
Configuring IAS to work with Alcatel 802.1x.

This document explains how to configure Windows Internet Authentication Service (IAS) and an Active Directory user for EAP-MD5 802.1x authentication with Alcatel AOS-based switches.

Internet Authentication Service (basic configuration)
Right-click "Clients" and select "New Client".

Add the new switch as a RADIUS client: give it a friendly name and select RADIUS as the protocol. Click Next.

Type in the IP address of the switch you are adding. Check the box "Client must always send the signature attribute in the request" (this requires the RADIUS Message-Authenticator attribute on every request from this switch). Enter the same password you have configured as the shared secret on the switch. Click Finish.

Now right-click "Remote Access Policies" and select New Remote Access Policy.

Enter a Policy Name.

Add a condition to match the client.

Add the attribute Windows-Groups from the list. You will also need to add NAS-IP-Address, which is the IP address of the switch. You can also enter a pattern such as 133.2.253.* if your switch IP is 133.2.253.254.

Once you add Windows-Groups, another window opens to select the group. Select Domain Users and click Add. You can now click OK to exit and go to the permission setup menu.

Select "Grant Remote Access Permission".

Click the Edit Profile button and make the selections shown below.

Switch Properties

Remove the standard parameters and select something like the settings below. Click the Add button.

Scroll down to Vendor-Specific Attributes. Click "Add".

Select the Add button.

Select "Enter Vendor Code:" and enter 800, change to "Yes. It conforms", and click Configure Attribute.

Vendor-assigned attribute number = 1 (VLAN ID)
Attribute format = Decimal
Attribute value = 4 (the port will be moved to VLAN 4)
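As an added illustration (not part of the original document, and not Alcatel's or Microsoft's code), the following Python encodes and decodes the Vendor-Specific attribute that the settings above make IAS send in its Access-Accept: RADIUS attribute type 26, vendor ID 800, vendor-type 1, a 4-byte decimal value of 4 (RFC 2865 section 5.26 layout). The label "VLAN ID" for vendor-type 1 is taken from the document; the function and constant names are assumptions of this example. It also shows the length checks a switch or a test harness should apply before trusting a VLAN assignment from the wire.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type for Vendor-Specific (RFC 2865 5.26)
ALCATEL_VENDOR_ID = 800       # vendor code entered in IAS per the document
VLAN_ID_VENDOR_TYPE = 1       # vendor-assigned attribute number per the document


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one integer-valued VSA as wire bytes.

    Layout: Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | value(4)
    """
    vendor_data = struct.pack("!BBI", vendor_type, 6, value)   # vendor-length = 2 + 4
    body = struct.pack("!I", vendor_id) + vendor_data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(raw):
    """Parse one VSA; return (vendor_id, vendor_type, value) or raise ValueError.

    Every length field is validated against the actual buffer so a truncated or
    oversized attribute is rejected instead of being read past its bounds.
    """
    if len(raw) < 8 or raw[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    attr_len = raw[1]
    if attr_len != len(raw) or attr_len < 8:
        raise ValueError("bad attribute length")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    vendor_type, vendor_len = raw[6], raw[7]
    if vendor_len != attr_len - 6 or vendor_len < 2:
        raise ValueError("bad vendor length")
    payload = raw[8:8 + vendor_len - 2]
    if len(payload) != 4:
        raise ValueError("expected a 4-byte integer value")
    return vendor_id, vendor_type, struct.unpack("!I", payload)[0]


def vlan_from_access_accept(attributes, vendor_id=ALCATEL_VENDOR_ID,
                            vendor_type=VLAN_ID_VENDOR_TYPE):
    """Walk a list of raw attributes from an Access-Accept; return the VLAN ID or None.

    Attributes from other vendors, other vendor-types, or malformed VSAs are skipped,
    so only a well-formed vendor 800 / type 1 attribute can move a port.
    """
    for attr in attributes:
        if not attr or attr[0] != VENDOR_SPECIFIC:
            continue
        try:
            vid, vtype, value = decode_vsa(attr)
        except ValueError:
            continue
        if vid == vendor_id and vtype == vendor_type:
            return value
    return None


if __name__ == "__main__":
    wire = encode_vsa(ALCATEL_VENDOR_ID, VLAN_ID_VENDOR_TYPE, 4)
    print(wire.hex())                      # the 12 bytes IAS places in the Access-Accept
    print(vlan_from_access_accept([wire]))  # 4
```

The decoder deliberately refuses anything whose Length, Vendor-Length and value size disagree; when you capture a real Access-Accept with a packet analyzer, the VSA bytes should match `encode_vsa(800, 1, 4)` exactly if the IAS profile was entered as described above.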

These are the default settings.

Uncheck everything except Extensible Authentication Protocol (EAP).

Change the settings below if you are using DHCP. However, it is advisable to use static IP addresses until the setup is working.

Click OK.

Click Finish.

Now let's create a user on the Active Directory server.

1) Launch Active Directory Users and Computers from Administrative Tools.

2) Right-click Users and select New > User. This launches the New Object - User window. Enter all required information and click Next.

3) Enter the password and select the check boxes as required. Click Next, then click Finish to exit the new user creation menu.

4) You will now see the new user in the list. Right-click the user and select Properties.

5) On the Dial-in tab, select Allow access under Remote Access Permission.

6) On the Member Of tab, add the two entries shown below.

Additional NOTES: Reversibly Encrypted Passwords (CHAP)

User passwords are not stored in a reversibly encrypted form by default, and existing passwords are not converted automatically. You must either manually reset the user's password or set the user's password to be changed the next time the user logs on to the LAN. This must be done for each user who will be authenticating via IAS. Once the password is changed, it is stored in a reversibly encrypted form. If you set user passwords to be changed at next logon, the user must log on using a LAN connection and change the password before attempting to log on with a remote access connection using CHAP. Users cannot change passwords during the authentication process when using CHAP; the logon attempt will fail.

To enable reversibly encrypted passwords (CHAP) in a domain (Active Directory server):
Open Active Directory Users and Computers. In the console tree, double-click Active Directory Users and Computers, right-click the domain name, and then click Properties. On the Group Policy tab, click Default Domain Policy, and then click Edit. Click Security Settings, then Account Policies, then Password Policy. In the details pane, double-click "Store password using reversible encryption for all users in the domain". Click Enabled and then click OK. Reset the user password as described above.

To enable reversibly encrypted passwords (CHAP) on a stand-alone server:
Start -> Run -> gpedit.msc. In the console tree, select Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy and enable "Store password using reversible encryption".

Check the Windows Event Viewer -> System Log for troubleshooting.

Example: the log message below shows that a reversibly encrypted password (CHAP) does not exist for user Bhavesh. Following the procedure above to configure reversibly encrypted passwords fixes this problem.
User BPATEL@TESTPC1.COM was denied access.
Fully-Qualified-User-Name = testpc1.com/Users/bhavesh patel
NAS-IP-Address = 133.2.253.254
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = 7700
Client-IP-Address = 133.2.253.254
NAS-Port-Type = <not present>
NAS-Port = 5
Policy-Name = switch
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 19
Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account.
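Added example, not from the original document: a small Python parser that turns an IAS access-denied event like the one above into name/value fields and maps the Reason-Code to the corrective action described in this document. The sample event is the document's own message, embedded here as a constructed string; the function names, the reason-code table (which covers only code 19, the one this page documents) and the NAS/Client consistency check are assumptions of this example.

```python
import re

# Constructed sample: the denial message quoted in the document, flattened onto one line
# (Event Viewer normally shows one field per line; the parser accepts both forms).
SAMPLE_EVENT = (
    "User BPATEL@TESTPC1.COM was denied access. "
    "Fully-Qualified-User-Name = testpc1.com/Users/bhavesh patel "
    "NAS-IP-Address = 133.2.253.254 NAS-Identifier = <not present> "
    "Called-Station-Identifier = <not present> Calling-Station-Identifier = <not present> "
    "Client-Friendly-Name = 7700 Client-IP-Address = 133.2.253.254 "
    "NAS-Port-Type = <not present> NAS-Port = 5 Policy-Name = switch "
    "Authentication-Type = EAP EAP-Type = <undetermined> Reason-Code = 19 "
    "Reason = The user could not be authenticated using Challenge Handshake "
    "Authentication Protocol (CHAP). A reversibly encrypted password does not "
    "exist for this user account."
)

# Only the reason code this document explains is mapped; everything else is flagged
# for a human rather than guessed at.
KNOWN_REASONS = {
    "19": "no reversibly encrypted password for the account: enable the "
          "'Store password using reversible encryption' policy, then reset the "
          "user's password so it is re-stored in that form",
}

# 'Name = value' pairs; the lookahead stops a value at the next 'Name = ' token
# so values containing spaces (user names, the Reason text) stay intact.
_FIELD_RE = re.compile(r"([A-Za-z][A-Za-z-]*) = (.*?)(?=\s[A-Za-z][A-Za-z-]* = |$)")


def parse_ias_event(text):
    """Split an IAS access-denied/granted message into a dict of its fields."""
    flat = " ".join(text.split())           # normalise newlines and runs of spaces
    fields = {}
    m = re.match(r"User (\S+) was (denied|granted) access", flat)
    if m:
        fields["User"], fields["Decision"] = m.group(1), m.group(2)
    for key, value in _FIELD_RE.findall(flat):
        fields[key] = value.strip()
    return fields


def diagnose(fields):
    """Return (severity, message) for a parsed event, using only what the event contains."""
    if fields.get("Decision") != "denied":
        return ("info", "access granted")
    code = fields.get("Reason-Code")
    if code in KNOWN_REASONS:
        return ("action", f"Reason-Code {code}: {KNOWN_REASONS[code]}")
    return ("investigate", f"unmapped Reason-Code {code!r}: {fields.get('Reason', '')}")


def nas_matches_client(fields):
    """Sanity check: the NAS-IP-Address the switch claims should equal the address of
    the RADIUS client entry IAS matched it to (the Client-IP-Address field)."""
    return fields.get("NAS-IP-Address") == fields.get("Client-IP-Address")


if __name__ == "__main__":
    parsed = parse_ias_event(SAMPLE_EVENT)
    print(parsed["User"], parsed["Client-Friendly-Name"], parsed["Reason-Code"])
    print(diagnose(parsed))
    print("NAS/client address consistent:", nas_matches_client(parsed))
```

A Reason-Code 19 denial is a configuration problem rather than a sign of a bad shared secret or a misbehaving switch, so the diagnosis points straight at the password-storage steps above; any other code is left for investigation. Because reversible storage means the domain controller can recover the cleartext password, it is worth applying the reversible-encryption requirement only to the accounts that authenticate with EAP-MD5 rather than to every user in the domain.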

Written By: Bhavesh Patel.
