
May 7th, 2006 23:00

PowerConnect 5324 + 802.1x port security

I have a Dell PowerConnect 5324 with the newest firmware and boot code.
 
I am trying to get 802.1x port authentication working with a Microsoft IAS server running on Windows Server 2003.  802.1x port authentication functions normally on the 5324 if a user performs the authentication after a user is already logged into Windows XP.  We are using PEAP (MSCHAPv2).
 
What we want working is machine authentication where the system authenticates to the switch and is provided network access before a user logs in.  Microsoft Windows XP is capable of this type of 802.1x authentication by providing the computer name/password to IAS.  It appears that the switch is getting confused by machine authentication where the username is of the form host/machine.domain.com.
 
I have a packet sniffer set up, and when machine authentication is attempted, no traffic is sent to the IAS server at all.  When user authentication is used, everything works fine as stated above.
 
Does anyone know if the 5324 supports machine based 802.1x auth?

13 Posts

May 8th, 2006 14:00

Thank you very much for looking into this for me!  What you said is 100% correct.  802.1x works if the user is already logged into XP.

I know for a fact that the exact same setup works on other switches (For example, Cisco).  We have the XP systems setup properly to send the machine auth, but it looks like it never gets past the switch.

128 Posts

May 8th, 2006 14:00

Hi


I am looking into this for you, I will get back to you. Just to confirm: if a user is already logged into XP, PEAP-MSCHAP-V2 802.1X authenticates the user successfully, but you want the machine to be authenticated via PEAP before the user is prompted to log in to the domain?

Thanks

128 Posts

May 9th, 2006 07:00

Hi

I have found out why this is failing. PowerConnect switches currently only support 802.1X EAP-MD5 authentication, and because machine authentication requires a certificate it's not going to work. We are planning to add PEAP support to the PC5324 switch in a firmware release which is due around the June time frame.

Sorry I cannot be of any further help.

Regards

128 Posts

May 9th, 2006 11:00

Hi. The problem is that PowerConnect does not support PEAP at all; even if you're using PEAP MSCHAPv2 it will not work. The only method of 802.1X authentication currently supported is EAP-MD5.

Sorry..


Rgds

13 Posts

May 9th, 2006 11:00

Thanks again for looking into this.
 
One other thing I should mention:  Machine authentication does work with certificates, but it is also possible to have machine authentication work with the machine's username/password, identical to the way users authenticate.  This is the way we have it set up (using the machine's username/password and NOT certificates).  As I said before, this is functional on other switches (Cisco), so we know it works properly.  Is it at all possible the PowerConnect is confused by the format of the username provided by the computer (host/computer.domain.com)?  Would it be possible for you to check on this for me?
 
Thank you.

13 Posts

May 9th, 2006 12:00

Ok, I hate to contradict you, but we have the PowerConnect working with PEAP (MSCHAPv2).  When a user is logged into the system, it is possible for them to authenticate to the switch fine with their username/password, NOT using MD5.  The computers are configured for PEAP (MSCHAPv2), as is our backend RADIUS server, which is Microsoft IAS.  This works fine.

128 Posts

May 9th, 2006 12:00

Ok...interesting. I am trying to get PEAP MSCHAPv2 working on my test setup but it's failing, and that's without machine authentication. If I test using EAP-MD5 it works straight away. Can you PM me some details on your IAS setup, primarily what settings you have configured on your remote access policies and your connection request policies?

Also, I am assuming that once a user authenticates you are able to see the username listed if you execute "show dot1x users" on the switch?


Thanks

13 Posts

May 9th, 2006 13:00

On the remote access policies for IAS:
 
Policy Name: test
Policy Conditions: NAS-Port-Type matches "Ethernet"
Profile -> Authentication Tab -> no boxes checked -> EAP Button -> PEAP Selected -> Edit button -> Secure Password (EAP-MSCHAP v2) and the certificate issued is selected with the certificate of the IAS server
 
note: Only a certificate for the IAS server itself is required.
 
 
On the client:
For the NIC in question, PEAP is selected as the EAP type -> Properties button -> Secure password (EAP-MSCHAP v2) is selected as the Select Authentication Method
 
 
Thanks,
Tom
 
 
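The IAS policy above matches on NAS-Port-Type "Ethernet" and the thread's sniffer test hinges on whether any Access-Request carrying the host/machine.domain.com identity ever leaves the switch. As an added example (not code from the original thread, Dell or Microsoft), the following Python builds and decodes a minimal RADIUS Access-Request of the kind a switch forwards after the supplicant's EAP-Response/Identity, so you can see exactly which fields to look for in a capture: the User-Name attribute, the NAS-Port-Type value (15 = Ethernet, the value IAS compares against), the identity inside the EAP-Message attribute, and the RFC 3579 Message-Authenticator that must be present whenever EAP-Message is. The identity strings, the shared secret and the packet itself are constructed for illustration; the helper names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

# Added example: minimal RADIUS Access-Request builder/decoder for 802.1X.
# Constants are the IANA attribute numbers; identities and secret are made up.
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15          # what the IAS condition "Ethernet" matches
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def _avp(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identity, shared_secret, pkt_id=1, authenticator=None):
    """Build the Access-Request a switch sends after EAP-Response/Identity.
    Message-Authenticator (RFC 3579) is HMAC-MD5 keyed with the shared secret
    over the whole packet with that attribute's value zeroed."""
    authenticator = authenticator or os.urandom(16)
    ident = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, pkt_id,
                      5 + len(ident), EAP_TYPE_IDENTITY) + ident
    attrs = (_avp(ATTR_USER_NAME, ident)
             + _avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + _avp(ATTR_EAP_MESSAGE, eap)
             + _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, pkt_id,
                         20 + len(attrs)) + authenticator
    mac = hmac.new(shared_secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return [(type, offset_of_value, value)] for every attribute in packet."""
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        out.append((t, pos + 2, packet[pos + 2:pos + l]))
        pos += l
    return out


def verify_message_authenticator(packet, shared_secret, attrs):
    """Recompute HMAC-MD5 with the attribute value zeroed; constant-time compare."""
    for t, off, val in attrs:
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expect = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expect, val)
    return False   # RFC 3579 requires it whenever EAP-Message is present


def classify_identity(identity):
    """XP machine auth sends host/<fqdn>; user auth sends DOMAIN\\user or UPN."""
    if identity.startswith("host/"):
        return "machine"
    if "\\" in identity or "@" in identity:
        return "user"
    return "unknown"


def summarize(packet, shared_secret):
    """The fields worth checking in a capture of the switch-to-IAS traffic."""
    attrs = parse_attributes(packet)
    by_type = {}
    for t, _, v in attrs:
        by_type.setdefault(t, []).append(v)
    user_name = by_type[ATTR_USER_NAME][0].decode()
    eap = b"".join(by_type.get(ATTR_EAP_MESSAGE, []))
    eap_identity = None
    if len(eap) >= 5 and eap[0] == EAP_CODE_RESPONSE and eap[4] == EAP_TYPE_IDENTITY:
        eap_identity = eap[5:].decode()
    return {
        "user_name": user_name,
        "kind": classify_identity(user_name),
        "nas_port_type": struct.unpack("!I", by_type[ATTR_NAS_PORT_TYPE][0])[0],
        "eap_identity_matches": eap_identity == user_name,
        "message_authenticator_ok": verify_message_authenticator(packet, shared_secret, attrs),
    }


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed
    for ident in ("host/pc01.corp.example.com", "CORP\\tom"):
        print(summarize(build_access_request(ident, secret), secret))
```

If a capture taken during the boot-time window shows no Access-Request at all, the problem is on the switch or supplicant side before RADIUS is involved; if one appears with a host/ identity and IAS rejects it, the remote access policy (or the computer account's ability to log on) is the next thing to check. The Message-Authenticator check also tells you whether the shared secret in the switch matches the one configured for that RADIUS client in IAS.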

13 Posts

May 9th, 2006 13:00

I forgot to answer your other question:
 
Yes, within the switch administrator, I do see the username of the person who authenticates.
 
Incidentally, when authenticating in this way I have to enter the user as:
 
username: domain\username
password: password
domain:

128 Posts

May 10th, 2006 07:00

just trying to get this setup on my IAS server but for some reason even after installing the server certificate on the IAS server when configuring PEAP it cannot find the cert...will keep working on it.

13 Posts

May 10th, 2006 12:00

I could email you a document on how to set this up, if you like.

13 Posts

May 10th, 2006 12:00

On test #2 below, is the computer authenticated before anyone logs in (i.e. when the computer is sitting at the login screen)?  Do you see that the computer account is the one that authenticated when viewing the switch administrator?

I think that what you are seeing is the system is automatically sending your Windows username/password to the IAS server AFTER you have logged in (because you have selected the option to use Windows login name and password automatically).  I do not believe that in this case, the computer account has been used for authentication.

Tom

128 Posts

May 10th, 2006 12:00

Hi

Ok, found out what the problem was with my certs. Basically I needed to rebuild the CA as an Enterprise root rather than a stand-alone root and that works. I have been testing this today and I can authenticate as computer.

Test1:

Laptop - Win XP SP2, Local logon.

Authenticate as computer enabled
Automatically use windows logon disabled
Reboot
After I have logged on locally I am prompted for credentials
DOT1X Authentication Successful.

Test2:

Laptop - Win XP SP2, Domain Logon

Authenticate as computer enabled
Automatically use windows logon ENABLED
Reboot
Logon to laptop with domain username & password
DOT1X Authentication Successful


Can you try the above tests and report back your results for comparison.

Thanks

128 Posts

May 10th, 2006 13:00

Yes, you're right. It's the user account being used. If I just let the machine sit at the logon prompt then no authentication happens. I am going to have to get in contact with development and ask if machine authentication is possible.

13 Posts

May 10th, 2006 14:00

Thank you very much