Unsolved
PowerConnect 5324 + 802.1x port security
I have a Dell PowerConnect 5324 with the newest firmware and boot code.
I am trying to get 802.1x port authentication working with a Microsoft IAS server running on Windows Server 2003. 802.1x port authentication functions normally on the 5324 if the user performs the authentication after they are already logged in to Windows XP. We are using PEAP (MSCHAPv2).
What we want working is machine authentication where the system authenticates to the switch and is provided network access before a user logs in. Microsoft Windows XP is capable of this type of 802.1x authentication by providing the computer name/password to IAS. It appears that the switch is getting confused by machine authentication where the username is of the form host/machine.domain.com.
I have a packet sniffer set up, and when machine authentication is attempted, no traffic is sent to the IAS server at all. When user authentication is used, everything works fine, as stated above.
Does anyone know if the 5324 supports machine based 802.1x auth?
tquinna
May 8th, 2006 14:00
Thank you very much for looking into this for me! What you said is 100% correct. 802.1x works if the user is already logged into XP.
I know for a fact that the exact same setup works on other switches (For example, Cisco). We have the XP systems setup properly to send the machine auth, but it looks like it never gets past the switch.
DELL-Adam N
May 8th, 2006 14:00
I am looking into this for you, I will get back to you. Just to confirm, if a user is already logged into XP, PEAP-MSCHAP-V2 802.1X authenticates the user successfully, but you want the machine to be authenticated via PEAP before the user is prompted to log in to the domain?
Thanks
DELL-Adam N
May 9th, 2006 07:00
I have found out why this is failing. PowerConnect switches currently only support 802.1X EAP-MD5 authentication, and because machine authentication requires a certificate it's not going to work. We are planning to add PEAP support to the PC5324 switch in a firmware release which is due around the June time frame.
Sorry I cannot be of any further help.
Regards
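The two posts above describe a sniffer on the supplicant's port that sees no RADIUS traffic, and an authenticator that only offers EAP-MD5 while the Windows supplicant wants PEAP. The following is an added example, not code from the thread or from Dell: a small decoder for EAPOL/EAP frames that shows where such a negotiation stops on the wire. It flags the `host/name.domain` identity form Windows uses for machine authentication (mentioned in the original post) and detects the case where the authenticator offers MD5-Challenge and the supplicant answers with a Legacy NAK asking for PEAP. The frames, MAC addresses, hostname and domain are constructed for illustration; they are not captured data.

```python
"""Decode 802.1X EAPOL/EAP frames and diagnose an EAP method mismatch.

Added example, not from the original thread. All frames below are built
by hand (constructed sample data), so the script runs offline.
"""
import struct

ETH_P_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0                      # EAPOL packet type carrying an EAP packet
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 3: "Legacy-NAK", 4: "MD5-Challenge",
            25: "PEAP", 26: "MSCHAPv2"}


def parse_eapol_frame(frame):
    """Parse Ethernet + EAPOL + EAP headers into a dict of the relevant fields."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_EAPOL:
        raise ValueError("not an EAPOL frame (ethertype 0x%04x)" % ethertype)
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    info = {"eapol_version": version, "eapol_type": eapol_type}
    if eapol_type != EAPOL_EAP_PACKET:
        return info                       # EAPOL-Start/Logoff/Key carry no EAP packet
    body = frame[18:18 + eapol_len]
    if len(body) < 4:
        raise ValueError("truncated EAP packet")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > len(body):
        raise ValueError("EAP length exceeds EAPOL body")
    info.update(code=code, code_name=EAP_CODE.get(code, "?"), id=ident)
    if code in (1, 2) and eap_len >= 5:   # only Request/Response carry a Type byte
        etype = body[4]
        data = body[5:eap_len]
        info["type"] = etype
        info["type_name"] = EAP_TYPE.get(etype, "type-%d" % etype)
        if etype == 1:
            info["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:                  # NAK lists the methods the peer is willing to use
            info["nak_desired"] = [EAP_TYPE.get(t, "type-%d" % t) for t in data]
    return info


def identity_kind(identity):
    """Windows sends host/name.domain for machine auth; anything else is treated as a user."""
    return "machine" if identity.lower().startswith("host/") else "user"


def diagnose(frames):
    """Walk frames in capture order and summarise the EAP negotiation."""
    findings = []
    offered = None
    for frame in frames:
        p = parse_eapol_frame(frame)
        if p["eapol_type"] != EAPOL_EAP_PACKET:
            continue
        if p["code"] == 2 and p.get("type") == 1:
            findings.append("supplicant identity %r (%s auth)"
                            % (p["identity"], identity_kind(p["identity"])))
        elif p["code"] == 1 and p.get("type") not in (None, 1):
            offered = p["type_name"]
            findings.append("authenticator offers %s" % offered)
        elif p["code"] == 2 and p.get("type") == 3:
            wanted = p["nak_desired"]
            findings.append("supplicant NAKs %s, wants %s" % (offered, ", ".join(wanted)))
            if offered == "MD5-Challenge" and "PEAP" in wanted:
                findings.append("method mismatch: authenticator offers only EAP-MD5 "
                                "but supplicant requires PEAP; no RADIUS exchange follows")
        elif p["code"] == 4:
            findings.append("EAP-Failure")
    return findings


def build_eapol(code, ident, etype=None, data=b""):
    """Build a constructed Ethernet + EAPOL + EAP frame (sample data, not captured)."""
    eap_len = 4 + (1 + len(data) if etype is not None else 0)
    eap = struct.pack("!BBH", code, ident, eap_len)
    if etype is not None:
        eap += bytes([etype]) + data
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    dst = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
    src = bytes.fromhex("001122334455")   # made-up MAC
    return dst + src + struct.pack("!H", ETH_P_EAPOL) + eapol


# Constructed exchange: switch asks for identity, machine identity comes back,
# switch offers MD5-Challenge, supplicant NAKs asking for PEAP, switch fails the port.
SAMPLE_EXCHANGE = [
    build_eapol(1, 1, 1),                                         # Request/Identity
    build_eapol(2, 1, 1, b"host/ws01.corp.example.com"),           # Response/Identity (hypothetical host)
    build_eapol(1, 2, 4, bytes([16]) + b"\x00" * 16),              # Request/MD5-Challenge (value-size + challenge)
    build_eapol(2, 2, 3, bytes([25])),                             # Response/Legacy-NAK, desires PEAP
    build_eapol(4, 2),                                             # Failure
]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_EXCHANGE):
        print(line)
```

Point the same decoder at real frames (e.g. raw bytes read from a pcap) and the interesting question is whether the supplicant's identity ever goes out as `host/...` and what the switch answers to it; a NAK followed by EAP-Failure with nothing on the RADIUS side is the signature of an authenticator and supplicant that do not share an EAP method.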
DELL-Adam N
May 9th, 2006 11:00
Sorry..
Rgds
DELL-Adam N
May 9th, 2006 12:00
Also, I am assuming that once a user authenticates you are able to see the username listed if you execute "show dot1x users" on the switch?
Thanks
tquinna
May 10th, 2006 12:00
On test #2 below, is the computer authenticated before anyone logs in (i.e. when the computer is sitting at the login screen)? Do you see that the computer account is the one that authenticated when viewing the switch administrator?
I think that what you are seeing is the system is automatically sending your Windows username/password to the IAS server AFTER you have logged in (because you have selected the option to use Windows login name and password automatically). I do not believe that in this case, the computer account has been used for authentication.
Tom
DELL-Adam N
May 10th, 2006 12:00
Ok, found out what the problem was with my certs. Basically I needed to rebuild the CA as an Enterprise root rather than a stand-alone root, and that works. I have been testing this today and I can authenticate as computer.
Test1:
Laptop - Win XP SP2, Local logon.
Authenticate as computer enabled
Automatically use windows logon disabled
Reboot
After I have logged on locally I am prompted for credentials
DOT1X Authentication Successful.
Test2:
Laptop - Win XP SP2, Domain Logon
Authenticate as computer enabled
Automatically use windows logon ENABLED
Reboot
Logon to laptop with domain username & password
DOT1X Authentication Successful
Can you try the above tests and report back your results for comparison.
Thanks