May 14th, 2013 09:00

PowerConnect 5448, Windows Server 2008 R2

Hello from France,

One of my projects for a customer is to create secure authentication via 802.1X. I chose to use FreeRADIUS.

But the customer didn't want to integrate a Linux solution.

So I switched to Microsoft Windows Server 2008 R2 and NPS. I set up two solutions.

First, NAP. That solution works without any problems.

But the second, configuring the Dell PowerConnect device to authenticate via Active Directory, is not working. I found and tried many how-tos on the web, but none of them is compliant with my device.

Has anyone deployed this solution with Microsoft's NAP? Is there a POC from Dell that would allow me to solve it?

Thanks for your help

Théo

5 Practitioner • 274.2K Posts

May 17th, 2013 10:00

I have been looking through the information here, and I am not seeing anything that we can change in the switch configuration. Everything works fine until we add the Windows RADIUS into the mix. With Wireshark you are even seeing the request make it to the server, but then the server never sent a packet back to authenticate the user and the switch timed out for authentication and logged it as rejected.

5 Practitioner • 274.2K Posts

May 14th, 2013 12:00

What does the configuration on the switch look like?

What firmware is the switch currently at?

One thing to look for is to see if dot1x legacy-supp-mode is enabled. If it is, then NAP won’t authenticate successfully.

I have not personally set this up before, but I can certainly help look through the configuration and see if we can spot some suggested changes.

Cheers.

5 Posts

May 14th, 2013 14:00

Hello Daniel,

Thanks for your questions.

The switch is running this firmware:

SW version    2.0.0.46 ( date  14-Apr-2011 time  13:10:53 )

My RADIUS configuration:

radius-server host 172.168.16.1 key Testing123 usage login
aaa authentication enable EN_RADIUS radius enable
aaa authentication login AUTH_RADIUS radius local
line ssh
login authentication AUTH_RADIUS
enable authentication EN_RADIUS
exit

My server configuration:

I used this how-to: http://www.darylhunter.me/blog/2010/06/dell-powerconnect-radius-windows-server-2008-nps.html

Log on the switch:

14-May-2013 21:58:50 :%AAA-W-REJECT: New ssh connection for user usertest, source 192.168.2.200 destination 192.168.5.234  REJECTED

Logs on the NPS:

"MS-AD","IAS",05/14/2013,21:58:09,1,"usertest",,,,,,,"192.168.5.234",,0,"192.168.5.234","Powerconnect4448",,,,,,,,,0,"311 1 172.168.16.1 05/07/2013 12:09:50 23",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

"MS-AD","IAS",05/14/2013,21:58:09,3,,,,,,,,,,0,"192.168.5.234","Powerconnect4448",,,,,,,,,49,"311 1 172.168.16.1 05/07/2013 12:09:50 23",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

For NAP, everything is OK: all computers on the domain are matched by the right rule. I can see it in the NPS log file, and I watched the RADIUS transaction with Wireshark.

Cheers
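The two NPS log lines quoted in the post above can be decoded field by field. The following Python is an added example, not part of the original thread: it assumes the lines are in NPS's database-compatible log format with Microsoft's documented field order and that a request and its reply carry the same Class value (as the two lines here do); the function names and the paraphrased reason-code texts are illustrative.

```python
import csv
import io

# Leading fields of the NPS database-compatible log format, in documented order
# (assumed to be the format of the lines in the post).
FIELDS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address",
    "NAS-Identifier", "NAS-IP-Address", "NAS-Port", "Client-Vendor",
    "Client-IP-Address", "Client-Friendly-Name", "Event-Timestamp",
    "Port-Limit", "NAS-Port-Type", "Connect-Info", "Framed-Protocol",
    "Service-Type", "Authentication-Type", "Policy-Name", "Reason-Code", "Class",
]
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}
# Paraphrased subset of the NPS reason codes.
REASON_CODES = {"0": "success", "16": "credentials mismatch",
                "48": "no matching network policy",
                "49": "no matching connection request policy"}

# The two NPS log lines from the post, trailing empty fields trimmed.
SAMPLE = '''"MS-AD","IAS",05/14/2013,21:58:09,1,"usertest",,,,,,,"192.168.5.234",,0,"192.168.5.234","Powerconnect4448",,,,,,,,,0,"311 1 172.168.16.1 05/07/2013 12:09:50 23"
"MS-AD","IAS",05/14/2013,21:58:09,3,,,,,,,,,,0,"192.168.5.234","Powerconnect4448",,,,,,,,,49,"311 1 172.168.16.1 05/07/2013 12:09:50 23"
'''


def parse_nps_log(text):
    """Map each complete log line onto the named leading fields."""
    rows = csv.reader(io.StringIO(text))
    return [dict(zip(FIELDS, row)) for row in rows if len(row) >= len(FIELDS)]


def explain_rejects(records):
    """Pair each Access-Reject with its Access-Request through the shared Class value."""
    users = {r["Class"]: r["User-Name"] for r in records
             if PACKET_TYPES.get(r["Packet-Type"]) == "Access-Request"}
    rejects = [r for r in records if PACKET_TYPES.get(r["Packet-Type"]) == "Access-Reject"]
    return [(users.get(r["Class"], "?"), r["Client-Friendly-Name"],
             REASON_CODES.get(r["Reason-Code"], "code " + r["Reason-Code"]))
            for r in rejects]


if __name__ == "__main__":
    for user, client, reason in explain_rejects(parse_nps_log(SAMPLE)):
        print(f"{user} via {client}: rejected, {reason}")
```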

5 Practitioner • 274.2K Posts

May 15th, 2013 06:00

Thank you for the extra information. The firmware looks to be up to date, which is good. To help me understand the issue better, I would like to clarify a couple things. With this configuration in place, your clients are able to authenticate on the port and have connectivity? The issue comes up when trying to SSH to the server itself to manage it? Or do I have this wrong?

Thanks

5 Posts

May 15th, 2013 08:00

Yes, when I try to log in to the switch over SSH with my AD account, the switch rejects my request.

Without RADIUS authentication, I can log in to the switch with SSH.

Log on the switch:

15-May-2013 16:38:44 :%AAA-I-CONNECT: User CLI session for user admin over ssh , source 192.168.5.254 destination  192.168.5.234 ACCEPTED

Before using the Microsoft solution, I had set up the FreeRADIUS solution, which worked fine.

I intend to use Wireshark to watch the RADIUS transaction between the switch and the server.

Thanks

5 Practitioner • 274.2K Posts

May 15th, 2013 09:00

Thank you for the extra clarification. Next, let's take a look at the output from the following show command.

Console# show authentication methods

On our 2008 server do we have the $enab15$  user created?

5 Posts

May 17th, 2013 02:00

# show authentication methods

Login Authentication Method Lists
----------------------------------
Console_Default     : None
Network_Default     : Local
console             : Local
RADIUS_LOG          : Radius   Local    Enable

Enable  Authentication Method Lists
----------------------------------
Console_Default     : Enable   None
Network_Default     : Enable
console             : Enable
RADIUS_EN           : Radius   Enable

Line           Login Method List         Enable Method List
-------        -----------------         -------------------
Console        Default                   console
Telnet         Default                   Default
SSH            RADIUS_LOG                console

http                : Local

On my Windows server, I have created the $enab15$ account.

With Wireshark I have a RADIUS request when I try to log in to my switch.

I think that Microsoft's RADIUS technology is not compliant with my switch.
