
06/17/2010

Comments


p_e_allen

That is awesome information... Thanks for sharing.

BH

Regarding the 62xx issue. (this also applies to the Dell M6220, M6348, M8024, 8024F, 8024)

No issues with their switch configuration.

However, they did authenticate, but not administratively. I believe their root issue is with the RADIUS server user configuration. They are using Cisco-AV-Pairs to configure the user’s administrative rights (shell:priv-lvl=15). These devices do not support Cisco-AV-Pairs. Instead you must use ‘Service-Type = Administrative’ to assign a user admin level 15 rights (or ‘Service-Type = NAS Prompt’ for user level 1). We had our network device vendor clarify this in their Configuration Guide, but Cisco-AV-Pairs do work with other Dell products, so this invites confusion.

DW Hunter

BH - thanks for stopping by.

I cannot get this to work with "Service-Type = Administrative" giving a user admin level 15 rights.

It authenticates with the > prompt (and not the # prompt), which means the user is not given level 15.

I've spent many weeks on it and just cannot get a 62xx to get level 15 access.

I've tried ST = Login and ST = Administrative both with and without the Cisco-AV-Pairs string text.

Can you reference any specific setup - including screen shots - that successfully has a 62xx and Server 2008 NPS (not Server 2003 IAS) talking RADIUS? I cannot find one. My calls to Dell support have not been helpful either.

Thanks,

--DW

Eggman

With my work on implementing RADIUS on the Dell 5224 switch, I have found that the switch has an 8-character password limitation (as do the Dell 32xx series switches).

With the default password complexity requirements in Active Directory, if your user passwords are over 8 characters long you will get authentication failures as the 5224 will truncate the passwords down to 8 digits. You will see the authentication failure in the system event log as "username/password incorrect" (or something to that effect).

Either you have to change the password complexity requirements in AD to suit the 5224's 8-character password limitation (highly undesirable), or just realize the 5224 is an old dinosaur and should be replaced with something newer. I chose the latter.

DW Hunter

Hey Eggman--

That's great info re: the 8-character password limitation. I've run into that as well. Thanks for sharing that.

--DW

Howard F

So did anyone get 6248 and/or 8024 working with a Windows 2008R2 NPS implementation?

DW Hunter

Howard--

Yes! This post was updated in August with what you needed to accomplish. Scroll up to the few paragraphs above the comments. This was resolved with a proper understanding of the $enab15$ username.

--DW

Ron U

Has anyone tried 54xx, NPS with Port Authentication? We're having some odd issues with clients not being able to reconnect.

Joe Keglovitz

Been banging my head against this for HOURS and just did the $enab15$ username trick. Thanks for the tip.

John Ball

Following this guide wasn't the end for me. I also had to add a "Connection Request Policy" which pretty much mimicked the settings that you provided in this guide. Once I added a policy under connection request policies, all of our domain admins were able to authenticate. Thank you so much for getting us headed in the right direction. I was lost without it!

Zulzig

So did anyone get 5448 working with a Windows 2008R2 NPS implementation?

Don H

Thanks for the great post.
FYI, I ran into an issue with my PowerConnect 6224, 3.3.13.1, VxWorks 6.5. The RADIUS key length could only be 48 characters or shorter to a 2008R2 NPS. The RADIUS server would accept the incoming request but kept saying the user failed authentication.

And make sure to reload the switch after initial RADIUS setup. Everything started working better after a reload.
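The distinction BH draws above (a Cisco-AV-Pair VSA versus a plain Service-Type attribute) can be checked on the wire when troubleshooting what NPS actually returns. The decoder below is an added example, not code from this post or from Dell or Microsoft: it walks the attributes of a RADIUS Access-Accept and reports which mechanism is present. The packets are constructed inline with a zeroed authenticator, and the `powerconnect_level` field is an assumption that simply models BH's description of the 62xx (Administrative grants 15, anything else leaves 1).

```python
import struct

# RADIUS attribute numbers (RFC 2865) and the values BH's comment contrasts
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAMES = {1: "Login", 6: "Administrative", 7: "NAS-Prompt"}
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # Cisco-AVPair vendor sub-attribute

def build_access_accept(ident, attrs):
    """Assemble an Access-Accept (code 2) from (type, value_bytes) pairs.
    Constructed test data: the 16-byte authenticator is zeroed, not computed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + bytes(16) + body

def cisco_avpair(text):
    """Encode a Cisco-AVPair VSA value: 4-byte vendor id + sub-attribute TLV."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return struct.pack("!I", CISCO_VENDOR_ID) + sub

def iter_attributes(packet):
    """Yield (type, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, packet[pos + 2:pos + length]
        pos += length

def authorization_summary(packet):
    """Report which admin-level mechanisms an Access-Accept carries."""
    summary = {"service_type": None, "cisco_avpairs": [], "powerconnect_level": 1}
    for t, v in iter_attributes(packet):
        if t == SERVICE_TYPE and len(v) == 4:
            code = struct.unpack("!I", v)[0]
            summary["service_type"] = SERVICE_TYPE_NAMES.get(code, str(code))
            # Assumed 62xx behaviour per BH: only Administrative yields level 15
            if code == 6:
                summary["powerconnect_level"] = 15
        elif t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            sub_type, sub_len = v[4], v[5]
            if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR:
                summary["cisco_avpairs"].append(v[6:4 + sub_len].decode())
    return summary

# Constructed sample: NPS sends only the Cisco-AVPair (the setup that fails on a 62xx)
AVPAIR_ONLY = build_access_accept(1, [(VENDOR_SPECIFIC, cisco_avpair("shell:priv-lvl=15"))])
# Constructed sample: Service-Type = Administrative (what the 62xx honours)
ADMIN_ST = build_access_accept(2, [(SERVICE_TYPE, struct.pack("!I", 6))])
```

Feed it the attribute bytes from a packet capture of the NPS reply to see whether the switch is being offered a Service-Type at all.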

