
2008R2 RADIUS Authentication for Dell PowerConnect 6248

First, let me cite my source, which was not only an excellent resource for Dell PowerConnect/RADIUS in general, but also mentioned specific gotchas to be aware of on the PC62xx series switches: http://www.darylhunter.me/blog/2010/06/dell-powerconnect-radius-windows-server-2008-nps.html

Now let’s get into the details.

1) Configure the PowerConnect 6248 for RADIUS at the CLI

# Create a local admin account as a backup, if you don't already have one. Level 15 = Admin.
username "nwadmin" password cf414d8908ca45e77fd2402e10a077f0 level 15 encrypted

# Configure a group for RADIUS, and specify that the order of authentication checking should be RADIUS, then Local
aaa authentication login "RADIUSLIST" radius local

# Configure the first RADIUS server
radius-server host auth <RADIUS Server IP Here>
name "Default-RADIUS-Server"
timeout 5
usage login
key "<Shared Key Here>"
exit

# Configure the secondary RADIUS server
# Scratch that. Nothing works if I have a second server listed. Need to investigate, as we need redundancy.
#radius-server host auth <Second RADIUS Server IP Here>
# name "Default-RADIUS-Server"
# timeout 5
# usage login
# key "<Shared Key Here>"
# exit

# Configure Telnet logins to use the RADIUSLIST specified above
line telnet
login authentication RADIUSLIST
exit

# Configure SSH logins to use the RADIUSLIST specified above
line ssh
login authentication RADIUSLIST
exit

# Configure HTTP/HTTPS logins to use RADIUS first, then local
ip http authentication radius local
ip https authentication radius local

# Enable SSH server, don't forget you have to enable the keys and such.
ip ssh server
ip ssh pubkey-auth

You CAN create lines for “enable” as well as “login” if you wish, but there are some extra hoops to jump through. Personally, my preference is that if you have access to the device, then you get to configure it; the extra “enable” password is just a pain. I understand why it is there, but in my environment it’s not needed. Any line above that shows “login” would be duplicated with “enable”, except that you don’t get to specify the password locally. Instead, it is handled by a special account, $enab15$, that must exist in AD and that the Dell switch looks for. This is covered in the source I was using (http://www.darylhunter.me/blog/2010/06/dell-powerconnect-radius-windows-server-2008-nps.html), which goes into detail towards the bottom (near “after much head banging”). You’ll see this in your NPS logs looking something like:

"NW-DC2","IAS",05/20/2012,01:39:52,3,,"NETWISE\$enab15$",,,,,,,,0,"","NW-PC6248S1",,,,,,,1,,16,"311 1 05/20/2012 07:02:28

That’s it. Nothing else to do on the Dell CLI for me.
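To pick entries like the NPS log line above out of a log file, here is an added example (not from the original post) that parses the leading columns and lists rejected `$enab15$` requests per switch. It assumes the column order of the NPS database-compatible log format; the function names, the sample lines and the 192.0.2.10 address are constructed for illustration.

```python
import csv

# Leading columns of the NPS database-compatible log format (assumed order, see lead-in).
FIELDS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code",
]
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}

# Constructed sample lines modelled on the post's entry (policy name and IP are made up).
SAMPLE_LOG = r'''
"NW-DC2","IAS",05/20/2012,01:39:52,1,"$enab15$","NETWISE\$enab15$",,,,,,"192.0.2.10",,0,"192.0.2.10","NW-PC6248S1",,,,,,,1,,0
"NW-DC2","IAS",05/20/2012,01:39:52,3,"$enab15$","NETWISE\$enab15$",,,,,,"192.0.2.10",,0,"192.0.2.10","NW-PC6248S1",,,,,,,1,,16
"NW-DC2","IAS",05/20/2012,01:41:07,2,"jdoe","NETWISE\jdoe",,,,,,"192.0.2.10",,0,"192.0.2.10","NW-PC6248S1",,,,,,,1,"PowerConnect Admins",0
'''


def parse_line(line):
    """Map one log line onto the named leading columns (extra columns are ignored)."""
    row = next(csv.reader([line]))
    rec = dict(zip(FIELDS, row))
    rec["Packet-Type-Name"] = PACKET_TYPES.get(rec.get("Packet-Type"), "other")
    return rec


def rejected_enable_lookups(lines, account="$enab15$"):
    """Return (switch, account, reason code) for each rejected enable-account request."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec.get("Fully-Qualified-Distinguished-Name") or rec.get("User-Name", "")
        if rec["Packet-Type-Name"] == "Access-Reject" and user.lower().endswith(account):
            hits.append((rec.get("Client-Friendly-Name"), user, rec.get("Reason-Code")))
    return hits
```

In the entry from the post, Packet-Type 3 is an Access-Reject, Authentication-Type 1 is PAP and Reason-Code 16 is the NPS credential-mismatch code.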

2) Create an NPS RADIUS Client

Log in to the NPS server, and open NETWORK POLICY MANAGER from the Administrator Tools menu. Expand all the options.

Right click on RADIUS CLIENTS and click NEW:


Create a POLICY with the information shown:


FRIENDLY NAME = whatever you like. Probably the hostname. ADDRESS is the IP Address or DNS name of the device – your choice. Select MANUAL for the Shared Secret and type in your <SHARED_SECRET>. This is the same shared secret you entered on the PowerConnect 6248 CLI at the beginning. Click OK to finish the config.

3) Create a new NPS Network Policy.


Right click on POLICIES -> NETWORK POLICY and click NEW

Give your policy a useful name. You probably only need the one policy for all Dell PowerConnect devices. However, if you have a large mix, they might need separate policies per device type or class.


Click NEXT

ADD a Condition:


Our condition is going to be WINDOWS GROUP. Click ADD.

On the WINDOWS GROUPS screen, click ADD GROUPS


Enter the name of your group and click check names, then ADD.


Your group might be Domain Admins. It might be a separate group. I’ve chosen “RADIUS – PowerConnect” so I can have different levels of RADIUS authentication based on switches, core switching if I had them, firewalls, etc.

Click OK. Click OK.

Let’s add another condition. Click ADD. Select the condition “CLIENT FRIENDLY NAME” and click ADD.


Enter the client friendly name. I use the HOSTNAME of the device. Click OK


With our group and our device, we can click NEXT


We do want access. Click NEXT.


The only setting that matters here is PAP: ensure that it is checked. Click NEXT.


Yup, that’s very bad, we get it. Click NO.


No constraints, we’re good. Click NEXT.


Select each of FRAMED-PROTOCOL and SERVICE-TYPE in turn and click REMOVE.


Now click ADD:


Choose SERVICE-TYPE and click ADD:





Click on VENDOR SPECIFIC. Then click ADD:


Choose NAME=CISCO-AV-PAIR and VENDOR=CISCO. Apparently Dell chose to use the Cisco options when creating their OS. Click ADD.


The ATTRIBUTE INFORMATION window will pop up. Click ADD.


Enter the string "shell:priv-lvl=15" to give Administrator level permissions. Click OK.


Click OK, Click OK, Click CLOSE.

Click NEXT to get to the COMPLETING screen:



At this point, you should be able to log in to the PowerConnect 6248 using your domain credentials.
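To check in a packet capture that the policy really returns the privilege level, here is an added example (not from the original post) of how the CISCO-AV-PAIR string configured above is carried on the wire: a RADIUS Vendor-Specific attribute (type 26, RFC 2865) with Cisco's vendor ID 9 and vendor type 1. The helper names and the sample attribute block are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for vendor-specific data
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor type 1 = Cisco-AV-Pair


def encode_cisco_avpair(value):
    """Build the Vendor-Specific attribute carrying one Cisco-AV-Pair string."""
    data = value.encode("ascii")
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def iter_tlvs(buf, offset=0):
    """Yield (type, value) for each type/length/value record in buf[offset:]."""
    while offset < len(buf):
        if offset + 2 > len(buf):
            raise ValueError("truncated attribute header")
        kind, length = buf[offset], buf[offset + 1]
        if length < 2 or offset + length > len(buf):
            raise ValueError("attribute length out of range")
        yield kind, buf[offset + 2:offset + length]
        offset += length


def cisco_avpairs(attributes):
    """Return every Cisco-AV-Pair string in a RADIUS attribute block."""
    pairs = []
    for kind, value in iter_tlvs(attributes):
        if kind != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pairs += [v.decode("ascii") for t, v in iter_tlvs(value, 4) if t == CISCO_AVPAIR]
    return pairs


def priv_level(attributes):
    """Privilege level granted by shell:priv-lvl=N, or None if absent."""
    for pair in cisco_avpairs(attributes):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None


# Constructed block: a Service-Type attribute (type 6; value 6 is an assumed sample), then the VSA.
SAMPLE = bytes([6, 6, 0, 0, 0, 6]) + encode_cisco_avpair("shell:priv-lvl=15")
```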

Soon, I’m hoping to have similar documents up for:

  1. Mat
    July 15, 2013 at 5:00 AM

    Yes – apparently Dell PowerConnect runs the same/similar base OS (Broadcom FASTPATH) and most of this guide works for (managed) Netgears too.

    You can also use Administrative-User which is vendor neutral and seems to work with both Netgear as well as FASTPATH-based PowerConnect switches. – YMMV depending on exact switch model and Firmware version.

    • July 15, 2013 at 10:55 AM

      Thanks for the extra detail, that’s very good to know! Where would one use this information? In the RADIUS Vendor Specific options?
