topic Re: Dot1x with DELL IDRAC in Network Access Control

Dot1x with DELL IDRAC

JackFlannery9379 — Mon, 25 Jan 2021 18:40:33 GMT

I am having issues configuring dot1x/mab protocols for my DELL iDRACs. I was hoping to find some support for doing this. I currently have the idracs failing authentication in the RADIUS live logs, meaning that my policy set could be set incorrectly. I have my idrac's setup in an Endpoint Identity Group but I still cannot get the MAB protocol to take over.

Does anyone have experience doing this with the Dell iDRACs?

Re: Dot1x with DELL IDRAC

ahollifield — Mon, 25 Jan 2021 23:14:03 GMT

This should just a standard MAB transaction just like any other endpoint. Does your switch and switchport config work for other MAB endpoints? What is the NAD?

Re: Dot1x with DELL IDRAC

MHM Cisco World — Mon, 25 Jan 2021 23:26:55 GMT

can we see your SW config ?

Re: Dot1x with DELL IDRAC

Mohammed al Baqari — Tue, 26 Jan 2021 07:06:20 GMT

Hi,

In general, NAC is used in the access layer, i.e. end users. It's not used
usually in servers unless there are special uses.

IDRAC don't have dot1x supplicant. It should be using MAB. If the IDRAC is
having a static IP and not DHCP, the DACL won't be applied cuz device
tracking can't get the IP address using DHCP. It will try to get it using
ARP which will take time until ARP update is requested which can take 4
hours.

***** please remember to rate useful posts

Re: Dot1x with DELL IDRAC

Panos Bouras — Tue, 26 Jan 2021 16:08:27 GMT

Hi @Mohammed al Baqari

I get your point, but device tracking should send an ARP probe in order to get an IP to MAC tracking. For sure device tracking has various configurations under different switch platforms.

@JackFlannery9379can you please share the output of the interface configuration from the switch port where iDRAC is connected?

Also as you said your iDRAC devices are failing authentication meaning that the get an access denied response? If that's true then you must review your policies and make sure that you used the proper Identity group options under your MAB authorization policy.

Regardless of static IP or not, 802.1x/MAB request should get an access accept message if your policy is configured correctly.

Re: Dot1x with DELL IDRAC

thomas — Tue, 26 Jan 2021 23:05:28 GMT

You have not provided information about any specifics about ISE error messages, your authorization rules, what network device, network device configuration so it is hard to provide suggestions.

Please see ISE Secure Wired Access Prescriptive Deployment Guide for best practice wired configuration examples.

Also see How to Ask The Community for Help.

Re: Dot1x with DELL IDRAC

Mohammed al Baqari — Wed, 27 Jan 2021 06:19:20 GMT

+5 @Panos Bouras

What you mentioned is correct in theory but not always in practice. When
the ARP packets are sent to devices with static IPs (like ILO or iDRAC),
the source IP will be 0.0.0.0. Even though the source is not relevant,
these devices won't respond back. This is a known issue.

https://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2018/pdf/BRKDGT-2601.pdf

There are workarounds in the above link but they don't necessarily work on
all switches. Hence was my response. The devices with DHCP enabled are good
because the source of tracking will be DHCP. For static IPs will be an
issue. It might be a different problem so let's see the config. But when
static IP was mentioned, it popped in my head at first glance.

***** please remember to rate useful posts