PC5324, 2013, AAA, FreeRadius: Broken
I'm trying to set up my Dell Powerconnect switches to use RADIUS authentication for admins. The setup is a PC5324 with OS 2.0.1.3 (I've also tested 2.0.0.39 with the same results). Freeradius is working properly for all of my Cisco ASAs, switches and routers. I've followed the User guide (can recite the chapter nearly verbatim), this forum http://en.community.dell.com/support-forums/servers/f/866/p/17772599/17895585.aspx?PageIndex=1, this link from that thread http://www.dell.com/downloads/global/products/pwcnt/en/3424_radius_auth_using_msserver.pdf, and this third party page http://www.darylhunter.me/churchit/2010/06/dell-powerconnect-radius-windows-server-2008-nps.html. Everything produces the same weird result. For a valid user, Freeradius sends an ACCEPT packet but the switch rejects the authentication. What's weird is that in the log entry on the switch, it says it rejected "user MYPASSWORD", not "user MYUSER". For invalid users, freeradius sends a REJECT packet and the switch correctly says it rejected "user BADUSER". That's right, for bad authentication attempts the switch correctly lists the user that was rejected. However, for valid authentications (as confirmed by a radius debug AND by packet capture on the wire) the switch is still rejecting the authentication, but instead of listing the username it lists the user's password as the user name. That part at least has to be a bug, and I think it probably offers a clue to what is happening.
Oh yeah, this is the same for HTTP authentication too. Here are two logs; the first was REJECTed by radius, the second was ACCEPTed.
09-Oct-2000 11:05:07 :%AAA-W-REJECT: New telnet connection for user BADUSER, source 10.5.1.159 destination 192.168.0.9 REJECTED
09-Oct-2000 11:02:51 :%AAA-W-REJECT: New telnet connection for user GOODPASS, source 10.5.1.159 destination 192.168.0.9 REJECTED
Here's the freeradius user config:
GOODUSER Cleartext-Password := "GOODPASS"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"
Here's the switch config:
radius-server host 10.10.1.22 auth-port 1812
radius-server key MYSHAREDKEY
logging console errors
ip http authentication radius local
aaa authentication login default radius local
enable password level 15 6770b0d77f249ae1fde7ddf1b631691b encrypted
username username password 11be74726b6ed3efbedc743346e9355f level 15 encrypted
kirbini
September 20th, 2010 10:00
Found the problem. In firmware 2.0.x.x somewhere Dell changed what the switch expects for the Service-Type returned by RADIUS. For Powerconnect 1.0.x.x (and all Cisco IOS devices) you need this:
Service-Type = NAS-Prompt-User
However, for Powerconnect 2.0.x.x it needs to read:
Service-Type = Administrative-User
Don't know how to make this work with one user setting in freeradius though, sorry.
Dell, it would be nice to see this change reflected in a document somewhere. I've read lots of them in the last 3 days but did not come across this gem anywhere.
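One way to serve both Service-Type values from a single users file, as an added example that is not part of this thread: put a NAS-IP-Address check item on a first entry for the 2.0.x switches, and let a second, unconditional entry for the same user cover Cisco IOS and 1.0.x gear. Entries are tried in order and the first whose check items match decides the reply. The address 192.168.0.9 is taken from the switch log above, but the NAS-IP-Address the switch actually puts in its Access-Request is an assumption here; confirm it in the radiusd -X output before relying on it.

```text
# FreeRADIUS users file (raddb/users), constructed example.
# Check items live on the first line of an entry; reply items are on the
# indented lines that follow. The first entry whose check items all match
# wins, so the narrower (per-switch) entry must come first.

# PowerConnect on firmware 2.0.x: NAS-IP-Address is assumed to be the
# switch management address seen as "destination" in the switch log.
GOODUSER  Cleartext-Password := "GOODPASS", NAS-IP-Address == 192.168.0.9
          Service-Type = Administrative-User

# Everything else (Cisco IOS, PowerConnect 1.0.x): unchanged original reply.
# The password is repeated because each entry carries its own check items.
GOODUSER  Cleartext-Password := "GOODPASS"
          Service-Type = NAS-Prompt-User,
          cisco-avpair = "shell:priv-lvl=15"
```

Without Fall-Through = Yes on the first entry, a matching 2.0.x switch never reaches the second entry, so it does not also receive the NAS-Prompt-User reply.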