Radius Authentication configuring switch x440 as a client in NPS-Windows Server 2008 Enterprise.

  • 24 February 2016
  • 28 replies
  • 2922 views

Good afternoon.
I am trying to accomplish Radius authentication, configuring switch x440 as a client in NPS-Windows Server 2008 Enterprise.
How should the settings on XOS and the NPS be configured?
We have already successfully used this for authenticating EOS switches.
Thank you for the support.

28 replies

Userlevel 7
I was also looking for that as I'd need to test it in my lab.

Here is an article that I've found - haven't tried it today as I ran out of time....

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-wit...
Userlevel 6
Hi Helio,

If you need to authenticate the users to get access to manage the switch, you can use the commands below for the switch:

configure radius mgmt-access primary server <server_ip> client-ip <switch_ip> {vr <vr_name>}
configure radius mgmt-access primary shared-secret <shared_secret>
enable radius mgmt-access

For NPS, you can find an example in the GTAC Knowledge link below:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Windows-2008-NPS-for-auth...
Hi, can you please send the document link again?
Hi Henrique,

The authentication is working, however the Active Directory user always gets RO permission. How can we get RW permission?
Is something similar to Filter-Id not needed, as used with EOS switches (Enterasys: version = 1: mgmt = rw)?

Thank you
Userlevel 7
So here is the article for mgmt access for the switch...

Service-Type = Administrative-User

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RADIUS-authentication-for...
Hi Ronald,

It is already configured as Service-Type = Administrative-User
See screenshot.



Thanks
Userlevel 7
Please take a look into this post - it includes a pdf link with screenshots of my working setup

https://community.extremenetworks.com/extreme/topics/microsoft-nps-server-vsa-configuration-for-extr...

Please double-check the settings and if it still doesn't work post a screenshot of the Windows event log message of the authentication - I'd like to see whether the right network policy is chosen.
Hi Ronald,

See screenshots.

Thanks

Screenshot 2

Screenshot 3

Screenshot 4

Screenshot 4

Hi Ronald,

Do you have some more help to give?
Did you check the screenshots?

Thank you
Userlevel 6
Jose,

VSA 201 (Extreme-CLI-Authorization) set to Enable in Screenshot 2 forces EXOS to send each command to the RADIUS server for checking it against a profile to see if the user is authorized to issue that command or not. This feature is only available with a modified FreeRadius server.

Either delete this VSA or set it to 0 (Disable).

What you need to include in your user profile is the default Radius attribute Service-Type set to Administrative...

Hi Daniel,
Removed the VSA.
The Service-Type attribute is set to Administrative, however it continues authenticating as user USER. How can I be authenticated as ADMIN?

Thanks..




Userlevel 6
Can you try using "RADIUS Standard" for Network Access Server Vendor in "Vendor Specific Attribute Information" window instead of 1916 (Extreme vendor ID)?

Also, use "Administrative" attribute as mentioned by Daniel.
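
Added example (not part of the original thread and not Extreme's or Microsoft's code): a small Python check that decodes a captured Access-Accept and reports the two attributes the replies above discuss, the standard Service-Type and Extreme VSA 201 under vendor ID 1916. Attribute numbers 6 and 26 and the Administrative value 6 are the RFC 2865 values; the 4-byte integer encoding of VSA 201, the function names and the sample packet are assumptions made for this example.

```python
import struct

ACCESS_ACCEPT = 2                # RADIUS packet code (RFC 2865)
ATTR_SERVICE_TYPE = 6            # standard attribute
ATTR_VENDOR_SPECIFIC = 26        # standard VSA container
SERVICE_TYPE_ADMINISTRATIVE = 6
EXTREME_VENDOR_ID = 1916         # vendor ID quoted in the thread
EXTREME_CLI_AUTHORIZATION = 201  # VSA number quoted in the thread (integer encoding assumed)

def attributes(packet: bytes):
    """Yield (type, value) pairs; the Response Authenticator is not verified."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # code(1) + id(1) + length(2) + authenticator(16)
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def audit(packet: bytes) -> dict:
    """Report the authorization attributes the replies above discuss."""
    out = {"service_type": None, "cli_authorization": None}
    for atype, value in attributes(packet):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            out["service_type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            # Walk the vendor sub-attributes: type(1) + length(1) + data
            while vendor == EXTREME_VENDOR_ID and len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if sub[0] == EXTREME_CLI_AUTHORIZATION and sub[1] == 6:
                    out["cli_authorization"] = struct.unpack("!I", sub[2:6])[0]
                sub = sub[sub[1]:]
    out["administrative"] = (packet[0] == ACCESS_ACCEPT
                             and out["service_type"] == SERVICE_TYPE_ADMINISTRATIVE)
    out["per_command_authorization"] = bool(out["cli_authorization"])
    return out

def sample_accept(service_type: int, cli_authz=None) -> bytes:
    """Constructed Access-Accept with a zeroed authenticator, for offline use."""
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    if cli_authz is not None:
        vsa = struct.pack("!BBI", EXTREME_CLI_AUTHORIZATION, 6, cli_authz)
        attrs += struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), EXTREME_VENDOR_ID) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(audit(sample_accept(SERVICE_TYPE_ADMINISTRATIVE, cli_authz=1)))
```

Given the raw UDP payload of an Access-Accept taken from a packet capture on the NPS server, `audit()` shows which attributes the matched network policy actually returned.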
Hi Henrique,

Unsuccessful.

Any other suggestions?

Thanks
Userlevel 6
Hi Helio, just a confirmation.

Is Slot-1 the stack master node?

Can you please send a show stacking output?
Hi Henrique,

Yes, slot-1 is master node.

Userlevel 6
Helio,

Did you restart NPS server? Changes don't usually take effect until you restart the server.

To stop it, right click on the NPS server name and select Stop NPS Service.



To restart, do the same but now the option will say Start NPS Service.
Userlevel 6
Helio,

I've asked one of our SEs in Brazil to get in touch with you and help you sort this out.

Once it is running, please come back and tell us what the solution was, so other users can learn about it.
Hi Daniel,

We await contact from support in Brazil. We will inform you when we have the solution to the case.
Grateful for the attention.
Hi Helio,

Can you share your personal contact with me?
Please send it to gdrumond@extremenetworks.com.

Thanks,
Hi Guilherme,

Sent to your email.

Tks
Hi Daniel.

Using a RADIUS server linked to Active Directory only works by checking the option in the policy, as in the screen print.

Look:

https://gtacknowledge.extremenetworks.com/articles/Solution/RADIUS-Authorization-not-working-due-to-Windows-Active-Directory-account-restrictions/

Grateful for the attention of all.

Hello Helio,

In Active Directory, go to the user --> right-click on the user --> go to Properties --> go to the Dial-in tab --> check the "Allow access" radio button in the Network Access Permission section and click Apply and OK.

Hope it will be helpful.

Regards,
Manas Ranjan
+91 9619551266