tquinna
2 Bronze

PowerConnect 5324 + 802.1x port security

I have a Dell PowerConnect 5324 with the newest firmware and boot code.
 
I am trying to get 802.1x port authentication working with a Microsoft IAS server running on Windows Server 2003.  802.1x port authentication functions normally on the 5324 if a user performs the authentication after Windows XP is already logged into.  We are using PEAP (MSCHAPv2).
 
What we want working is machine authentication where the system authenticates to the switch and is provided network access before a user logs in.  Microsoft Windows XP is capable of this type of 802.1x authentication by providing the computer name/password to IAS.  It appears that the switch is getting confused by machine authentication where the username is of the form host/machine.domain.com.
 
I have a packet sniffer set up and when machine authentication is attempted, no traffic is sent to the IAS server at all.  When user authentication is used, everything works fine as stated above.
 
Does anyone know if the 5324 supports machine based 802.1x auth?
0 Kudos
22 Replies
DELL-Adam N
3 Argentum

Re: PowerConnect 5324 + 802.1x port security

Hi


I am looking into this for you; I will get back to you. Just to confirm, if a user is already logged into XP, PEAP-MSCHAP-V2 802.1X authenticates the user successfully but you want the machine to be authenticated via PEAP before the user is prompted to login to the domain?

Thanks
0 Kudos
tquinna
2 Bronze

Re: PowerConnect 5324 + 802.1x port security

Thank you very much for looking into this for me!  What you said is 100% correct.  802.1x works if the user is already logged into XP.

I know for a fact that the exact same setup works on other switches (for example, Cisco).  We have the XP systems set up properly to send the machine auth, but it looks like it never gets past the switch.

0 Kudos
DELL-Adam N
3 Argentum

Re: PowerConnect 5324 + 802.1x port security

Hi

I have found out why this is failing. PowerConnect switches currently only support 802.1X EAP-MD5 authentication, and because machine authentication requires a certificate it's not going to work. We are planning to add PEAP support to the PC5324 switch in a firmware release which is due around the June time frame.

Sorry I cannot be of any further help.

Regards
0 Kudos
tquinna
2 Bronze

Re: PowerConnect 5324 + 802.1x port security

Thanks again for looking into this.
 
One other thing I should mention:  Machine authentication does work with certificates, but it is also possible to have machine authentication work with the machine's username/password, identical to the way users authenticate.  This is the way we have it set up (using the machine's username/password and NOT certificates).  As I said before, this is functional on other switches (Cisco) so we know it works properly.  Is it at all possible the PowerConnect is confused by the format of the username provided by the computer (host/computer.domain.com)?  Would it be possible for you to check on this for me?
 
Thank you.
0 Kudos
DELL-Adam N
3 Argentum

Re: PowerConnect 5324 + 802.1x port security

Hi, the problem is that PowerConnect does not support PEAP at all; even if you're using PEAP MSCHAPv2 it will not work. The only method of 802.1X authentication currently supported is EAP-MD5.

Sorry..


Rgds
0 Kudos
tquinna
2 Bronze

Re: PowerConnect 5324 + 802.1x port security

Ok, I hate to contradict you but we have the PowerConnect working with PEAP (MSCHAPv2).  When a user is logged into the system, it is possible for them to authenticate to the switch fine with their username/password NOT using MD5.  The computers are configured for PEAP (MSCHAPv2) as well as our backend RADIUS server, which is Microsoft IAS.  This works fine.
0 Kudos
DELL-Adam N
3 Argentum

Re: PowerConnect 5324 + 802.1x port security

Ok...interesting. I am trying to get PEAP MSCHAPv2 working on my test setup but it's failing, and that's without machine authentication. If I test using EAP-MD5 it works straight away. Can you PM me some details on your IAS setup, primarily what settings do you have configured on your remote access policies and your connection request policies.

Also, I am assuming that once a user authenticates you are able to see the username listed if you execute "show dot1x users" on the switch?


Thanks
0 Kudos
tquinna
2 Bronze

Re: PowerConnect 5324 + 802.1x port security

On the remote access policies for IAS:
 
Policy Name: test
Policy Conditions: NAS-Port-Type matches "Ethernet"
Profile -> Authentication Tab -> no boxes checked -> EAP Button -> PEAP Selected -> Edit button -> Secure Password (EAP-MSCHAP v2) and the certificate issued is selected with the certificate of the IAS server
 
note: Only a certificate for the IAS server itself is required.
 
 
On the client:
For the NIC in question, PEAP is selected as the EAP type -> Properties button -> Secure password (EAP-MSCHAP v2) is selected as the Select Authentication Method
 
 
Thanks,
Tom
 
 
0 Kudos
tquinna
2 Bronze

Re: PowerConnect 5324 + 802.1x port security

I forgot to answer your other question:
 
Yes, within the switch administrator, I do see the username of the person who authenticates.
 
Incidentally, when authenticating in this way I have to enter the user as:
 
username: domain\username
password: password
domain:
0 Kudos
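
An added example, not part of any post in this thread: a small Python decoder for EAPOL frames of the kind a packet sniffer on the client side of the switch port would capture, showing the supplicant's Response/Identity (machine `host/...` versus user `domain\username`) and the EAP type carried in each Request. The sample frames are constructed from the identity strings quoted above, and the function names are this example's own.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 25: "PEAP"}

def parse_eapol(frame: bytes):
    """Decode the EAP packet carried in one Ethernet frame; None if not EAPOL/EAP."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    _version, pkt_type, body_len = struct.unpack_from("!BBH", frame, 14)
    if ethertype != EAPOL_ETHERTYPE or pkt_type != 0:  # 0 = EAP-Packet
        return None
    eap = frame[18:18 + body_len]
    if len(eap) < 4:
        return None
    code, ident, eap_len = struct.unpack_from("!BBH", eap, 0)
    if eap_len < 4 or eap_len > len(eap):  # truncated or malformed
        return None
    info = {"code": EAP_CODES.get(code, str(code)), "id": ident,
            "type": None, "identity": None, "kind": None}
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a type
        info["type"] = EAP_TYPES.get(eap[4], str(eap[4]))
        if code == 2 and eap[4] == 1:  # Response/Identity
            name = eap[5:eap_len].decode("utf-8", "replace")
            info["identity"] = name
            # Machine identities in this thread have the form host/machine.domain.com
            info["kind"] = "machine" if name.lower().startswith("host/") else "user"
    return info

def build_frame(code, ident, eap_type, data):
    """Build a constructed EAPOL frame for the samples below (not a real capture)."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    eth = bytes.fromhex("0180c2000003" "020000000001") + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", 1, 0, len(eap)) + eap

SAMPLES = [  # constructed frames using the identity formats quoted in the thread
    build_frame(2, 1, 1, b"host/machine.domain.com"),
    build_frame(2, 1, 1, b"domain\\username"),
    build_frame(1, 2, 25, b"\x20"),             # PEAP request with the Start flag set
    build_frame(1, 2, 4, b"\x10" + bytes(16)),  # MD5-Challenge request
]

def summarize(frames):
    """Return (code, type, identity, kind) for every EAP frame in the list."""
    rows = []
    for frame in frames:
        info = parse_eapol(frame)
        if info:
            rows.append((info["code"], info["type"], info["identity"], info["kind"]))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLES):
        print(row)
```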