual RADIUS server addresses, ports, and keys, as well as device interfaces, limits, and VLANs.
  1. Set all ports on the switch to force authorized.
    Important: This must be done first on Dell switches, otherwise it will lock out all ports automatically when 802.1X is enabled.
    interface gigabitethernet1/0/4
      authentication port-control force-authorized
      exit
  2. Configure the RADIUS servers.
    radius-server auth 20.119.69.248
      auth-port 10322
      primary
      name "PORTNOX-US"
      source-ip 172.28.13.4
      usage authmgr
      key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
      exit
    radius-server auth 52.232.122.157
      auth-port 10476
      name "PORTNOX-EU"
      source-ip 172.28.13.4
      usage authmgr
      key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
      exit
    radius-server acct 20.119.69.248
      acct-port 10323
      name "PORTNOX-US"
      key rTHO9HEo9BcqfC9Yg0hHFelK6o0tH8N1
      exit
    radius-server acct 52.232.122.157
      acct-port 10477
      name "PORTNOX-EU"
      key fnSrSEHhXFZ5Rqpz756NJhkeVqIHTlPt
      exit
  3. Configure 802.1X.
    aaa accounting dot1x default start-stop radius
    authentication enable
    authentication monitor
    dot1x system-auth-control
    aaa authentication dot1x default radius
    aaa authorization network default radius
    radius server timeout 5
  4. Configure all ports hosting endpoint/user devices.
    Important: Do not apply this to uplinks or trunks.
    interface gigabitethernet1/0/4
      spanning-tree portfast
      switchport mode general
      authentication host-mode multi-domain
      authentication max-users 3
      mab
      authentication order dot1x mab
      authentication priority dot1x mab
      exit