Archive for the ‘PC6248’ Category

2008R2 RADIUS Authentication for Dell PowerConnect 6248

May 20, 2012

First, let me cite my source, which was not only an excellent resource for Dell PowerConnect/RADIUS in general, but also mentioned specific gotchas to be aware of on the PC62xx series switches: http://www.darylhunter.me/blog/2010/06/dell-powerconnect-radius-windows-server-2008-nps.html

Now let’s get into the details.

1) Configure the PowerConnect 6248 for RADIUS at the CLI

# Create a local admin account as a backup, if you don’t already have one. Level 15 = Admin.
username “nwadmin” password cf414d8908ca45e77fd2402e10a077f0 level 15 encrypted

# Create a login authentication list for RADIUS, and specify that authentication is checked against RADIUS first, then the local database
aaa authentication login “RADIUSLIST” radius local

# Configure the first RADIUS server
radius-server host auth 10.0.0.2
  name “Default-RADIUS-Server”
  timeout 5
  usage login
  key “<Shared Key Here>”
exit

# Configure the secondary RADIUS server
# Scratch that. Nothing works if I have a second server listed. Need to investigate, as we need redundancy.
#radius-server host auth 10.0.0.5
# name “Default-RADIUS-Server”
# timeout 5
# usage login
# key “<Shared Key Here>”
#exit

# Configure Telnet logins to use the RADIUSLIST specified above
line telnet
login authentication RADIUSLIST
exit

# Configure SSH logins to use the RADIUSLIST specified above
line ssh
login authentication RADIUSLIST
exit

# Configure HTTP/HTTPS logins to use RADIUS first, then local
ip http authentication radius local
ip https authentication radius local

# Enable the SSH server. Don’t forget you also have to generate/enable the host keys.
ip ssh server
ip ssh pubkey-auth

You CAN create “enable” authentication lines alongside the “login” ones if you wish, but there are some extra hoops to jump through. Personally, my preference is that if you have access to the device, then you get to configure it; the extra “enable” password is just a pain. I understand why it is there, but in my environment it’s not needed. Every line above that shows “login” would be duplicated with “enable”, except that you don’t get to specify the enable password locally: Dell has the switch look for a special account that must exist in AD, $enab15$. The source I was using (http://www.darylhunter.me/blog/2010/06/dell-powerconnect-radius-windows-server-2008-nps.html) goes into detail on this towards the bottom (near “after much head banging”). You’ll see the lookup in your NPS logs looking something like:

"NW-DC2","IAS",05/20/2012,01:39:52,3,,"NETWISE\$enab15$",,,,,,,,0,"10.0.0.99","NW-PC6248S1",,,,,,,1,,16,"311 1 10.0.0.2 05/20/2012 07:02:28

That’s it. Nothing else to do on the Dell CLI for me.
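The log line above can be picked apart programmatically. As an added example (not from the original post), the Python below parses NPS records in the database-compatible comma-separated layout that the line appears to use, decodes the RADIUS packet type, and flags the $enab15$ lookups so you can see when a switch is asking RADIUS for enable access; the column positions are assumed from the shape of the line above, and the sample records are constructed.

```python
import csv
import io

# 0-based column positions in the NPS database-compatible log format
# (assumed from the layout of the line quoted in the post).
COMPUTER, SERVICE, DATE, TIME, PACKET_TYPE, USER, FQ_USER = range(7)
CLIENT_IP, CLIENT_FRIENDLY_NAME = 15, 16
AUTH_TYPE, POLICY_NAME, REASON_CODE = 23, 24, 25

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",   # RFC 2865 codes
                "3": "Access-Reject", "4": "Accounting-Request"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "5": "EAP"}              # NPS Authentication-Type

def parse_nps_line(line):
    """Return the fields we care about from one comma-separated NPS record."""
    row = next(csv.reader(io.StringIO(line)))
    row += [""] * (REASON_CODE + 1 - len(row))     # pad truncated records
    return {
        "nps_server": row[COMPUTER],
        "timestamp": f"{row[DATE]} {row[TIME]}",
        "packet": PACKET_TYPES.get(row[PACKET_TYPE], row[PACKET_TYPE]),
        "user": row[FQ_USER] or row[USER],         # domain-qualified form when NPS resolved it
        "client_ip": row[CLIENT_IP],
        "client": row[CLIENT_FRIENDLY_NAME],       # the friendly name given in step 2
        "auth": AUTH_TYPES.get(row[AUTH_TYPE], row[AUTH_TYPE]),
        "reason_code": row[REASON_CODE],           # "0" on success, otherwise an NPS reason code
    }

def enable_lookups(lines):
    """Records where a switch asked RADIUS about the magic $enab15$ account.
    Repeated rejects here mean 'enable' is being tried against RADIUS while
    the AD account the switch expects does not exist (the gotcha in the text)."""
    return [r for r in map(parse_nps_line, lines) if r["user"].endswith("$enab15$")]

def rejects_by_client(lines):
    """Count Access-Rejects per RADIUS client friendly name, a cheap per-switch
    misconfiguration or password-guessing indicator."""
    counts = {}
    for r in map(parse_nps_line, lines):
        if r["packet"] == "Access-Reject":
            counts[r["client"]] = counts.get(r["client"], 0) + 1
    return counts

# Constructed sample records laid out like the post's log line (not real logs).
SAMPLE_LOG = [
    '"NW-DC2","IAS",05/20/2012,01:39:52,1,"jdoe","NETWISE\\jdoe",,,,,,,,0,"10.0.0.99","NW-PC6248S1",,,,,,,1,,,',
    '"NW-DC2","IAS",05/20/2012,01:39:52,2,,"NETWISE\\jdoe",,,,,,,,0,"10.0.0.99","NW-PC6248S1",,,,,,,1,"PowerConnect",0,',
    '"NW-DC2","IAS",05/20/2012,01:39:52,3,,"NETWISE\\$enab15$",,,,,,,,0,"10.0.0.99","NW-PC6248S1",,,,,,,1,,16,"311 1 10.0.0.2 05/20/2012 07:02:28"',
]

if __name__ == "__main__":
    for rec in enable_lookups(SAMPLE_LOG):
        print(rec)
    print(rejects_by_client(SAMPLE_LOG))
```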

2) Create an NPS RADIUS Client

Log in to the NPS server and open NETWORK POLICY MANAGER from the Administrative Tools menu. Expand all the options.

Right click on RADIUS CLIENTS and click NEW:

Create the RADIUS client with the information below:

FRIENDLY NAME = whatever you like, probably the hostname. ADDRESS is the IP address or DNS name of the device, your choice. Select MANUAL for the shared secret and type in your <SHARED_SECRET>; this is the same shared secret you entered on the PowerConnect 6248 CLI at the beginning. Click OK to finish the config.

3) Create a new NPS Network Policy.

Right click on POLICIES -> NETWORK POLICY and click NEW

Give your policy a useful name. You probably only need the one policy for all Dell PowerConnect devices. However, if you have a large mix, they might need separate policies per device type or class.

Click NEXT

ADD a Condition:

Our condition is going to be WINDOWS GROUP. Click ADD.

On the WINDOWS GROUPS screen, click ADD GROUPS.

Enter the name of your group, click CHECK NAMES, then ADD.

Your group might be Domain Admins. It might be a separate group. I’ve chosen “RADIUS – PowerConnect” so I can have different levels of RADIUS authentication based on switches, core switching if I had them, firewalls, etc.

Click OK. Click OK.

Let’s add another condition. Click ADD. Select the condition “CLIENT FRIENDLY NAME” and click ADD.

Enter the client friendly name. I use the HOSTNAME of the device. Click OK.

With our group and our device set as conditions, we can click NEXT.

We do want access. Click NEXT.

The only one that matters is to ensure that PAP is checked. Click NEXT.

Yup, NPS warns you that PAP is unencrypted and that’s very bad, we get it. Click NO.

No constraints, we’re good. Click NEXT.

Select FRAMED-PROTOCOL and then SERVICE-TYPE, clicking REMOVE for each.

Now click ADD:

Choose SERVICE-TYPE and click ADD:

Change OTHERS to ADMINISTRATIVE and click OK:

Click CLOSE.

Click on VENDOR SPECIFIC. Then click ADD:

Choose NAME=CISCO-AV-PAIR and VENDOR=CISCO. Apparently Dell chose to use the Cisco options when creating their OS. Click ADD.

The ATTRIBUTE INFORMATION window will pop up. Click ADD.

Enter the string “shell:priv-lvl=15” to give Administrator level permissions. Click OK.

Click OK, Click OK, Click CLOSE.

Click NEXT to get to the COMPLETING screen:

Click FINISH.

At this point, you should be able to log in to the PowerConnect 6248 using your domain credentials.

Soon, I’m hoping to have similar documents up for:

Categories: Dell, PC6248, PowerConnect, RADIUS

Recovering a Dell PowerConnect 6248 from bad flash

May 13, 2012

I took an opportunity to try to get my switches configured for my home lab yesterday, which ended up taking me down a rabbit hole. It would appear I had the original firmware loaded and the folks I bought the switches from had never upgraded. As I’ve recently done a number of PowerConnect deployments, I figured this would be a quick effort: upgrade to v2.x, then v3.x, and go about my day.

Boy was I wrong.

I did manage to get to v2.1.1.4, but upon trying to load v3.3.3.3, my primary switch indicated that the flash had errors. So of course I retried, which gave me the same error, just as persistently. Then I started digging. In no particular order, here is what I learned through the day:

  • This is not all that uncommon.  A colleague of mine has had to do this a few times when power failures had corrupted the existing flash.
  • The PC62xx series has a “secret” boot menu, which allows some more direct diagnostics.
  • Through the normal boot menu, you can test and reformat the flash. Through the “secret” menu, you can also perform chkdsk and recreate the image1/image2 flash areas on the disk.
  • PuTTY doesn’t have XMODEM. My heart broke a little when my go-to tool let me down. TeraTerm, however, is a free alternative that works with XMODEM!
  • If you’re connected to the switch at 9600,8,n,1 and trying to upload over XMODEM, you MIGHT want to change the baud to 115,200. It’s been so long since I did anything serially that I forgot about this the first time, and it took 3.5 hours to upload. The same colleague (thanks Rick Byrne!) mentioned above also pointed out there is an XMODEM/1K option in TeraTerm that helps make it go faster: ultimately less than 15 minutes.
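To show why the baud rate and the 1K option matter so much, here is an added example (not from the post) that builds CRC-mode XMODEM frames, the framing the bootloader asks for when it prints its 'C' poll while waiting, and estimates the wire time for both block sizes; the 7 MiB image size and the 20 ms per-block turnaround are assumptions, not the real .stk size.

```python
# XMODEM framing and a wire-time estimate: 128-byte blocks at 9600 baud
# take hours, XMODEM/1K at 115,200 baud takes minutes.
SOH, STX, EOT = 0x01, 0x02, 0x04   # 128-byte frame, 1K frame, end of transfer

def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def xmodem_frames(image: bytes, block_size: int = 128) -> list:
    """Split an image into CRC-mode XMODEM frames:
    header, block#, 255-block#, payload padded with 0x1A, 2-byte CRC."""
    header = STX if block_size == 1024 else SOH
    frames = []
    for offset in range(0, len(image), block_size):
        blk = (offset // block_size + 1) & 0xFF            # starts at 1, wraps after 255
        payload = image[offset:offset + block_size].ljust(block_size, b"\x1a")
        frame = bytes([header, blk, 0xFF - blk]) + payload
        frames.append(frame + crc16_xmodem(payload).to_bytes(2, "big"))
    frames.append(bytes([EOT]))
    return frames

def transfer_seconds(image_len: int, block_size: int, baud: int,
                     turnaround: float = 0.02) -> float:
    """Approximate wire time: every byte costs 10 bits at 8N1, each frame is
    answered by a one-byte ACK, and the receiver needs some time (assumed
    20 ms) to verify and store each block before it ACKs."""
    n_frames = -(-image_len // block_size)                     # ceiling division
    wire_bytes = n_frames * (block_size + 5) + n_frames + 1    # frames + ACKs + EOT
    return wire_bytes * 10 / baud + n_frames * turnaround

if __name__ == "__main__":
    size = 7 * 1024 * 1024        # assumed image size, not the real .stk size
    for blk, baud in ((128, 9600), (1024, 115200)):
        print(f"{blk}-byte blocks at {baud} baud: "
              f"{transfer_seconds(size, blk, baud) / 60:.0f} minutes")
```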

This link http://en.community.dell.com/support-forums/network-switches/f/866/t/19252166.aspx ultimately has a pretty decent walkthrough of the process on the switch. The steps are:

  • Power-Cycle and boot into the Boot Code menu
  • Select Option 6 to Run Flash Diagnostics for 123 sectors – takes about 3 minutes, twice.
  • Power-Cycle and boot into the Boot Code menu
  • It will format the flash, and ask you for the MAC and S/T of the switch – which should be on a sticker on the back of the unit.
  • Select Option 30 (not listed) and enter the password “pc62xxkinnick” to gain access to the DevShell
    • Select Option 15 and enter creat(‘image1’,2) with single quotes and no “e” on create.
    • Select Option 15 and enter creat(‘image2’,2) with single quotes and no “e” on create.
  • Power-Cycle and boot into the Boot Code menu
  • Select Option 2 and change the baud rate to 115,200.  Immediately after doing so,  you’ll need to do the same in TeraTerm so that you can continue your session.
  • Select Option 4 to download via XMODEM, and select XMODEM/1K
  • When you see the CKCKCKCK starting at the bottom, click FILE –> TRANSFER –> XMODEM –> SEND. Check off the 1K radio button at the bottom and select your file. The console indicates it is waiting for XCODE.BIN, but your file can keep its own name (e.g. PC6200v3.3.3.3.stk); XCODE.BIN is just the name it receives the file under. When it unpacks it, verifies it and writes it to flash, it names it correctly.
  • When that is complete, at the Boot Menu, select Option 7 to Update Boot Code.  This will do so, and reset the switch(es).  Make sure you reset your term program to 9600 baud, or after it reboots and defaults back to 9600 baud, you will think you have an issue with the switches.

I wish I had some of the screenshots from my failure, as they would let me capture the exact wording so that if someone is having a similar problem in the future they might find my post. But via the above, I was able to get the switches up to v3.3.3.3. Switch 1 still has some issue with the Image1 area of the flash, but I can live with that for now.

Categories: Dell, Hardware, PC6248, PowerConnect