Dot1x with DELL IDRAC

I am having issues configuring dot1x/MAB for my Dell iDRACs and was hoping to find some support for doing this. I currently have the iDRACs failing authentication in the RADIUS Live Logs, meaning that my policy set could be set incorrectly. I have my iDRACs set up in an Endpoint Identity Group, but I still cannot get MAB to take over.

Does anyone have experience doing this with the Dell iDRACs?

6 Replies

This should be just a standard MAB transaction, like any other endpoint. Does your switch and switchport config work for other MAB endpoints? What is the NAD?

Can we see your SW config?

Hi,

In general, NAC is used in the access layer, i.e. for end users. It's not usually used for servers unless there are special uses.

iDRACs don't have a dot1x supplicant, so they should be using MAB. If the iDRAC has a static IP rather than DHCP, the dACL won't be applied, because device tracking can't get the IP address from DHCP. It will try to get it using ARP, which will take time until an ARP update is requested, which can take 4 hours.

Hi @Mohammed al Baqari

I get your point, but device tracking should send an ARP probe in order to get an IP-to-MAC mapping. For sure, device tracking has various configurations on different switch platforms.

@JackFlannery9379 can you please share the interface configuration from the switch port where the iDRAC is connected?

Also, as you said your iDRAC devices are failing authentication, do they get an Access-Reject response? If that's true, then you must review your policies and make sure that you used the proper Identity Group options in your MAB authorization policy.

Regardless of static IP or not, an 802.1X/MAB request should get an Access-Accept if your policy is configured correctly.

Thank you, Panos.

+5 @Panos Bouras

What you mentioned is correct in theory but not always in practice. When the ARP probes are sent to devices with static IPs (like iLO or iDRAC), the source IP is 0.0.0.0. Even though the source should not be relevant, these devices won't respond. This is a known issue:

https://www.cisco.com/c/en/us/support/docs/ip/address-resolution-protocol-arp/118630-technote-ipdt-00.html
https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2018/pdf/BRKDGT-2601.pdf

There are workarounds in the above link, but they don't necessarily work on all switches. Hence my response. Devices with DHCP enabled are fine because the source of tracking will be DHCP; for static IPs it will be an issue. It might be a different problem, so let's see the config. But when a static IP was mentioned, it popped into my head at first glance.
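To make the discussion above concrete, here is an added example (not from any of the replies, and not Cisco's or Dell's own configuration) of a classic Cisco IOS 15.x access port set up for a supplicant-less endpoint such as an iDRAC, with the IPDT probe workaround from the referenced technote. The interface, VLAN, RADIUS server address and shared secret are assumed placeholders.

```text
! Added example: MAB-first access port for a Dell iDRAC (no 802.1X supplicant)
! Cisco IOS 15.x classic syntax; interface, VLAN, RADIUS address and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! IPDT workaround for static-IP endpoints (iDRAC, iLO): probe from a non-zero source
! address instead of 0.0.0.0 so the endpoint answers, and delay the probe so it is not
! sent while the link is still coming up. Without this, a dACL pushed by ISE cannot be
! bound to the endpoint's IP until an ARP entry is learned some other way.
ip device tracking
ip device tracking probe delay 10
ip device tracking probe auto-source fallback 0.0.0.1 255.255.255.0 override
!
interface GigabitEthernet1/0/10
 description Dell iDRAC - MAB only, no 802.1X supplicant
 switchport mode access
 switchport access vlan 100
 authentication host-mode single-host
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! Verification once the iDRAC is connected:
!   show authentication sessions interface GigabitEthernet1/0/10 details
!   show ip device tracking interface GigabitEthernet1/0/10
```

Two things to check against the thread: first, `show authentication sessions ... details` shows whether the session was authorized by MAB and which dACL, if any, was applied, so an Access-Reject in ISE Live Logs and a missing dACL on an otherwise accepted session are visibly different problems. Second, the `ip device tracking ...` commands are the legacy IPDT syntax; on IOS XE 16.x the feature is SISF-based `device-tracking`, where the equivalent workaround is `device-tracking tracking auto-source fallback 0.0.0.1 255.255.255.0 override`.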

thomas (Cisco Employee)

You have not provided any specifics about the ISE error messages, your authorization rules, the network device or its configuration, so it is hard to provide suggestions.

Please see ISE Secure Wired Access Prescriptive Deployment Guide for best practice wired configuration examples.

Also see How to Ask The Community for Help.
