PowerConnect 5324 + 802.1x port security

Thank you very much for looking into this for me!  What you said is 100% correct.  802.1x works if the user is already logged into XP.

I know for a fact that the exact same setup works on other switches (For example, Cisco).  We have the XP systems setup properly to send the machine auth, but it looks like it never gets past the switch.

Hi


I am looking into this for you, I will get back to you. Just to confirm, if a user is already logged into XP, PEAP-MSCHAP-V2 802.1X authenticates the user sucessfully but you want the machine to be authenicated via PEAP before the user is prompted to login to the domain?

Thanks

Hi

I have found out why this is failing. PowerConnect switches currently only support 802.1X EAP-MD5 authentication, and because machine authentication requires a certificate its not going to work. We are planning to add PEAP support to the PC5324 switch in a firmware release which is due around the June time frame.

Sorry I cannot be of any further help.

Regards

Hi, The problem is that PowerConnect does not support PEAP at all, even if your using PEAP MSCHAPv2 it will not work. The only method of 802.1X authentication currently supported is EAP-MD5.

Sorry..


Rgds

Ok, I hate to contradict you but we have the PowerConnect working with PEAP (MSCHAPv2).  When a user is logged into the system, it is possible for them to authenticate to the switch fine with their username/password NOT using MD5.  The computers are configured for PEAD (MSCHAPv2) as well as our backend RADIUS server, which is Microsoft IAS.  This works fine. 

Ok...interesting. I am trying to get PEAP MSCHAPv2 working on my test setup but its failing, and thats without machine authentication. If I test using EAP-MD5 it works straight away. Can you PM me some details on your IAS setup, primarily what settings do you have configured on your remote access policys and your connection request policys.

Also, I am assuming that once a user authenticates you are able to see the username listed if you execute "show dot1x users" on the switch?


Thanks

just trying to get this setup on my IAS server but for some reason even after installing the server certificate on the IAS server when configuring PEAP it cannot find the cert...will keep working on it.

On test #2 below, is the computer authenticated before anyone logs in (i.e. when the computer is sitting at the login screen)?  Do you see that the computer account is the one that authenticated when viewing the switch administrator?

I think that what you are seeing is the system is automatically sending your Windows username/password to the IAS server AFTER you have logged in (because you have selected the option to use Windows login name and password automatically).  I do not believe that in this case, the computer account has been used for authentication.

Tom

Hi

Ok found out what the problem was with my certs. Basically I needed to rebuild the CA as a Enterprise root rather than a stand-alone root and that works. I have been testing this today and I can authenticate as computer.

Test1:

Laptop - Win XP SP2, Local logon.

Authenticate as computer enabled
Automatically use windows logon disabled
Reboot
After I have logged on locally I am prompted for credentials
DOT1X Authentication Successfull.

Test2:

Laptop - Win XP SP2, Domain Logon

Authenticate as computer enabled
Automatically use windows logon ENABLED
Reboot
Logon to laptop with domain username & password
DOT1X Authentication Successfull


Can you try the above tests and report back your results for comparison.

Thanks

yes your right..its the user account being used. If I just let the machine sit at the logon prompt then no authentication happens. I am going to have to get in contact with development and ask if machine authentication is possible.