How to set up Microsoft IAS (RADIUS) for 3Com switch authentication

I need step-by-step instructions on how to configure Microsoft IAS server and 3Com switches so they can be authenticated against the RADIUS service. I already have IAS configured for Cisco routers and switches (thanks to the help I received here). I tried duplicating the Cisco remote access policy with the 3Com switches but it didn't work.
ecajigasAsked:

bbaoIT ConsultantCommented:
> I tried duplicating the Cisco remote access policy with the 3Com switches but it didn't work.

which model of 3com? how did you try the "duplicating"??
0
ecajigasAuthor Commented:
bbao,

The switches are:

4500
4500G
5500

All of them use the same "operating system". And the commands are the same for all of them. At this moment I'm just trying with a 4500 that I put for testing purposes.

I really need to get this working. If I cannot authenticate the 3Com with RADIUS, authenticating the Cisco units will be academic.
0
ecajigasAuthor Commented:
For the Cisco devices I followed the procedure described here:

http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

and it worked perfectly.

I repeated those steps but added a second policy in the Remote Access Policies section for the 3Com switches.
0

bbaoIT ConsultantCommented:
sorry for replying late.

there is a sample about 4500 RADIUS here, hope it helps.

3com 4500 series & Win2k3 RADIUS question
http://social.technet.microsoft.com/Forums/en/winserverPN/thread/3e048ad7-225d-4f3d-98d2-6a175b27d577

BTW, what's the result of "display radius" from the 4500 switch?

regards,
bbao
0
ecajigasAuthor Commented:
bbao,

Here is the output from the switch:
[3COMTESTSW]display radius
------------------------------------------------------------------

SchemeName  =system                           Index=0    Type=extended
Primary Auth IP  =XXX.XXX.XXX.XXX  Port=1812   State=active
Primary Acct IP  =127.0.0.1        Port=1646   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= XXXXXXXXXX
Acct Server Encryption Key= 3com
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)                             =5
Username format                                 =without-domain
Data flow unit                                  =Byte
Packet unit                                     =1


------------------------------------------------------------------

SchemeName  =XXXX                             Index=1    Type=extended
Primary Auth IP  =XXX.XXX.XXX.XXX  Port=1812   State=active
Primary Acct IP  =0.0.0.0          Port=1813   State=block

------------------------------------------------------------------

Total 2 RADIUS scheme(s). 2 listed


0
bbaoIT ConsultantCommented:
1. it seems that you have changed the default system scheme to use an external RADIUS server, which is not recommended.

2. a RADIUS scheme will not become active unless an accounting server is also defined. currently you haven't assigned the Primary Acct server though its state is active.

3. if you don't have an accounting server, then the RADIUS scheme needs to have accounting set to "optional"

4. determine the accounting port number used by IAS and make sure the same port number is given in the 4500's RADIUS settings.

5. make sure the shared secrets of IAS are the same as the Encryption Keys given in the 4500's RADIUS settings.

finally, your 4500's RADIUS configuration should read like this:

radius scheme system
radius scheme XXXX
 server-type standard
 primary authentication XXX.XXX.XXX.XXX
 primary accounting XXX.XXX.XXX.XXX
 secondary authentication YYY.YYY.YYY.YYY
 accounting optional
 key authentication XXXXXXXXXX
 key accounting XXXXXXXXXX
 user-name-format without-domain
#
domain XXXX
 scheme radius-scheme XXXX
0
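The checks listed in the answer above can be run mechanically over saved `display radius` output; this is an added example, not part of the original thread and not 3Com or Microsoft code. The sample text, addresses and keys are constructed, `parse_schemes` and `audit` are hypothetical helper names, and the key-equality check assumes the switch is registered in IAS as a single RADIUS client with one shared secret.

```python
import re

# Constructed sample shaped like the `display radius` output in this thread;
# addresses (RFC 5737 range) and keys are placeholders, not real values.
SAMPLE = """\
SchemeName  =system                           Index=0    Type=extended
Primary Auth IP  =192.0.2.10       Port=1812   State=active
Primary Acct IP  =127.0.0.1        Port=1646   State=active
Accounting method = required

SchemeName  =lab                              Index=1    Type=standard
Primary Auth IP  =192.0.2.10       Port=1812   State=active
Primary Acct IP  =192.0.2.10       Port=1813   State=active
Auth Server Encryption Key= EXAMPLE-KEY-A
Acct Server Encryption Key= EXAMPLE-KEY-A
Accounting method = optional
"""

UNSET = {"0.0.0.0", "127.0.0.1"}  # values the switch shows when no server is assigned

def parse_schemes(text):
    """Split the output into one dict per RADIUS scheme."""
    schemes = []
    for line in text.splitlines():
        if m := re.match(r"SchemeName\s*=(\S+)", line):
            schemes.append({"name": m.group(1)})
        elif m := re.match(r"Primary (Auth|Acct) IP\s*=(\S+)\s+Port=(\d+)\s+State=(\w+)", line):
            kind = m.group(1).lower()
            schemes[-1][kind] = {"ip": m.group(2), "port": int(m.group(3)), "state": m.group(4)}
        elif m := re.match(r"(Auth|Acct) Server Encryption Key=\s*(\S+)", line):
            schemes[-1][m.group(1).lower() + "_key"] = m.group(2)
        elif m := re.match(r"Accounting method\s*=\s*(\w+)", line):
            schemes[-1]["accounting"] = m.group(1)
    return schemes

def audit(scheme, ias_acct_port=1813):
    """Return findings for one scheme; keys are compared, never echoed."""
    auth, acct, out = scheme["auth"], scheme["acct"], []
    external = auth["ip"] not in UNSET
    if scheme["name"] == "system" and external:
        out.append("default 'system' scheme points at an external server")
    no_acct = acct["ip"] in UNSET or acct["state"] != "active"
    if external and no_acct and scheme.get("accounting") == "required":
        out.append("accounting required but no accounting server defined")
    if external and not no_acct and acct["port"] != ias_acct_port:
        out.append("accounting port differs from the IAS port")
    if external and not no_acct and scheme.get("auth_key") != scheme.get("acct_key"):
        out.append("authentication and accounting keys differ")
    return out
```

Pass the accounting port your IAS server actually listens on as `ias_acct_port`; 1813 is only the default used here.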
ecajigasAuthor Commented:
Please cancel the deletion request until the suggestions provided by bbao are tested.
0
ecajigasAuthor Commented:
bbao,

This is how the configuration looks now:

radius scheme system
 server-type standard
radius scheme XXXX
 primary authentication XXX.XXX.XXX.XXX
 primary accounting XXX.XXX.XXX.XXXX
 accounting optional
 key authentication XXXXXXXX
 key accounting prpp XXXXXXXX
 user-name-format without-domain
#
domain XXXX
 scheme radius-scheme XXXX
domain system

Here is the output from display radius:

[3COMTESTSW]disp radius
------------------------------------------------------------------

SchemeName  =system                           Index=0    Type=standard
Primary Auth IP  =127.0.0.1        Port=1645   State=active
Primary Acct IP  =127.0.0.1        Port=1646   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= 3com
Acct Server Encryption Key= 3com
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)                             =5
Username format                                 =without-domain
Data flow unit                                  =Byte
Packet unit                                     =1


------------------------------------------------------------------

SchemeName  =prpa                             Index=1    Type=standard
Primary Auth IP  =130.200.100.131  Port=1812   State=active
Primary Acct IP  =130.200.100.131  Port=1813   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= prp44cc3ss
Acct Server Encryption Key= prpp44cc3ss
Accounting method = optional
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)                             =5
Username format                                 =without-domain
Data flow unit                                  =Byte
Packet unit                                     =1


------------------------------------------------------------------

Total 2 RADIUS scheme(s). 2 listed

At the IAS server I have two Remote Access Policies, one for the Cisco units and one for the 3Com. When configuring the Multivalued Attribute Information of the policy, what value do I have to use? For the Ciscos I have shell:priv-lvl=15.
0
bbaoIT ConsultantCommented:
didn't find the vendor-specific information for 3Com, but here is an example from Packeteer for your reference.

Configure Windows IAS on Windows Server 2003
https://bto.bluecoat.com/packetguide/8.3/info/configure-radius-ias-2003.htm

hope it helps,
bbao
0
ecajigasAuthor Commented:
bbao,

That document basically describes the procedure that I followed to configure the Cisco devices, but I still need the 3Com-specific value for this to work and that's exactly what I cannot find.


Any other suggestion?

0
bbaoIT ConsultantCommented:
Did you read this before? P380.

3Com® Switch 4500 Family Configuration Guide Version 03.02.00
http://support.3com.com/documents/switches/4500/3Com_Switch_4500_Configuration_Guide_V03.02.00.pdf
0

ecajigasAuthor Commented:
bbao,

Yes, I have that document for the 3com 4500 and the 5500. From there I got the configuration for the switch that I modified following your suggestions.

What I need to test that configuration is the MS IAS side.
0
ecajigasAuthor Commented:
bbao,

You were right, I was wrong; it was the version of the document that I have.

Thanks.
0
ecajigasAuthor Commented:
I will check the documentation and I will let you know.
0
ecajigasAuthor Commented:
bbao,

I will award the points, and if I find a problem with the configuration I will create another question.
0
bbaoIT ConsultantCommented:
> You were right, I was wrong; it was the version of the document that I have.

?? did you mean "the document that I DON'T have"??

thanks for the points and grade.
0
ecajigasAuthor Commented:
I do have and have read all the user and reference guides for the 3Com 4500 and 5500. The version of the document you provided is older. If you notice, the instructions are for Windows 2000. In the documentation that I have there is no mention of how to configure RADIUS servers other than the 3Com Network Access Manager program that they sell.

The document you provided has the specific vendor value for the MS IAS configuration. I will use that with the setup and if I encounter a problem I will open a new question.

best regards
0
ecajigasAuthor Commented:
bbao,

I posted a new question related to this topic; please check it out.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_26184241.html
0
Question has a verified solution.
