9.2.3.7. Dell

9.2.3.7.1. N1500

Firmware: 6.8.0.1

Administration Portal > ON CMDB > Network Devices Brand/Model: Dell/Generic - Dell/N1500

9.2.3.7.1.1. Radius Global Configuration

Define the RADIUS servers to be used for authentications and their format:

console# configure terminal
console(config)# aaa new-model
console(config)# radius server auth <RADIUS_IP>
console(config-auth-radius)# name opennac-auth
console(config-auth-radius)# key <RADIUS_SharedKey>
console(config-auth-radius)# automate-tester username monitor idle-time 1
console(config-auth-radius)# deadtime 1
console(config-auth-radius)# usage 802.1x
console(config-auth-radius)# exit
console(config)# radius server acct <RADIUS_IP>
console(config-acct-radius)# name opennac-acct
console(config-acct-radius)# key <RADIUS_SharedKey>
console(config-acct-radius)# exit

802.1X Global

console(config)# authentication enable
console(config)# ip device tracking
console(config)# authentication dynamic-vlan enable
console(config)# radius server vsa send authentication
console(config)# aaa authentication dot1x default radius
console(config)# dot1x system-auth-control
console(config)# switchport voice vlan

9.2.3.7.1.2. Dot1X Interface Configuration

console(config)# interface gi1/0/4
console(config-if-Gi1/0/4)# switchport mode general
console(config-if-Gi1/0/4)# authentication host-mode multi-auth
console(config-if-Gi1/0/4)# authentication order dot1x mab
console(config-if-Gi1/0/4)# authentication periodic
console(config-if-Gi1/0/4)# authentication control-direction in
console(config-if-Gi1/0/4)# dot1x timeout supp-timeout 2
console(config-if-Gi1/0/4)# dot1x timeout tx-period 3
console(config-if-Gi1/0/4)# voice vlan <Voice_VLAN_ID>
console(config-if-Gi1/0/4)# authentication event server dead action authorize voice
console(config-if-Gi1/0/4)# authentication event server dead action authorize vlan <Critical_VLAN_ID>
console(config-if-Gi1/0/4)# exit

9.2.3.7.1.3. Dot1x Features

Default VLAN

The default VLAN is the one assigned when the default VLAN is defined in the openNAC policy.

(config)# switchport general pvid <Default_VLAN_ID>

Critical VLAN

The critical VLAN is the one in which connections are established when the RADIUS servers are not available for authorization. Once an authentication method has been configured, the critical VLAN can be configured. unauth-vid: configures the VLAN to which a port is assigned while an unauthenticated client is connected. This parameter is not configured by default.

In addition, the unauth-period parameter sets a timeout for the switch authentication before the port is moved to the VLAN for unauthenticated clients.

console(config-if-Gi1/0/4)# authentication event server dead action authorize voice
console(config-if-Gi1/0/4)# authentication event server dead action authorize vlan 11

Voice VLAN

The voice VLAN will be used to separate the voice traffic from the data traffic.

console(config-if-Gi1/0/4)# voice vlan 202

Reject VLAN

The Reject VLAN is the one assigned when an Access-Reject is received from the RADIUS server.

console(config-if-Gi1/0/4)# authentication event fail action authorize vlan <VLAN_ID>

Reauthentication

To configure periodic authentication we must configure the following:

console(config-if-Gi1/0/4)# authentication periodic

If we want to configure a static authentication time (in seconds):

console(config-if-Gi1/0/4)# authentication timer reauthenticate <300-4294967295>

If we want to send the time through radius (Session-Timeout) attributes we must configure the following:

console(config-if-Gi1/0/4)# authentication timer reauthenticate server

9.2.3.7.1.4. SNMP - Toggle Port

We will configure the SNMP feature to enable communication between the OpenNAC Core and the network device in order to toggle ports:

SNMP v2c:

console(config)# snmp-server community <Read/Write Community> rw
console(config)# snmp-server community <Read Community> ro

SNMP v3 (recommended):

console(config)# snmp-server view <view_Name> ifAdminStatus included
console(config)# snmp-server group <group_Name> v3 priv read <view_Name> write <view_Name>
console(config)# snmp-server user <user_Name> <group_Name> auth-sha <password_Auth> priv-aes <password_Priv>

9.2.3.7.1.5. CoA - Toggle Port

Enable CoA for RADIUS:

console(config)# aaa server radius dynamic-author

Configure CoA to accept remote RADIUS server requests from a specific IP (the RADIUS server IP) using "shared secret" as the key:

console(config-radius-da)# client <Client_IP> server-key "shared secret"
console(config-radius-da)# auth-type any
console(config-radius-da)# exit

Note

Remember that if you have several RADIUS servers (principal/workers) you must register all of them, since any of them can generate CoA requests.
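The server-key configured above is what the switch uses to check that a CoA or Disconnect request really came from a registered RADIUS server. The following added example (not part of the original page or of openNAC) builds an RFC 5176 Disconnect-Request and performs the same Request Authenticator check the switch performs; the MAC address, NAS IP and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 5176 code for Disconnect-Request (CoA-Request is 43)
NAS_IP_ADDRESS = 4        # RADIUS attribute: switch address the session lives on
CALLING_STATION_ID = 31   # RADIUS attribute: client MAC as text


def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type, length (incl. header), value."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret) (RFC 5176 2.3)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """The switch-side check: recompute the authenticator with the configured
    server-key and compare. A request signed with any other secret is dropped."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def sample_disconnect(secret=b"shared secret"):
    """Constructed sample: disconnect the session of MAC 00-11-22-33-44-55 on NAS 192.0.2.10."""
    attrs = [
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    ]
    return build_request(DISCONNECT_REQUEST, 7, attrs, secret)


if __name__ == "__main__":
    pkt = sample_disconnect()
    print(len(pkt), verify_request(pkt, b"shared secret"), verify_request(pkt, b"wrong"))
```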

9.2.3.7.1.6. Security Profiles (ACLs)

Static

Example ACL Switch definition:

ip access-list testACL
1000 deny icmp any 8.8.8.8 255.255.255.255
exit

The OpenNAC Security Profile must include the ".in" extension in the ACL name:

testACL.in

Dynamic

Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port.

Example OpenNAC Dynamic Security Profile for Dell:

ip:inacl#100=permit ip any 209.165.0.0 0.0.255.255
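To check security profile strings before they reach the switch, the following added example (not part of the original page or of openNAC) parses the Dell ip:inacl#&lt;seq&gt;=... form shown above, validates the ".in" naming rule for static profiles, and evaluates sample traffic against the parsed entries. It assumes standard ACL semantics (entries tried in sequence order, first match wins, implicit deny at the end) and the address forms any, host A.B.C.D and A.B.C.D wildcard.

```python
import ipaddress
import re

# Dell dynamic ACL attribute: ip:inacl#<seq>=<permit|deny> <proto> <src> <dst>
ENTRY_RE = re.compile(
    r"^ip:inacl#(?P<seq>\d+)=(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.+)$"
)


def parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard').
    Returns ((network_int, wildcard_int), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net, wild = ipaddress.IPv4Address(tokens[0]), ipaddress.IPv4Address(tokens[1])
    return (int(net), int(wild)), tokens[2:]


def parse_dynamic_entry(line):
    """Parse one ip:inacl# entry into a dict; raises ValueError on malformed input."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Dell ip:inacl entry: {line!r}")
    tokens = m.group("rest").split()
    src, tokens = parse_addr(tokens)
    dst, _ = parse_addr(tokens)  # trailing port qualifiers are ignored here
    return {"seq": int(m.group("seq")), "action": m.group("action"),
            "proto": m.group("proto"), "src": src, "dst": dst}


def matches(spec, ip):
    """Wildcard-mask match: bits set in the wildcard are 'don't care' bits."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(entries, proto, src_ip, dst_ip):
    """First matching entry in sequence order decides; no match means deny."""
    for e in sorted(entries, key=lambda e: e["seq"]):
        if e["proto"] in ("ip", proto) and matches(e["src"], src_ip) and matches(e["dst"], dst_ip):
            return e["action"]
    return "deny"


def static_profile_ok(name):
    """Static profiles reference a switch ACL by name and must carry the '.in' suffix."""
    return name.endswith(".in") and len(name) > len(".in")
```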

9.2.3.7.1.7. SNMP Traps

In order to configure the sending of SNMP traps to the OpenNAC servers, we must perform the following configuration on the switch:

SNMP v3 Configuration (recommended):

console(config)# snmp-server view <view_Name> ifAdminStatus included
console(config)# snmp-server group <group_Name> v3 priv read <view_Name> write <view_Name>
console(config)# snmp-server user <user_Name> <group_Name> auth-sha <password_Auth> priv-aes <password_Priv>
console(config)# snmp-server v3-host <Trap_receiver> <user_Name> traps priv

Global Configuration

console(config)# mac address-table notification change
console(config)# snmp-server enable traps mac-notification

Interface Configuration

console(config)# interface gi1/0/3
console(config-if-Gi1/0/3)# snmp trap mac-notification change added
console(config-if-Gi1/0/3)# snmp trap mac-notification change removed

Note

MAC Change SNMP Traps only work if authentication is disabled on the port.

9.2.3.7.1.8. Troubleshooting & Monitoring

  • RADIUS Debug:

debug authentication all <interface>
debug aaa coa
debug dot1x packet
debug console

  • Display connected users:

show authentication clients all
show authentication clients <Interface>

  • SNMP Traps:

show mac address-table notification
show mac address-table notification change