Radius Authentication configuring switch x440 as a client in NPS-Windows Server 2008 Enterprise.

  • Question
  • Updated 1 year ago
  • Answered
Good afternoon.
I am trying to accomplish RADIUS authentication, configuring switch x440 as a client in NPS-Windows Server 2008 Enterprise.
What should the settings on XOS and the NPS be?
We have already used it successfully for authenticating EOS switches.
Thank you for the support.

Helio Jose Erhardt

Posted 3 years ago


Ronald Dvorak, Embassador

I was also looking for that as I'd need to test it in my lab.

Here is an article that I've found - haven't tried it today as I ran out of time....

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-wit...

Henrique, Employee

Hi Helio,

If you need to authenticate the users to get access to manage the switch, you can use the commands below for the switch:

configure radius mgmt-access primary server <server_ipaddr> client-ip <client_ipaddr> {vr vr_name}
configure radius mgmt-access primary shared-secret <secret_key>
enable radius mgmt-access

For NPS, you can find an example in the GTAC Knowledge link below:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Windows-2008-NPS-for-auth...

Gowtham Elamurugan

Hi, can you please send the document link again?

Helio Jose Erhardt

Hi Henrique,

The authentication is working; however, the Active Directory user always gets RO permission. How can I get RW permission?
Doesn't it need something similar to Filter-Id, as used with EOS switches (Enterasys: version = 1: mgmt = rw)?

Thank you

Ronald Dvorak, Embassador

So here is the article for mgmt access for the switch...

Service-Type = Administrative-User

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-RADIUS-authentication-for...

Helio Jose Erhardt

Hi Ronald,

It is already configured as Service-Type = Administrative-User
See screenshot.

Thanks

Ronald Dvorak, Embassador

Please take a look into this post - it includes a pdf link with screenshots of my working setup

https://community.extremenetworks.com/extreme/topics/microsoft-nps-server-vsa-configuration-for-extr...

Please double-check the settings and if it still doesn't work post a screenshot of the Windows event log message of the authentication - I'd like to see whether the right network policy is chosen.

Helio Jose Erhardt

Hi Ronald,

See screenshots.

Thanks


Helio Jose Erhardt

Screenshot 2

Helio Jose Erhardt

Screenshot 3

Helio Jose Erhardt

Screenshot 4


Helio Jose Erhardt

Hi Ronald,

Do you have some more help to give?
Did you check the screenshots?


Thank you

Daniel Flouret, Employee

Jose,

VSA 201 (Extreme-CLI-Authorization) set to Enable in Screenshot 2 forces EXOS to send each command to the RADIUS server for checking it against a profile to see if the user is authorized to issue that command or not. This feature is only available with a modified FreeRadius server.

Either delete this VSA or set it to 0 (Disable).

What you need to include in your user profile is the default Radius attribute Service-Type set to Administrative...


Helio Jose Erhardt

Hi Daniel,

Removed the VSA.
The Service-Type attribute is set to Administrative; however, it continues to authenticate as user USER. How can I be authenticated as ADMIN?

Thanks..



Henrique, Employee

Can you try using "RADIUS Standard" for Network Access Server Vendor in "Vendor Specific Attribute Information" window instead of 1916 (Extreme vendor ID)?

Also, use "Administrative" attribute as mentioned by Daniel.

Helio Jose Erhardt

Hi Henrique,

Unsuccessful.

Any other suggestions?

Thanks


Henrique, Employee

Hi Helio, just a confirmation.

Is Slot-1 the stack master node?

Can you please send a show stacking output?

Helio Jose Erhardt

Hi Henrique,

Yes, slot-1 is the master node.

Daniel Flouret, Employee

Helio,

Did you restart NPS server? Changes don't usually take effect until you restart the server.

To stop it, right click on the NPS server name and select Stop NPS Service.



To restart, do the same but now the option will say Start NPS Service.

Daniel Flouret, Employee

Helio,

I've asked one of our SE's in Brazil to get in touch with you and help you sort this out.

Once it is running, please come back and tell us what the solution was, so other users can learn about it.

Helio Jose Erhardt

Hi Daniel,

We await contact from support in Brazil. We will inform you when we have the solution to the case.
Grateful for the attention.

Guilherme Drumond, Employee

Hi Helio,

Can you share your personal contact with me?
Please, send to gdrumond@extremenetworks.com.

Thanks,

Helio Jose Erhardt

Hi Guilherme,

Sent to your email.

Tks


Helio Jose Erhardt

Hi Daniel.


Using a RADIUS server linked to Active Directory only works by checking the option in the policy, as in the screen print.

Look:

https://gtacknowledge.extremenetworks.com/articles/Solution/RADIUS-Authorization-not-working-due-to-Windows-Active-Directory-account-restrictions/

Grateful for the attention of all.





MANAS BEHERA

Hello Helio,

In Active Directory, go to the user --> right-click on the user --> go to Properties --> go to the Dial-in tab --> check the radio button "Allow access" in the Network Access Permission section and click on Apply and OK.

Hope it will be helpful.

Regards, 
Manas Ranjan
+91 9619551266

Sean

I had the same problem with some new X460G2 running 16.1 but not X450A running 15.3.
I did not have the same problem in my lab, which uses freeradius running on a Raspberry Pi, so I sniffed the traffic with Wireshark and saw some vendor-specific stuff in the NPS reply that was not in the freeradius reply. I checked in NPS and it was set to service type admin (6), but I also saw it had vendor specific setting = Radius Standard. I removed this, so I now have no vendor-specific setting and it is good for firmware 15 and 16. It was annoying that this behaviour change between firmware versions was not documented in either the command guide or the concepts guide. I found nothing about using vendor-specific values and little about a Windows RADIUS server in these docs. I like freeradius, but it is not easy to set up to force users to change their own passwords regularly.
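
The reply comparison described in the last post can also be done offline on captured packet bytes. The following is an added example, not code from the thread or from Extreme: it parses a RADIUS reply per RFC 2865 and lists the Service-Type and any Vendor-Specific attributes. The two packets are constructed sample data; vendor ID 1916 and VSA 201 are the values mentioned in the thread, and the function names are hypothetical.

```python
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26   # RFC 2865 attribute types
ADMINISTRATIVE = 6                      # Service-Type value for admin login
ACCESS_ACCEPT = 2                       # RADIUS packet code

def parse_reply(packet: bytes) -> dict:
    """Decode Service-Type and Vendor-Specific attributes of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    out = {"code": code, "service_type": None, "vsas": []}
    pos = 20                            # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == SERVICE_TYPE and len(value) == 4:
            out["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]             # assumes the usual type/length/value sub-format
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                out["vsas"].append((vendor, sub[0], sub[2:sub[1]]))
                sub = sub[sub[1]:]
        pos += alen
    return out

def review(packet: bytes) -> list:
    """List what would matter for a switch management login."""
    r = parse_reply(packet)
    findings = []
    if r["code"] != ACCESS_ACCEPT:
        findings.append("not an Access-Accept")
    if r["service_type"] != ADMINISTRATIVE:
        findings.append("Service-Type is not Administrative (6)")
    for vendor, vtype, val in r["vsas"]:
        findings.append(f"VSA vendor={vendor} type={vtype} value={val.hex()}")
    return findings

def build(attrs: bytes) -> bytes:       # constructed sample packet, zeroed authenticator
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

ST_ADMIN = bytes([SERVICE_TYPE, 6]) + struct.pack("!I", ADMINISTRATIVE)
VSA_201 = bytes([VENDOR_SPECIFIC, 12]) + struct.pack("!I", 1916) + bytes([201, 6]) + struct.pack("!I", 1)
CLEAN, WITH_VSA = build(ST_ADMIN), build(ST_ADMIN + VSA_201)
if __name__ == "__main__": print(review(CLEAN), review(WITH_VSA))
```

An empty result from `review` means the reply carries Service-Type Administrative and no vendor-specific attributes, which is the state the last post reports as working on both firmware versions.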