June 12th, 2012 20:00
PowerConnect 5548 switches not attempting RADIUS authentication
Recently set up two PowerConnect 5548.
The goal is to use Windows Server 2008 R2's Network Policy Server along with certificates and a domain group to restrict access to the network ports to domain members (those with certificates) in the group. So far, absolutely no RADIUS-related traffic is generated from the PowerConnect switches to the Network Policy Server. The switch's IP address (192.168.56.71) has been added as a RADIUS client with a generated key.
Set IP to 192.168.56.71
Added RADIUS server 192.168.56.84, set default Source IP to 192.168.56.71 and added the matching key.
Enabled Port Based Authentication with RADIUS as Authentication Method
Set a single port (gi2/0/25) Port Based Authentication to be Authorized, which works perfectly fine since it is forcing the port to be Authorized.
If I change the port's Port Based Authentication setting to Auto, it immediately changes to be Unauthorized, and I can see from a packet capture on the Network Policy Server that no traffic is ever received from the switch.
The switch can ping the NPS server just fine.
I've seen conflicting posts about whether certificates are supported by PowerConnect switches, but no attempt is made by the switches to connect to the Network Policy Server, so there must be some other settings that I missed.
DELL-Willy M
802 Posts
0
June 13th, 2012 11:00
55xx-Stack-LabNet(config)# aaa authentication
  dot1x     Define authentication method lists for port usage.
  enable    Define authentication method lists for accessing
            higher privilege levels.
  login     Define authentication method lists for accessing lower
            privilege levels.
Is this how you are defining the port?
55xx-Stack-LabNet(config)# aaa authentication dot1x default radius
Here is a helpful document related to RADIUS configuration.
http://www.dell.com/downloads/global/products/pwcnt/en/3424_radius_auth_using_msserver.pdf
Hope this helps,
Keep us updated if you can.
puckstopper
4 Posts
1
July 25th, 2012 14:00
russellmohio,
I was able to get the 5548's working with PEAP and self-signed certs (using the IIS tools) pushed out to clients in a GPO and selecting the IAS servers in the network card properties under the Trusted Root Certificate Authorities with validate server cert checked off and computer auth mode only and ISA rules based on domain computer accounts. If you're installing the IAS certs manually on a client, there is a trick getting them to install properly on the clients, as importing the certificates puts them in the user cert store by default.
My experience (and it was painful) was that if the switch is not contacting the radius server then the clients themselves are rejecting the cert setup.
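Added example, not part of any post in this thread: for the packet-capture step in the original question, a Python check that takes a UDP payload captured on the NPS server and reports whether it is a RADIUS packet from the switch and whether its Message-Authenticator (required on requests carrying EAP, RFC 3579) verifies under the configured shared key. The sample packet, shared secret and identity are constructed, and the check assumes the switch includes a NAS-IP-Address attribute.

```python
import hashlib, hmac, ipaddress, struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
NAS_IP, EAP_MESSAGE, MESSAGE_AUTH = 4, 79, 80  # attribute types (RFC 2865 / RFC 3579)

def parse_radius(payload):
    """Decode an RFC 2865 packet; return None if it is not well-formed RADIUS."""
    if len(payload) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if code not in CODES or not 20 <= length <= len(payload):
        return None
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if pos + 2 > length or payload[pos + 1] < 2 or pos + payload[pos + 1] > length:
            return None
        atype, alen = payload[pos], payload[pos + 1]
        attrs.append((atype, pos + 2, payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES[code], "id": ident, "raw": payload[:length], "attrs": attrs}

def triage(payload, secret, expected_nas):
    """Classify one captured UDP payload against the expected switch and shared key."""
    pkt = parse_radius(payload)
    if pkt is None:
        return "not RADIUS"
    nas = [ipaddress.IPv4Address(v) for t, _, v in pkt["attrs"] if t == NAS_IP and len(v) == 4]
    if ipaddress.IPv4Address(expected_nas) not in nas:
        return "RADIUS, but not from the expected NAS"
    mauth = [(off, v) for t, off, v in pkt["attrs"] if t == MESSAGE_AUTH and len(v) == 16]
    if not mauth:
        return "no Message-Authenticator"
    off, sent = mauth[0]
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    zeroed = pkt["raw"][:off] + bytes(16) + pkt["raw"][off + 16:]
    good = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "key matches" if hmac.compare_digest(sent, good) else "key mismatch"

def build_sample(secret, nas="192.168.56.71"):
    """Constructed Access-Request carrying an EAP-Response/Identity (sample data only)."""
    ident = b"host/pc1.example"  # constructed identity
    eap = struct.pack("!BBHB", 2, 1, 5 + len(ident), 1) + ident
    attrs = bytes([NAS_IP, 6]) + ipaddress.IPv4Address(nas).packed
    attrs += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    attrs += bytes([MESSAGE_AUTH, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    print(triage(build_sample(key), key, "192.168.56.71"))
```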