ecajigas

asked on

How to setup Microsoft IAS (radius) for 3Com switches authentication

I need step by step instruction on how to configure Microsoft IAS server and 3Com switches so they can be authenticated against the RADIUS service. I already have IAS configured for Cisco routers and switches (thanks to the help I receive here). I tried to duplicating the Cisco remote access policy with the 3com switches but it didn't work.
bbao

> I tried to duplicating the Cisco remote access policy with the 3com switches but it didn't work.

Which model of 3Com? How did you try the "duplicating"?
ecajigas

ASKER

bbao,

The switches are:

4500
4500G
5500

All of them use the same "operating system". And the commands are the same for all of them. At this moment I'm just trying with a 4500 that I put for testing purposes.

I really need to get this working. If I cannot authenticate the 3Com with RADIUS, authenticating the Cisco units will be academic.
For the Cisco devices I followed the procedure described here:

http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/

and it worked perfectly.

I repeated those steps but added a second policy in the Remote Access Policies section for the 3Com switches.
Sorry for replying late.

There is a sample about 4500 RADIUS here; hope it helps.

3com 4500 series & Win2k3 RADIUS question
http://social.technet.microsoft.com/Forums/en/winserverPN/thread/3e048ad7-225d-4f3d-98d2-6a175b27d577

BTW, what's the result of "display radius" from the 4500 switch?

regards,
bbao
bbao,

Here is output from the switch:
[3COMTESTSW]display radius
------------------------------------------------------------------

SchemeName  =system                           Index=0    Type=extended
Primary Auth IP  =XXX.XXX.XXX.XXX  Port=1812   State=active
Primary Acct IP  =127.0.0.1        Port=1646   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= XXXXXXXXXX
Acct Server Encryption Key= 3com
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)                             =5
Username format                                 =without-domain
Data flow unit                                  =Byte
Packet unit                                     =1


------------------------------------------------------------------

SchemeName  =XXXX                             Index=1    Type=extended
Primary Auth IP  =XXX.XXX.XXX.XXX  Port=1812   State=active
Primary Acct IP  =0.0.0.0          Port=1813   State=block

------------------------------------------------------------------

Total 2 RADIUS scheme(s). 2 listed


1. It seems that you have changed the default system scheme to use an external RADIUS server, which is not recommended.

2. A RADIUS scheme will not become active unless an accounting server is also defined. Currently you haven't assigned the Primary Acct server though its state is active.

3. If you don't have an accounting server, then the RADIUS scheme needs to have accounting set to "optional".

4. Determine the accounting port number used by IAS and make sure the same port number is given in the 4500's RADIUS settings.

5. Make sure the shared secrets of IAS are the same as the Encryption Keys given in the 4500's RADIUS settings.

Finally, your 4500's RADIUS configuration should read like this:

radius scheme system
radius scheme XXXX
server-type standard
primary authentication XXX.XXX.XXX.XXX
primary accounting XXX.XXX.XXX.XXX
secondary authentication YYY.YYY.YYY.YYY
accounting optional
key authentication XXXXXXXXXX
key accounting XXXXXXXXXX
user-name-format without-domain
#
domain XXXX
scheme radius-scheme XXXX
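As an added check (not from this thread, 3Com or Microsoft), a small Python script that parses the "display radius" output into one record per scheme and applies points 1 to 5 above. It assumes a constructed sample (the addresses and keys are made up) and that IAS listens for accounting on UDP 1813; pass your real port as ias_acct_port.

```python
import re

# Constructed sample modelled on the thread's "display radius" output; addresses and keys are made up.
SAMPLE = """\
SchemeName  =system                           Index=0    Type=standard
Primary Auth IP  =127.0.0.1        Port=1645   State=active
Primary Acct IP  =127.0.0.1        Port=1646   State=active
Auth Server Encryption Key= 3com
Acct Server Encryption Key= 3com
Accounting method = required
------------------------------------------------------------------
SchemeName  =lab                              Index=1    Type=standard
Primary Auth IP  =192.0.2.10       Port=1812   State=active
Primary Acct IP  =0.0.0.0          Port=1646   State=block
Auth Server Encryption Key= s3cret-A
Acct Server Encryption Key= s3cret-B
Accounting method = required
"""

def grab(pattern, block, default=""):
    m = re.search(pattern, block)
    return m.group(1) if m else default

def parse_schemes(text):
    """Split 'display radius' output into one dict per RADIUS scheme."""
    schemes = []
    for block in re.split(r"-{10,}", text):  # scheme blocks are separated by dashed rules
        name = grab(r"SchemeName\s*=(\S+)", block)
        if not name:
            continue
        s = {"name": name, "acct_method": grab(r"Accounting method\s*=\s*(\w+)", block)}
        for kind in ("Auth", "Acct"):
            m = re.search(rf"Primary {kind} IP\s*=(\S+)\s+Port=(\d+)\s+State=(\w+)", block)
            s[kind.lower()] = {"ip": m.group(1), "port": int(m.group(2)), "state": m.group(3)}
            s[kind.lower() + "_key"] = grab(rf"{kind} Server Encryption Key=\s*(\S+)", block)
        schemes.append(s)
    return schemes

def check_scheme(s, ias_acct_port=1813):
    """Apply the checks from the answer above; ias_acct_port is the port IAS listens on for accounting."""
    findings = []
    if s["name"] == "system" and s["auth"]["ip"] != "127.0.0.1":
        findings.append("default 'system' scheme was changed to use an external server")
    if s["acct_method"] == "required" and (s["acct"]["ip"] == "0.0.0.0" or s["acct"]["state"] != "active"):
        findings.append("accounting required but no active accounting server: set 'accounting optional'")
    if s["acct"]["port"] != ias_acct_port:
        findings.append(f"accounting port {s['acct']['port']} does not match IAS port {ias_acct_port}")
    if s["auth_key"] != s["acct_key"]:
        findings.append("auth and acct keys differ; IAS has one shared secret per RADIUS client")
    return findings
```

Paste your own switch output in place of SAMPLE; the key comparison only catches a mismatch between the two keys on the switch, so the secret configured for the client in IAS still has to be compared by hand.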
Please cancel the deletion request until the suggestions provided by bbao are tested.
bbao,

This is how the configuration looks now:

radius scheme system
 server-type standard
radius scheme XXXX
 primary authentication XXX.XXX.XXX.XXX
 primary accounting XXX.XXX.XXX.XXXX
 accounting optional
 key authentication XXXXXXXX
 key accounting prpp XXXXXXXX
 user-name-format without-domain
#
domain XXXX
 scheme radius-scheme XXXX
domain system

Here is the output from display radius:

[3COMTESTSW]disp radius
------------------------------------------------------------------

SchemeName  =system                           Index=0    Type=standard
Primary Auth IP  =127.0.0.1        Port=1645   State=active
Primary Acct IP  =127.0.0.1        Port=1646   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= 3com
Acct Server Encryption Key= 3com
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)                             =5
Username format                                 =without-domain
Data flow unit                                  =Byte
Packet unit                                     =1


------------------------------------------------------------------

SchemeName  =prpa                             Index=1    Type=standard
Primary Auth IP  =130.200.100.131  Port=1812   State=active
Primary Acct IP  =130.200.100.131  Port=1813   State=active
Second  Auth IP  =0.0.0.0          Port=1812   State=block
Second  Acct IP  =0.0.0.0          Port=1813   State=block
Auth Server Encryption Key= prp44cc3ss
Acct Server Encryption Key= prpp44cc3ss
Accounting method = optional
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts       =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min)                             =5
Username format                                 =without-domain
Data flow unit                                  =Byte
Packet unit                                     =1


------------------------------------------------------------------

Total 2 RADIUS scheme(s). 2 listed

At the IAS server I have two Remote Access Policies, one for the Cisco units and one for the 3Com. When configuring the Multivalued Attribute Information of the policy, what value do I have to use? For the Cisco I have shell:priv-lvl=15.
I didn't find the vendor-specific information for 3Com; however, here is an example from Packeteer for your reference.

Configure Windows IAS on Windows Server 2003
https://bto.bluecoat.com/packetguide/8.3/info/configure-radius-ias-2003.htm

Hope it helps,
bbao
bbao,

That document basically describes the procedure that I followed to configure the Cisco devices, but I still need the 3Com-specific value for this to work, and that's exactly what I cannot find.


Any other suggestion?

ASKER CERTIFIED SOLUTION
bbao
bbao,

Yes, I have that document for the 3com 4500 and the 5500. From there I got the configuration for the switch that I modified following your suggestions.

What I need to test that configuration is the MS IAS side.
bbao,

You were right, I was wrong; it was the version of the document that I have.

Thanks.
I will check the documentation and I will let you know.
bbao,

I will award the points, and if I find a problem with the configuration I will create another question.
> You were right I was wrong it was the version of the document that I have.

?? Did you mean "the document that I DON'T have"??

Thanks for the points and grade.
I do have and have read all the user and reference guides for the 3Com 4500 and 5500. The version of the document you provided is older; if you notice, the instructions are for Windows 2000. In the documentation that I have there is no mention of how to configure RADIUS servers other than the 3Com Network Access Manager program that they sell.

The document you provided has the specific vendor value for the MS IAS configuration. I will use that with the setup, and if I encounter a problem I will open a new question.

best regards