
GS108T port authentication with 802.1x problem

polecats
Aspirant

Recently I bought a couple of GS108T switches that I'm supposed to use together with 802.1x authentication.

I set up a PKI structure that worked well and used NPS (Network Policy Server) on Win 2k8 to manage the 802.1x.

It didn't work, and after a while, when I had tried, tried and tried again, I decided to call the Netgear support here in Sweden. I asked them how long the PKI keys for the certificates can be (2048 or 4096-bit or something like that). They started a case and now I got an answer:

"Notes added by 30002
GS108T and all smart switches only allow port authentication using MD5
Certificate based port authentication is not supported.

To have support you need managed switch"


Now two questions:

1) Isn't GS108T a managed switch?

2) I know certificates aren't supported, which are the options that I can use instead for 802.1x? Please give me some examples/ideas 🙂

Thanks!

/Calle
Message 1 of 8

Accepted Solutions
polecats
Aspirant

Re: GS108T port authentication with 802.1x problem

NogNeetMachinaal wrote:
Hello,

What settings did you use on all three for making this work?
For now, I would settle for EAP-MD5.


Grtz - Will


You have to unlock EAP-MD5 in 2008 Server and then choose it in Network Policy Server as authentication option.

http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64...

I think they have removed it in Server 2008 R2 though.

Message 8 of 8

All Replies
beisser
Aspirant

Re: GS108T port authentication with 802.1x problem

polecats wrote:
Recently I bought a couple of GS108T switches that I'm supposed to use together with 802.1x authentication. I set up a PKI structure that worked well and used NPS (Network Policy Server) on Win 2k8 to manage the 802.1x. It didn't work, and after a while, when I had tried, tried and tried again, I decided to call the Netgear support here in Sweden. I asked them how long the PKI keys for the certificates can be (2048 or 4096-bit or something like that). They started a case and now I got an answer: "Notes added by 30002 GS108T and all smart switches only allow port authentication using MD5 Certificate based port authentication is not supported. To have support you need managed switch" Now two questions: 1) Isn't GS108T a managed switch? 2) I know certificates aren't supported, which are the options that I can use instead for 802.1x? Please give me some examples/ideas :) Thanks! /Calle
you can use md5 instead of certificates (md5 is way less secure of course). the only switches that support eap (what you want to use) are the big 7000 series switches.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
Message 2 of 8
fordem
Mentor

Re: GS108T port authentication with 802.1x problem

No - the GS108T is not a managed switch, it's what's called a SmartSwitch, in that it has limited management capabilities, rather than being fully managed. It is also significantly cheaper.

I've only used 802.1x authentication in a wireless environment so I can't assist with the second question.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 3 of 8
polecats
Aspirant

Re: GS108T port authentication with 802.1x problem

Thanks for the replies.

It's only the FSMxxxx switches that support EAP certificates? (where the "M" in FSM stands for managed)

There is NO information about this in the specification pages or any of the manuals for both the GS108T and the FS728TS switches. How am I able to figure this out before purchasing? The specs say "IEEE 802.1x".

Now I have 7 GS108T and 2 FS728TS, that I'm not sure that I can use together with Server 2008 Network Policy Server... Can I?

Big problem right now...
Message 4 of 8
polecats
Aspirant

Re: GS108T port authentication with 802.1x problem

beisser wrote:
you can use md5 instead of certificates (md5 is way less secure of course).

the only switches that support eap (what you want to use) are the big 7000 series switches.


Isn't MD5 Challenge an EAP part?
Which MD5 auth am I supposed to use?

Thanks.
Message 5 of 8
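
Added example, not part of the original thread: in RFC 3748, MD5-Challenge is EAP method type 4, listed alongside certificate-based EAP-TLS (type 13). The sketch below names the method carried in an EAP packet and performs the check an authentication server makes for EAP-MD5; the helper names, sample packets and password are constructed for illustration.

```python
import hashlib
import hmac
import struct

# EAP method type numbers from RFC 3748 and the IANA EAP registry.
EAP_METHODS = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eap(packet: bytes) -> dict:
    """Parse an EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "method": None, "value": b""}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        mtype, data = packet[4], packet[5:length]
        info["method"] = EAP_METHODS.get(mtype, f"type {mtype}")
        if mtype == 4:  # MD5-Challenge: Value-Size, Value, optional Name
            if not data or data[0] > len(data) - 1:
                raise ValueError("truncated MD5-Challenge value")
            info["value"] = data[1:1 + data[0]]
    return info

def md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style response (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_eap(code: int, ident: int, mtype: int, value: bytes) -> bytes:
    """Build an MD5-Challenge Request/Response (used for the constructed samples)."""
    data = bytes([mtype, len(value)]) + value
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def server_accepts(request: bytes, response: bytes, password: bytes) -> bool:
    """The server-side check: recompute the hash and compare in constant time."""
    req, resp = parse_eap(request), parse_eap(response)
    methods_ok = req["method"] == resp["method"] == "MD5-Challenge"
    if not methods_ok or req["id"] != resp["id"]:
        return False
    expected = md5_response(req["id"], password, req["value"])
    return hmac.compare_digest(expected, resp["value"])

# Constructed sample exchange (not captured from a real network).
CHALLENGE = bytes(range(16))
REQUEST = build_eap(1, 7, 4, CHALLENGE)
RESPONSE = build_eap(2, 7, 4, md5_response(7, b"example-password", CHALLENGE))
```

Only the password is secret in this exchange: the identifier, challenge and response are all visible on the link, and the server never proves its identity to the client, which is what separates EAP-MD5 from the certificate-based methods.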
polecats
Aspirant

Re: GS108T port authentication with 802.1x problem

OK, I'm back.

Now I've got the EAP-MD5 auth to work Win2k8Srv - GS108T - XP client. The problem is that you can't save the password. This means that when you've restarted the client you cannot log on as domain user, the port hasn't been authorized. This seems like a big limitation... gaaah. Does anyone have a solution?

I can't understand why cert isn't an option for the switch.
Message 6 of 8
NogNeetMachinaa
Aspirant

Re: GS108T port authentication with 802.1x problem

polecats wrote:
OK, I'm back. Now I've got the EAP-MD5 auth to work Win2k8Srv - GS108T - XP client.
Hello, What settings did you use on all three for making this work? For now, I would settle for EAP-MD5. Grtz - Will
Message 7 of 8