Re: GS748T no radius authentication
Hi
I have a Windows Server 2012 configured with NPS and it is working fine with WiFi access points.
I'm trying to configure my GS748T to authenticate EAP with the server. What I've done so far:
- Updated the firmware to the latest version
- Configured the Radius server settings in the switch (with and without a shared key) to the Windows Server IP address
- Configured the Accounting server
- Set the port connected to the server as Active
- Set Port Authentication to Enabled
- I've also tried VLANs
- Configured workstations through Group Policy to use Wired Network Policies (IEEE 802.3)
If I use a network monitor, I can see the switch trying to authenticate the Admin user when I turn on 'Radius - Local - None'. But the stats for the Radius server all remain at 0.
When I look at Port Authentication - Advanced, it states it's connecting. The Monitor also displays EAP frames.
From tools, I can ping the radius server.
The firewall is disabled on the server and the WiFi access points are using the Radius server fine using the default ip port.
Any ideas?
All Replies
Re: GS748T no radius authentication
Hi, I have the same problem... no way to run Radius authentication on ports. My Radius server is on Windows Server 2008 R2. No information in the log on the Radius server. I think that I tried everything. The only thing that works is when I set Radius on the Authentication list. Then I see that the switch is trying to authenticate the "admin" user on the Radius server when I try to log in to admin on the switch. So in this case it works (but it is bad, because of the admin name)... but no way to run port authentication. Is there someone with a smart switch - newest fw (24) - running port authentication where it's OK? Maybe it's a fw problem... It makes me crazy 😕
Re: GS748T no radius authentication
Hi @PdClark / @George_58,
Welcome to the community! 🙂
I am not sure if this will help. Let me share the forum link below and it might help:
Regards,
DaneA
NETGEAR Community Team
Re: GS748T no radius authentication
Hi Dane
Thanks for the reply.
I followed the link and sub-links on the articles and I've tried all the settings which were listed, with no success.
The only time the switch contacts the Radius server is for authentication of the management console. At no point does it try to contact the server for 802.1x authentication.
I've run a network monitor on the radius server and the only packets received from the switch are those from the console authentication.
I've checked the logs on the switch and there's nothing in there.
Very frustrating
Re: GS748T no radius authentication
It seems that the problem is that Smart switches use only PAP and MD5... and it doesn't work any more with Windows. Is this a good answer?
Re: GS748T no radius authentication
In Port Authentication - Advanced it states EAP Protocol version 1, which I believe to be EAP-TTLS1.
I understand you can encapsulate PAP in EAP-TTLS1, which is what I've done for our laptops' 802.3 network policy.
But what I'm really confused with is that the switch doesn't send any data to the Radius server unless it's to authenticate the console logon.
Re: GS748T no radius authentication
I came across this article:
https://kb.netgear.com/188/What-is-802-1x-security-authentication
This confirms that the switch should pass the authentication. But it's not!
** Solved **
One thing I overlooked. Windows 7 and onwards have a service 'Wired AutoConfig' which is set to manual by default.
Set this to automatic and it works perfectly!
Re: GS748T no radius authentication
So you use EAP-TTLS1 on the smart switch and port authentication works OK?
Re: GS748T no radius authentication
Yep, although I've settled for certificate authentication.
Re: GS748T no radius authentication
Hi, maybe there is some difference between the 748T and the 728TP which I have. I didn't see any information about the protocol version in Port Authentication - Advanced. I have a testing NTB with Windows 10, and Wired AutoConfig is running. But still no information is sent by the switch to the Radius server. I have another problem: the Radius server authenticates the admin user of the switch (to log in to the switch), but the switch shows me the "Invalid password, please try again" message.
30 Jul 2018 10:11:20%AAA-W-REJECT: New http connection, source 192.168.2.139 destination 192.168.2.3 REJECTED .
In the Windows Server log everything is OK (the user was authenticated and has all access)... Do you have any idea?
Re: GS748T no radius authentication
The 'Admin' user in the event logs is a red herring and misleading. It's trying to authenticate the NetGear console logon with the Radius server.
If you install Microsoft Network Monitor 3.4 onto your Radius server and apply a filter just for the IP address of the switch, you'll see all the traffic from the switch.
When the switch tries to pass through the workstation authentication, you'll see traffic with EAP protocol.
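An added example, not part of the original post: the distinction described above, applied to RADIUS Access-Request payloads captured on the server. A relayed 802.1X attempt carries an EAP-Message attribute (type 79, RFC 3579), while the console logon is assumed here to use PAP (User-Password, type 2). The function names, user names and sample packets are constructed for illustration.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579)
USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80
ACCESS_REQUEST = 1

def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS UDP payload into code, identifier and attribute map."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the payload")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    if pos != length:
        raise ValueError("trailing bytes after last attribute")
    return {"code": code, "id": ident, "attrs": attrs}

def classify(packet: bytes) -> str:
    """Label an Access-Request as relayed 802.1X (EAP) or a console PAP logon."""
    msg = parse_radius(packet)
    if msg["code"] != ACCESS_REQUEST:
        return "not-access-request"
    user = msg["attrs"].get(USER_NAME, [b"?"])[0].decode("utf-8", "replace")
    if EAP_MESSAGE in msg["attrs"]:
        return f"802.1x-eap:{user}"
    if USER_PASSWORD in msg["attrs"]:  # assumption: console logon uses PAP
        return f"console-pap:{user}"
    return f"other:{user}"

def build(code, ident, attrs):
    """Build a constructed sample packet (zeroed authenticator, test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: a switch console logon and a relayed EAP identity response.
CONSOLE = build(1, 7, [(USER_NAME, b"admin"), (USER_PASSWORD, bytes(16))])
DOT1X = build(1, 8, [(USER_NAME, b"host/pc01.example.local"),
                     (EAP_MESSAGE, bytes([2, 1, 0, 5, 1])),
                     (MESSAGE_AUTHENTICATOR, bytes(16))])

if __name__ == "__main__":
    for name, pkt in (("console", CONSOLE), ("dot1x", DOT1X)):
        print(name, "->", classify(pkt))
```

If every request from the switch's IP classifies as a console logon, the switch is not receiving EAP from the workstation at all, which points at the supplicant side rather than the RADIUS server.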
Re: GS748T no radius authentication
But there is no traffic from the workstation... Do you use some certificate which you recorded to the switch? Or did you only set the Radius server IP and secret, and in 802.1x Configuration set Port Based Authentication State as enabled and set the port which must be untrusted (for authentication)?
I set authentication for port 15. When I plug the cable out and in, in the switch log is:
30 Jul 2018 11:06:28%STP-W-PORTSTATUS: g15: STP status Forwarding |
30 Jul 2018 11:06:24%LINK-I-Up: g15 |
30 Jul 2018 11:06:20%LINK-W-Down: g15 |
Communication is blocked, no info in Microsoft Network Monitor on the Radius server side. On the workstation I set 802.1x, Microsoft EAP-TTLS, use PAP, and valid credentials. No certificate.
Second problem:
The Authentication List is only for logging in to the switch console, so it doesn't matter if it is on? But when I try to use it... on the Radius side everything is OK, but the switch sends info about a bad password. Is there some attribute in the Radius message which is really important for Netgear switches?
Re: GS748T no radius authentication
From my configuration:
On the switch, keep the Authentication List to Radius, Local, None. It enables all authentication to the Radius server including the console logon.
In Group Policy, set the wired config to use 'Smartcard or other certificate' and 'Computer only' authentication.
On the properties of 'smartcard or other cert', select 'Use a cert on my computer', click Advanced and select the root certificate issued from your CA.
On your NPS server, add the switch as a Radius client, create a 'Network Request' policy based on Domain Computers (or any other group for your computers) and a 'Client Friendly name'.
Add a Network Policy adding the same group of computers and EAP type.
That should get you going. Tweak NPS to improve the constraints.
Re: GS748T no radius authentication
No way 😕. Problem 1 - not working, and problem 2 - not working...
Problem 1 - authentication to the admin console. The NPS server gets the request from the switch and accepts it - everything seems OK. But the switch does not allow me to log in - why?
Problem 2 - any data on the NPS server from the workstation. It seems that no data goes through the switch to the NPS server. Why? Where can I find any information about this? In the log on the switch there is no data about EAP from the workstation. Only:
03 Aug 2018 10:31:40%STP-W-PORTSTATUS: g15: STP status Forwarding |
03 Aug 2018 10:31:36%LINK-I-Up: g15 |
03 Aug 2018 10:31:31%LINK-W-Down: g15 |
Is it a problem of Radius attributes? Is there any document where I can find info about the attributes which Netgear "must receive"?
I have a .cer file from my domain controller, but it contains no private key. So must I make a new certificate, e.g. with OpenSSL, which will have public and private keys?
Did you set up a certificate on the Netgear switch (Security/Access/HTTPS/Certificate management)? Or can it be blank? Sorry for too many questions, but I'm not a network professional...