2008R2 RADIUS Authentication for Dell PowerConnect 6248

First, let me cite my source, which was not only an excellent resource for Dell PowerConnect/RADIUS in general, but also mentioned specific gotchas to be aware of on the PC62xx series switches: http://www.darylhunter.me/blog/2010/06/dell-powerconnect-radius-windows-server-2008-nps.html

Now let’s get into the details…

1) Configure the PowerConnect 6248 for RADIUS at the CLI

# Create a local admin account as a backup, if you don’t already have one. Level 15 = Admin.
username "nwadmin" password cf414d8908ca45e77fd2402e10a077f0 level 15 encrypted

# Configure an authentication list for RADIUS; the order of checking is RADIUS first, then local
aaa authentication login "RADIUSLIST" radius local

# Configure the first RADIUS server
radius-server host auth 10.0.0.2
name "Default-RADIUS-Server"
timeout 5
usage login
key "<Shared Key Here>"
exit

# Configure the secondary RADIUS server
# Scratch that. Nothing works if I have a second server listed. Need to investigate, as we need redundancy.
#radius-server host auth 10.0.0.5
#name "Default-RADIUS-Server"
#timeout 5
#usage login
#key "<Shared Key Here>"
#exit

# Configure Telnet logins to use the RADIUSLIST specified above
line telnet
login authentication RADIUSLIST
exit

# Configure SSH logins to use the RADIUSLIST specified above
line ssh
login authentication RADIUSLIST
exit

# Configure HTTP/HTTPS logins to use RADIUS first, then local
ip http authentication radius local
ip https authentication radius local

# Enable SSH server, don’t forget you have to enable the keys and such.
ip ssh server
ip ssh pubkey-auth

You CAN create lines for “enable” as well as “login” if you wish, but there are some extra hoops to jump through. Personally, my preference is that if you have access to the device, then you get to configure it; the extra “enable” password is just a pain. I understand why it is there, but in my environment it’s not needed. Any line above that shows “login” would be duplicated with “enable”, except that you don’t get to specify the enable password locally. Instead, the switch looks for a special account that must exist in AD: $enab15$. This comes from the source I was using (http://www.darylhunter.me/blog/2010/06/dell-powerconnect-radius-windows-server-2008-nps.html), which goes into detail towards the bottom (near “after much head banging”). You’ll see this in your NPS logs looking something like:

"NW-DC2","IAS",05/20/2012,01:39:52,3,,"NETWISE\$enab15$",,,,,,,,0,"10.0.0.99","NW-PC6248S1",,,,,,,1,,16,"311 1 10.0.0.2 05/20/2012 07:02:28

That’s it.  Nothing else to do on the Dell CLI for me.
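
An added example, not part of the original post: a Python script that parses NPS log records like the one quoted above and flags rejected $enab15$ enable attempts and logins accepted over PAP. The column positions assume Microsoft's documented database-compatible log layout, the function names are hypothetical, and the second sample record is constructed.

```python
import csv

# 0-based column positions in an NPS log record.
# Assumption: Microsoft's documented "database-compatible" column order.
COLS = {"server": 0, "date": 2, "time": 3, "packet_type": 4, "user": 6,
        "client_ip": 15, "client_name": 16, "auth_type": 23, "reason_code": 25}
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
AUTH_TYPE_PAP = "1"
ENABLE_USER = "$enab15$"  # account name the switch sends for "enable"

# First record: the one quoted in the post (its last field is cut off there).
# Second record: constructed for this example.
SAMPLE_LOG = [
    r'"NW-DC2","IAS",05/20/2012,01:39:52,3,,"NETWISE\$enab15$",,,,,,,,0,'
    r'"10.0.0.99","NW-PC6248S1",,,,,,,1,,16,"311 1 10.0.0.2 05/20/2012 07:02:28',
    r'"NW-DC2","IAS",05/20/2012,01:41:03,2,,"NETWISE\jdoe",,,,,,,,0,'
    r'"10.0.0.99","NW-PC6248S1",,,,,,,1,"PowerConnect",0,"311 1 10.0.0.2"',
]


def parse_record(line):
    """Return the named columns of one log record as a dict."""
    row = next(csv.reader([line]))
    rec = {name: (row[i] if i < len(row) else "") for name, i in COLS.items()}
    rec["packet_type"] = PACKET_TYPE.get(rec["packet_type"], rec["packet_type"])
    return rec


def findings(lines):
    """Flag rejected enable attempts and logins accepted over PAP."""
    out = []
    for line in lines:
        rec = parse_record(line)
        detail = (rec["user"], rec["client_name"], rec["reason_code"])
        if rec["packet_type"] == "Access-Reject" and rec["user"].endswith(ENABLE_USER):
            out.append(("enable-reject",) + detail)
        elif rec["packet_type"] == "Access-Accept" and rec["auth_type"] == AUTH_TYPE_PAP:
            out.append(("pap-accept",) + detail)
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(finding)
```
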

2) Create an NPS RADIUS Client

Log in to the NPS server, and open NETWORK POLICY MANAGER from the Administrator Tools menu. Expand all the options.

Right click on RADIUS CLIENTS and click NEW:

Create a POLICY with the information shown:

FRIENDLY NAME = whatever you like. Probably the hostname. ADDRESS is the IP Address or DNS name of the device – your choice. Select MANUAL for the Shared Secret and type in your <SHARED_SECRET>. This is the same shared secret you entered on the PowerConnect 6248 CLI at the beginning. Click OK to finish the config.

3) Create a new NPS Network Policy.

Right click on POLICIES -> NETWORK POLICY and click NEW

Give your policy a useful name. You probably only need the one policy for all Dell PowerConnect devices. However, if you have a large mix, they might need separate policies per device type or class.

Click NEXT

ADD a Condition:

Our condition is going to be WINDOWS GROUP. Click ADD.

On the WINDOWS GROUPS screen, click ADD GROUPS

Enter the name of your group and click check names, then ADD.

Your group might be Domain Admins. It might be a separate group. I’ve chosen “RADIUS – PowerConnect” so I can have different levels of RADIUS authentication based on switches, core switching if I had them, firewalls, etc.

Click OK. Click OK.

Let’s add another condition. Click ADD. Select the condition “CLIENT FRIENDLY NAME” and click ADD.

Enter the client friendly name. I use the HOSTNAME of the device. Click OK

With our group and our device, we can click NEXT

We do want access granted. Click NEXT.

The only setting that matters here is that PAP is checked. Click NEXT.

NPS warns that an insecure authentication method is selected and offers to open the Help topic. Yup, that’s very bad, we get it. Click NO.

No constraints, we’re good. Click NEXT.

Select each of FRAMED-PROTOCOL and SERVICE-TYPE and click REMOVE.

Now click ADD:

Choose SERVICE-TYPE and click ADD:

Change OTHERS to ADMINISTRATIVE and click OK:

Click CLOSE

Click on VENDOR SPECIFIC. Then click ADD:

Choose NAME=CISCO-AV-PAIR and VENDOR=CISCO. Apparently Dell chose to use the Cisco options when creating their OS. Click ADD.

The ATTRIBUTE INFORMATION window will pop up. Click ADD.

Enter the string "shell:priv-lvl=15" to give Administrator level permissions. Click OK.

Click OK, Click OK, Click CLOSE.

Click NEXT to get to the COMPLETING screen:

Click FINISH.

At this point, you should be able to log in to the PowerConnect 6248 using your domain credentials.
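
An added example, not part of the original post: the two attributes the policy from step 3 returns, Service-Type = Administrative and the Cisco-AVPair string, encoded and decoded as RADIUS attribute bytes so a packet capture can be checked against what the switch expects. It assumes the RFC 2865 type/length/value layout and Cisco's vendor ID 9; the function names are hypothetical.

```python
import struct

SERVICE_TYPE = 6      # RADIUS attribute type (RFC 2865)
ADMINISTRATIVE = 6    # Service-Type value "Administrative"
VENDOR_SPECIFIC = 26  # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9   # Cisco's IANA enterprise number
CISCO_AV_PAIR = 1     # vendor sub-type of Cisco-AVPair


def encode_service_type(value):
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)


def encode_cisco_avpair(text):
    data = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub


def decode_attributes(blob):
    """Walk the type/length/value attributes of a RADIUS packet body."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, value = blob[i], blob[i + 2:i + blob[i + 1]]
        if atype == SERVICE_TYPE and len(value) == 4:
            out.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype, vlen) == (CISCO_VENDOR_ID, CISCO_AV_PAIR, len(value) - 4):
                out.append(("Cisco-AVPair", value[6:].decode("ascii")))
            else:
                out.append(("Vendor-Specific", vendor))
        else:
            out.append((atype, value))
        i += blob[i + 1]
    return out


def privilege_level(attrs):
    """Return the shell privilege level granted by a Cisco-AVPair, or None."""
    for name, value in attrs:
        if name == "Cisco-AVPair" and value.startswith("shell:priv-lvl="):
            return int(value.split("=", 1)[1])
    return None


# The attributes configured in step 3, as they appear in an Access-Accept.
ACCEPT_ATTRS = encode_service_type(ADMINISTRATIVE) + encode_cisco_avpair("shell:priv-lvl=15")
```
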

Soon, I’m hoping to have similar documents up for:

  1. Mat
    July 15, 2013 at 5:00 AM

    Yes – apparently Dell PowerConnect run the same/similar base OS (Broadcom FASTPATH) and most of this guide works for (managed) Netgears too.

    You can also use Administrative-User which is vendor neutral and seems to work with both Netgear as well as FASTPATH-based PowerConnect switches. – YMMV depending on exact switch model and Firmware version.

    • July 15, 2013 at 10:55 AM

      Thanks for the extra detail, that’s very good to know! Where would one use this information? In the RADIUS Vendor Specific options?
