inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

DELL Networking documentation improvement #3479

Open BiasF opened 6 years ago

BiasF commented 6 years ago

The commands for Dell Networking in the PF Documentation are outdated. And for voice device integration I had to make a change in the DELL N1500 class.

The following settings are working for me:

On each port:

switchport mode general
switchport general allowed vlan add 17,100,150,200,205,930-931,999
dot1x port-control mac-based
dot1x reauthentication
dot1x timeout guest-vlan-period 10
dot1x unauth-vlan 931
mab
default mab pap
authentication order dot1x mab
switchport voice vlan 205

It's important to add the default mab pap to the config, otherwise the switch will use EAP-MD5 for MAB.

After that, I was wondering why my Cisco IP phones will be authenticated but not placed in the voice VLAN. The method for adding the VSA for voice devices returns nothing, so I added the value from a Cisco device; Dell uses the same syntax. Now it's working 👍

sub getVoipVsa {
    my ($self) = @_;
    return ('Cisco-AVPair' => "device-traffic-class=voice");
}

This config should work for these DELL switch models:

OS Version 6.5.2.x—N1500/N2000/N2100-ON/N3000/N3000-ON/N3100-ON/N4000 Series Switches

OS Version 6.4.x.x—N1100-ON Series Switches

BiasF commented 5 years ago

Note: N1100-ON Series actually doesn't support MAB with EAP-PAP, so you have to enable MD5 in PacketFence.

nqb commented 5 years ago

Thanks for this detailed report, we will update docs.
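
A config audit for the port settings discussed in this thread, as an added example that is not part of the issue or of PacketFence: it flags ports that enable `mab` without `default mab pap`, and ports whose voice or unauth VLAN is missing from the allowed list. The function names, the sample config, the `interface ... exit` block layout and the VLAN membership check are assumptions of this example.

```python
import re

# Constructed sample (not from a real switch): Gi1/0/1 follows the posted settings.
SAMPLE_CONFIG = """\
interface Gi1/0/1
switchport general allowed vlan add 17,100,150,200,205,930-931,999
dot1x unauth-vlan 931
mab
default mab pap
switchport voice vlan 205
exit
interface Gi1/0/2
switchport general allowed vlan add 17,100
mab
switchport voice vlan 205
exit
"""

def expand_vlans(spec):
    """Expand a VLAN list such as '17,930-931' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_ports(config):
    """Return {interface: [findings]}; assumes each interface block ends with 'exit'."""
    findings, port, lines = {}, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            port, lines = line.split(None, 1)[1], []
        elif line == "exit" and port:
            issues = []
            prefix = "switchport general allowed vlan add "
            specs = [l[len(prefix):] for l in lines if l.startswith(prefix)]
            allowed = set().union(*map(expand_vlans, specs))
            # Per the issue: without 'default mab pap' the switch uses EAP-MD5 for MAB.
            if "mab" in lines and "default mab pap" not in lines:
                issues.append("mab without 'default mab pap' (MAB uses EAP-MD5)")
            for l in lines:
                m = re.match(r"(switchport voice vlan|dot1x unauth-vlan) (\d+)$", l)
                if m and int(m.group(2)) not in allowed:
                    issues.append(f"VLAN {m.group(2)} ({m.group(1)}) not in allowed list")
            if issues:
                findings[port] = issues
            port = None
        elif port:
            lines.append(line)
    return findings
```

On N1100-ON switches the first finding does not apply, since the follow-up comment states that series does not support MAB with EAP-PAP.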