
Re: GS748T no radius authentication

PdClark
Tutor

GS748T no radius authentication

Hi

 

I have a Windows Server 2012 configured with NPS, and it is working fine with WiFi access points.

 

I'm trying to configure my GS748T to authenticate EAP with the server.  What I've done so far:

 

Updated the firmware to the latest version

Configured the Radius server settings in the switch (with and without a shared key) to the Windows Server IP address

Configured the Accounting server

Set the port connected to the server as Active

Set Port Authentication to Enabled

 

I've also tried VLANs

 

Configured workstations through Group Policy to use Wired Network Policies (IEEE 802.3)

 

If I use a network monitor, I can see the switch trying to authenticate the Admin user when I turn on 'Radius - Local - None'.  But the stats for Radius server all remain at 0.

 

 

When I look at Port Authentication - Advanced, it states it's connecting.  The Monitor also displays EAP frames.

 

From tools, I can ping the radius server.

 

The firewall is disabled on the server and the WiFi access points are using the Radius server fine using the default IP port.

 

Any ideas?

Model: GS748T|48-port Gigabit Smart Switch
Message 1 of 15

All Replies
George_58
Aspirant

Re: GS748T no radius authentication

Hi, I have the same problem: no way to run Radius authentication on ports. My Radius server is on Windows Server 2008 R2. There is no information in the log on the Radius server. I think that I have tried everything. The only thing that works is when I set Radius in the Authentication list. Then I see that the switch is trying to authenticate the "admin" user on the Radius server when I try to log in as admin on the switch. So in this case it works (but it is bad, because of the admin name), but there is no way to run port authentication. Is there someone with a smart switch on the newest fw (24) who runs port authentication and it's OK? Maybe it's a fw problem. It makes me crazy 😕

Model: GS728TP|ProSAFE 24-port PoE Smart Switch with 8 PoE+-port
Message 2 of 15
DaneA
NETGEAR Employee Retired

Re: GS748T no radius authentication

Hi @PdClark / @George_58,

 

Welcome to the community! 🙂 

 

I am not sure if this will help.  Let me share the forum link below and it might help:

 

https://community.netgear.com/t5/Smart-Plus-Click-Switches/GS748t-Radius-authorization-Windows-Serve...

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 3 of 15
PdClark
Tutor

Re: GS748T no radius authentication

Hi Dane

 

Thanks for the reply.

 

 

I followed the link and sub-links on the articles and I've tried all the settings which were listed, with no success.

 

The only time the switch contacts the Radius server is for authentication of the management console.  At no point does it try to contact the server for 802.1x authentication.

 

I've run a network monitor on the radius server and the only packets received from the switch are those from the console authentication.

 

I've checked the logs on the switch and there's nothing in there.

 

Very frustrating

Message 4 of 15
George_58
Aspirant

Re: GS748T no radius authentication

It seems that the problem is that Smart switches use only PAP and MD5, and that doesn't work any more with Windows. Is this a good answer?

Message 5 of 15
PdClark
Tutor

Re: GS748T no radius authentication

In Port Authentication - Advanced it states EAP Protocol version 1, which I believe to be EAP-TTLS1.

 

I understand you can encapsulate PAP in EAP-TTLS1, which is what I've done for our laptops' 802.3 network policy.

 

But what I'm really confused with is that the switch doesn't send any data to the Radius server unless it's to authenticate the console logon.

Message 6 of 15
PdClark
Tutor

Re: GS748T no radius authentication

I came across this article;

 

https://kb.netgear.com/188/What-is-802-1x-security-authentication

 

This confirms that the switch should pass the authentication.  But it's not!

Message 7 of 15
PdClark
Tutor

Re: GS748T no radius authentication

** Solved **

 

One thing I overlooked.  Windows 7 and onwards have a service, 'Wired AutoConfig', which is set to manual by default.

 

Set this to automatic and it works perfectly!

Message 8 of 15
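The fix described in Message 8, as an added example that is not part of the original thread: a PowerShell check of the Windows wired 802.1X supplicant, to be run in an elevated session on the workstation. It assumes the standard service name `dot3svc` for "Wired AutoConfig" and uses only built-in cmdlets and `netsh lan`.

```powershell
# Added example (not from the thread): verify and enable the wired 802.1X supplicant.
# Assumption: 'dot3svc' is the service name behind the "Wired AutoConfig" display name.
$svcName = 'dot3svc'

# Show the current state before changing anything.
$svc = Get-Service -Name $svcName -ErrorAction Stop
[pscustomobject]@{
    Service   = $svc.DisplayName
    Status    = $svc.Status
    StartType = $svc.StartType
} | Format-List

# While this service is stopped the workstation runs no 802.1X supplicant on
# Ethernet, so it does not answer the switch's EAP requests and the switch
# has nothing to relay to the RADIUS server.
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name $svcName -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name $svcName
}

# Re-read the service and fail loudly if the change did not take effect.
$svc = Get-Service -Name $svcName
if ($svc.Status -ne 'Running' -or $svc.StartType -ne 'Automatic') {
    throw "Wired AutoConfig is still $($svc.Status) / $($svc.StartType)"
}

# 'netsh lan' only works while dot3svc is running. These two commands show
# whether 802.1X is enabled on each wired interface and which profile
# (including one pushed by Group Policy) is applied to it.
netsh lan show interfaces
netsh lan show profiles
```

For domain-joined machines the same startup setting can be applied centrally through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > System Services) instead of per workstation.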
George_58
Aspirant

Re: GS748T no radius authentication

So you use EAP-TTLS1 on the smart switch and port authentication works OK?

Message 9 of 15
PdClark
Tutor

Re: GS748T no radius authentication

Yep, although I've settled for certificate authentication.

 

 

Message 10 of 15
George_58
Aspirant

Re: GS748T no radius authentication

Hi, maybe there is some difference between the 748T and the 728TP which I have. I didn't see any information about protocol version in Port Authentication - Advanced. I have a testing NTB with Windows 10, and Wired AutoConfig is running. But still no information is sent by the switch to the Radius server. I have another problem: the Radius server authenticates the admin user of the switch (to log in to the switch), but the switch shows me an "Invalid password, please try again" message.

30 Jul 2018 10:11:20%AAA-W-REJECT: New http connection, source 192.168.2.139 destination 192.168.2.3 REJECTED

In the Windows server log everything is OK (the user was authenticated and has all access). Do you have any idea?

Message 11 of 15
PdClark
Tutor

Re: GS748T no radius authentication

The 'Admin' user in the event logs is a red herring and misleading.  It's trying to authenticate the NetGear console logon with the Radius server.

 

If you install Microsoft Network Monitor 3.4 onto your Radius server and apply a filter just for the IP address of the switch, you'll see all the traffic from the switch.

 

When the switch tries to pass through the workstation authentication, you'll see traffic with EAP protocol.

Message 12 of 15
George_58
Aspirant

Re: GS748T no radius authentication

But there is no traffic from the workstation. Do you use some certificate which you record to the switch? Or do you only set the Radius server IP and secret, and in 802.1x Configuration set Port Based Authentication State as enabled and set the port which must be untrusted (for authentication)?

I set authentication for port 15. When I plug the cable out and in, the switch log shows:

30 Jul 2018 11:06:28%STP-W-PORTSTATUS: g15: STP status Forwarding
30 Jul 2018 11:06:24%LINK-I-Up: g15
30 Jul 2018 11:06:20%LINK-W-Down: g15

 

Communication is blocked, and there is no info in Microsoft Network Monitor on the Radius server side. On the workstation I set 802.1x, Microsoft EAP-TTLS, use PAP, and valid credentials. No certificate.

 

Second problem:

The Authentication List is only for logging in to the switch console, so it doesn't matter if it is on? But when I try to use it, on the Radius side everything is OK, but the switch sends info about a bad password. Is there some attribute in the Radius message which is really important for Netgear switches?

 

Message 13 of 15
PdClark
Tutor

Re: GS748T no radius authentication

From my configuration;

 

On the switch, keep the Authentication List to Radius, Local, None.  It enables all authentication to the Radius server including the console logon.

 

In Group Policy, set the wired config to use 'Smartcard or other certificate' and 'Computer only' authentication.

 

On the properties of 'smartcard or other cert', select 'Use a cert on my computer' click Advanced and select the root certificate issued from your CA.

 

On your NPS server, add the switch as a Radius client, create a 'Network Request' policy based on Domain Computers (or any other group for your computers) and a 'Client Friendly name'

 

Add a Network Policy adding the same group of computers and EAP type.

 

That should get you going.  Tweak NPS to improve the constraints.

Message 14 of 15
George_58
Aspirant

Re: GS748T no radius authentication

No way 😕 . Problem 1 - not working and problem 2 not working..

Problem 1 - authentication to the admin console. The NPS server gets the request from the switch and accepts it - everything seems OK. But the switch does not allow me to log in - why?

 

Problem 2 - there isn't any data on the NPS server from the workstation. It seems that no data goes through the switch to the NPS server. Why? Where can I find any information about this? In the log on the switch there is no data about EAP from the workstation. Only:

03 Aug 2018 10:31:40%STP-W-PORTSTATUS: g15: STP status Forwarding
03 Aug 2018 10:31:36%LINK-I-Up: g15
03 Aug 2018 10:31:31%LINK-W-Down: g15

 

Is it a problem of Radius attributes? Is there any document where I can find info about the attributes which Netgear "must receive"?

I have a .cer file from my domain controller, but it contains no private key. So must I make a new certificate, e.g. with OpenSSL, which will have public and private keys?

Did you set up a certificate on the Netgear switch (Security/Access/HTTPS/Certificate management)? Or can it be blank? Sorry for too many questions, but I'm not a network professional.

Message 15 of 15