Using EAP with Microsoft
RADIUS Authentication
A total guide to setting up a
Microsoft environment with Nortel
Networks products to demonstrate
EAP & administrative authentication
Version 1.0
May 2002
(Scott Fincher – Intelligent Internet Aust/NZ)
Table of Contents
INTRODUCTION  3
  USE OF TERMS  3
  CODE LEVELS USED IN THIS DOCUMENT  3
EXTENSIBLE AUTHENTICATION PROTOCOL OVER LAN (EAPOL)  4
  WHAT IT IS AND HOW IT WORKS  4
  EAP MESSAGE EXCHANGE  4
  802.1X ETHERNET FRAME  5
  EAP AND RADIUS RELATED RFCS  5
SETTING UP A MICROSOFT WINDOWS 2000 SERVER  6
  TIPS AND HINTS FOR SETTING UP A W2K SERVER  6
  CONFIGURATION AND SETUP USED IN THIS DOCUMENT  6
  CONFIGURING THE WINDOWS 2000 SERVER  7
  SETTING UP IAS  9
  SETTING UP THE ROUTING & REMOTE ACCESS SERVICE  16
  SETTING UP ACTIVE DIRECTORY  18
    Creating a user account and setting up authentication via EAP  18
SETTING UP A MICROSOFT WINDOWS XP DESKTOP  22
  TIPS AND HINTS FOR SETTING UP WINDOWS XP  22
  ENABLING EAP ON WINDOWS XP  22
SETTING UP A NORTEL NETWORKS BAYSTACK/BPS SWITCH  24
  RADIUS CONFIGURATION  24
  EAPOL CONFIGURATION  25
TESTING EAP AUTHENTICATION  26
  LOGGING ON TO THE DOMAIN WITH WINDOWS XP  26
  CHECKING EAP AUTHENTICATION SUCCESS  28
  TIPS AND HINTS WITH EAP AUTHENTICATION  29
SETTING UP AND TESTING ADMINISTRATIVE AUTHENTICATION  30
  CONFIGURING A CLIENT POLICY UNDER IAS  30
  CREATING A USER ACCOUNT FOR SWITCH ADMINISTRATION  34
  CONFIGURING THE BS/BPS FOR TELNET/CONSOLE RADIUS AUTHENTICATION  36
  TESTING ADMINISTRATIVE AUTHENTICATION  37
  TIPS AND HINTS WITH AUTHENTICATION  37
Nortel Networks – EAP with Microsoft Authentication 1/8/2012 Page 2
Introduction
The purpose of this document is to provide comprehensive information on how to set up, test
and demonstrate the use of Extensible Authentication Protocol (EAP) within a pure Microsoft
environment using Nortel Networks switches that support EAP.
The simulated Microsoft environment in this document uses Microsoft Windows 2000 Server
installed as a Domain Controller running IAS and RRAS in an Active Directory domain, with the
desktop client running Microsoft Windows XP. Users/clients are authenticated using their
standard user account in Active Directory. This document also covers the setup of RADIUS
authentication for administrative functions on Baystack and Business Policy Switches.
Nortel Networks products used in the EAP setup are the Baystack 350/450 and BPS2000
Ethernet switching products.
Many general tips and hints have been provided to highlight actual experiences and issues
found while setting up and testing this environment. Additional information on EAP from
various sources/papers available within Nortel Networks has also been incorporated.
Use of Terms
The use of terms and acronyms in this document is as follows:
- MS – Microsoft
- W2K – Windows 2000 Server
- IAS – Internet Authentication Service
- RRAS – Routing and Remote Access Service
- AD – Active Directory
- Supplicant / Client – the EAP client on the Windows XP desktop
- Authenticator – the switch handling and relaying EAP / RADIUS requests
- RADIUS Client – the device (switch) passing RADIUS requests to the Authentication Server
- Authentication Server – the RADIUS / MS Authentication Service
- PAE – Port Access Entity. The software entity associated with each port that supports the
Authenticator or Supplicant function, i.e. within the switch.
- BS – Baystack Ethernet Switch
- BPS – Business Policy Switch 2000
Code levels used in this document
The software revisions of all equipment used in this document are:
- Windows 2000 Server with Service Pack 1 (PC – Pentium 3, 350 MHz)
- Windows XP Professional SP0 (Laptop – Pentium 3, >300 MHz)
- Baystack 350 Ethernet switch running v4.0 code.
Extensible Authentication Protocol over LAN (EAPoL)
What it is and how it works
EAP, or IEEE 802.1X, provides a mechanism for user-based authentication and access to a
network infrastructure. More specifically, EAP allows the exchange of authentication
information between any end station or server connected to the switch and an authentication
server (such as a RADIUS server).
In a Microsoft domain environment, EAP clients are treated like remote access (dial-in &
VPN) users, which extends the use of RADIUS-based server authentication to internal LAN
users. Until a user is successfully authenticated, the switch blocks all other (non-EAP) traffic
from being forwarded over the network.
EAP authentication methods can include the use of SecurID, PKI & Kerberos; however, this
document only covers RADIUS-based authentication.
EAP Message Exchange
The exchange below runs between the Host (EAP supplicant), the BS/BPS switch (authenticator
and RADIUS client) and the RADIUS server. EAP is carried over Ethernet between host and
switch and inside RADIUS between switch and server. Port access is blocked until the final
EAP-Success.
1. Host -> Switch: EAPoL-Start (access blocked; the switch raises Port-Start / Auth Request)
2. Switch -> Host: EAP-Request/Identity
3. Host -> Switch: EAP-Response/Identity
4. Switch -> RADIUS Server: Radius-Access-Request
5. RADIUS Server -> Switch: Radius-Access-Challenge
6. Switch -> Host: EAP-Request (credentials)
7. Host -> Switch: EAP-Response (credentials)
8. Switch -> RADIUS Server: Radius-Access-Request
9. RADIUS Server -> Switch: Radius-Access-Accept
10. Switch -> Host: EAP-Success (access allowed)
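The exchange above, worked through as an added example (Python written for this page; it is not part of the original document nor Nortel or Microsoft code): a simulated supplicant, switch-port authenticator and RADIUS server run the MD5-Challenge sequence from the diagram, with the port kept blocked until Access-Accept arrives. The user store, identities, passwords and message labels are constructed for the example; the response value is MD5(Identifier || password || challenge) as RFC 2284 defines for the MD5-Challenge type. The simulated server has to hold the cleartext password to recompute that hash, which is the reason the Active Directory setup later in this document enables "Store password using reversible encryption".

```python
import hashlib
import hmac
import os

# Constructed user store for the example: the server keeps the cleartext
# password because EAP MD5-Challenge needs it to recompute the response hash.
USER_DB = {"eapuser": "password"}

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def md5_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """EAP MD5-Challenge response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


class Supplicant:
    """The Windows XP side: answers Identity and MD5-Challenge requests."""

    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def handle(self, req: dict) -> dict:
        if req["code"] != EAP_REQUEST:
            raise ValueError("supplicant only answers EAP Requests")
        if req["type"] == TYPE_IDENTITY:
            data = self.identity
        elif req["type"] == TYPE_MD5_CHALLENGE:
            data = md5_response(req["id"], self.password, req["data"])
        else:
            raise ValueError("unsupported EAP type")
        return {"code": EAP_RESPONSE, "id": req["id"], "type": req["type"], "data": data}


class RadiusServer:
    """Stands in for IAS: challenges after Response/Identity, then accepts or rejects."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # EAP identifier -> (username, challenge)

    def access_request(self, eap: dict):
        if eap["type"] == TYPE_IDENTITY:
            ident, challenge = eap["id"] + 1, os.urandom(16)
            self.pending[ident] = (eap["data"], challenge)
            return "Access-Challenge", {"code": EAP_REQUEST, "id": ident,
                                        "type": TYPE_MD5_CHALLENGE, "data": challenge}
        if eap["type"] == TYPE_MD5_CHALLENGE and eap["id"] in self.pending:
            user, challenge = self.pending.pop(eap["id"])
            password = self.users.get(user)
            # Constant-time comparison of the expected and received hash
            if password is not None and hmac.compare_digest(
                    md5_response(eap["id"], password, challenge), eap["data"]):
                return "Access-Accept", {"code": EAP_SUCCESS, "id": eap["id"]}
        return "Access-Reject", {"code": EAP_FAILURE, "id": eap["id"]}


class Authenticator:
    """The BS/BPS switch port: relays EAP and keeps the port blocked until Access-Accept."""

    def __init__(self, radius: RadiusServer):
        self.radius, self.port_open, self.log = radius, False, []

    def authenticate(self, supplicant: Supplicant) -> bool:
        self.log.append("EAPoL-Start (access blocked)")
        req = {"code": EAP_REQUEST, "id": 1, "type": TYPE_IDENTITY, "data": b""}
        self.log.append("EAP-Request/Identity")
        while True:
            resp = supplicant.handle(req)
            self.log.append("EAP-Response/" + ("Identity" if resp["type"] == TYPE_IDENTITY
                                               else "MD5-Challenge"))
            self.log.append("Radius-Access-Request")
            verdict, req = self.radius.access_request(resp)
            self.log.append("Radius-" + verdict)
            if verdict == "Access-Challenge":
                self.log.append("EAP-Request/MD5-Challenge")
                continue
            self.port_open = verdict == "Access-Accept"
            self.log.append("EAP-Success (access allowed)" if self.port_open
                            else "EAP-Failure (access blocked)")
            return self.port_open


if __name__ == "__main__":
    switch = Authenticator(RadiusServer(USER_DB))
    print("port open:", switch.authenticate(Supplicant("eapuser", "password")))
    print("\n".join(switch.log))
```

Running the script prints the ten messages of the diagram in order and ends with the port open; a wrong password or an unknown identity produces Access-Reject and EAP-Failure with the port still blocked.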
802.1X Ethernet Frame
EAPOL frame layout (field, size, value):
- Destination MAC, 6 bytes: 0180C200000x
- Source MAC, 6 bytes
- Type, 2 bytes: 8180
- Protocol Version, 1 byte: 01
- Packet Type, 1 byte:
  00 EAP-Packet
  01 EAPOL-Start *
  02 EAPOL-Logoff *
  03 EAPOL-Key
  04 EAPOL-Encapsulated-ASF-Alert
  (* no packet body field)
- Packet Body Length, 2 bytes
- Packet Body, n bytes
Packet body field of an EAP-Packet (type 00):
- Code, 1 byte: 1 Request, 2 Response, 3 Success, 4 Failure
- Identifier, 1 byte
- Length, 2 bytes
- Data, n bytes
Packet body field of an EAPOL-Key (type 03):
- Descriptor Type, 1 byte
- Key Length, 2 bytes
- Replay Counter, 8 bytes
- Key IV, 16 bytes
- Key Index, 1 byte
- Key Signature, 16 bytes
- Key, n bytes
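An added parser for the frame layout above (example code written for this page, not Nortel's or Microsoft's): it checks the Ethernet header, the EAPOL header and both length fields, rejects an EAPOL-Start or EAPOL-Logoff that carries a body, and decodes the EAP header of an EAP-Packet. Two values are assumptions not taken from the page: the destination is the PAE group address 01-80-C2-00-00-03, and the EtherType is 0x888E, the value IEEE 802.1X assigns to EAPOL. The sample frames are constructed by the build_eapol helper.

```python
import struct

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 01-80-C2-00-00-03 (assumed last byte 03)
ETHERTYPE_EAPOL = 0x888E                           # EAPOL EtherType per IEEE 802.1X (assumption)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap_packet(pkt: bytes) -> dict:
    """Decode the EAP header (Code, Identifier, Length) and, for Request/Response, the Type."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    data = pkt[4:length]
    out = {"code": EAP_CODES.get(code, "unknown"), "id": ident, "length": length}
    if code in (1, 2):
        if not data:
            raise ValueError("Request/Response must carry a Type byte")
        out["eap_type"], out["type_data"] = data[0], data[1:]
    return out


def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet + EAPOL headers; validate body length against the frame."""
    if len(frame) < 18:
        raise ValueError("frame shorter than Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL packet body")
    if ptype in (1, 2) and body_len != 0:
        raise ValueError("EAPOL-Start and EAPOL-Logoff carry no packet body")
    result = {"dst": dst.hex(), "src": src.hex(), "version": version,
              "type": EAPOL_TYPES.get(ptype, "unknown"), "body_len": body_len}
    if ptype == 0:
        result["eap"] = parse_eap_packet(body)
    return result


def build_eapol(ptype: int, body: bytes = b"", src: bytes = bytes(6)) -> bytes:
    """Constructed frame builder, used only to create sample input for the parser."""
    return (PAE_GROUP_ADDRESS + src
            + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body)


# Constructed samples: an EAPOL-Start and an EAP-Request/Identity (code 1, id 1, len 5, type 1)
SAMPLE_START = build_eapol(1)
SAMPLE_REQ_IDENTITY = build_eapol(0, struct.pack("!BBH", 1, 1, 5) + bytes([1]))

if __name__ == "__main__":
    print(parse_eapol_frame(SAMPLE_START))
    print(parse_eapol_frame(SAMPLE_REQ_IDENTITY))
```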
EAP and RADIUS related RFCs
RFC2284 – PPP Extensible Authentication Protocol
RFC2716 – PPP EAP Transport Level Security (TLS) Authentication Protocol
RFC2865 (Obsoletes RFC2138) – RADIUS
RFC2548 – Microsoft Vendor specific RADIUS Attributes
Setting up a Microsoft Windows 2000 Server
Tips and Hints for setting up a W2K Server
When installing and setting up MS W2K Server, be sure to correctly choose some of the
following information:
- Native or Mixed Mode server operation. Choose Native Mode if only supporting
Windows 2000 and XP workstation users. Mixed Mode enables support for “pre-Windows
2000 workstation users”.
- Workgroup, Domains and Active Directory. Do not choose options to install the W2K
server as a “Workgroup” server but as a “Domain Controller”. This means that the
server will also need to run DNS, so a server and domain name must be entered.
Note: the “Server name” will be automatically generated if you do not enter a name.
- Use the password of 'password' for Administrators and Users for testing purposes to
avoid confusion.
- Enable DHCP and set a scope for clients when they log in. Optionally enter the W2K
server IP address as DNS server & IP gateway address. Optionally set WINS server
info (not used in this test).
- Active Directory users being authenticated by IAS need to be members of the “RAS and
IAS Servers” security group.
- Order of configuration setup: IAS, RAS & then Active Directory.
- IAS must be “registered” with Active Directory to enable authentication of EAP, VPN
& RAS users to their Active Directory accounts.
Configuration and Setup used in this document
Server name: NORTEL-S2GVEX1I (Domain Controller)
IP address: 10.10.10.50
Active Directory Domain: testw2k.nortel.com
DHCP scope: 10.10.10.100/24 to 10.10.10.254/24
WINS Server: information not used
RADIUS Port numbers: 1645 & 1803.
Configuring the Windows 2000 Server
Once the Windows 2000 Server software has been successfully loaded, and you have set up
the administrator, entered a password and booted up the W2K server, you need to
configure and set up the services you wish to run on the server. The “Configure Your Server”
screen can be used to run the various install wizards for Active Directory, DHCP, DNS, IAS &
RRAS. Alternatively you can perform each of these tasks manually at any time under
Control Panel > Administrative Tools and select the appropriate service icons from there.
1. From the Start menu, select “Administrative Tools>Configure Your Server”. At the first
window (below), select “This is the only server in my network” for the purposes of
demonstrating EAP.
2. Enter the name for the domain that this server will exist in. Example screens below.
3. Once the server domain setup has been completed, you will be prompted to complete
setting up other services by selecting an item in the left menu. Alternatively, you can
close the window and individually select to set up various services under “Control
Panel > Administrative Tools” (bottom).
Setting up IAS
Select the Internet Authentication Service configuration icon within “Administrative Tools”.
1. The first thing to do within IAS is to register it with Active Directory. Right click on the
“Internet Authentication Service (Local)” icon and select “Register Service in Active
Directory”.
2. Add a RADIUS client (the BS/BPS switch address) by right clicking on the “Clients”
folder and selecting “New Client”.
3. Enter the friendly name for the BS/BPS switch – use something to identify the
particular switch this entry refers to. Enter the IP address 10.10.10.20, select “RADIUS
Standard” in the Client-Vendor window and enter the shared secret password for the
client (the same password to be entered on the switch).
4. Right click on Remote Access Policies icon (#1) and select “New Remote Access
Policy”. Enter a 'Policy friendly name' of eapusers (#2), click “Next”, then the “Add…”
button and select the attribute Windows-Groups (#3). Click “Add”, then at the “Groups”
window click “Add” again and select the Domain Users (#4) entry in the groups list.
Click “Add” and “OK”, then OK again at the “Groups” window to return to the “Add
Remote Access Policy” window (#5). The policy created here will apply to all matching
domain users in the W2KTEST domain. Finally click “Next”, then check the “Grant
remote access permission” radio button (#6) then click “Next” and “Finish” to complete
the matching attribute characteristics of the policy.
*IAS policies are global for RADIUS & so a catch-all policy has been created for all 'eapusers'
users in the “TESTW2K” domain. Change the order for the 'eapusers' policy to be first.
5. The profile for the policy still needs to be modified. Double click on the eapusers entry
to display the policy properties and then click on the “Edit Profile” button (#1). Select
the 'Authentication' tab and only check the 'EAP' box with 'MD5-Challenge' selected
and also check the 'Encrypted Authentication (CHAP)' box (#2). Select the 'IP' tab and
set the “Client may request an IP address” radio button so the EAP users can receive
an IP lease from the DHCP server after authenticating.
'Conditions to match' are the “Check list attributes” for incoming RADIUS
authentication requests, and any user account in the domain “TESTW2K” will match
and cause the policy to be used.
Authentication must be selected as EAP (MD5-Challenge) and also CHAP.
*EAP clients can request an IP address (using DHCP etc.) after authenticating.
6. The RADIUS return attributes for the policy still need to be modified. Select the
'Advanced' tab and remove the two existing default RADIUS parameters (#1). Click on
the “Add” button and select the “Tunnel-Pvt-Group-ID” parameter (#2), click “Add”
(#3), then “Add” again to enter the VLAN ID (this case = 1) for the eapuser (#4). Click
“OK” twice when done to return to the “Add Attributes” window (as in #2).
Tunnel-Pvt-Group-ID is the VLAN ID returned to the switch that the user is to be
placed in and will override the current switch port VLAN configuration settings. The
Port Priority (not shown) can also be sent to the switch (refer Baystack or BPS switch
user guide on EAP security & supported return attributes).
7. While still at the “Add Attributes” window, select the “Tunnel-Medium-Type” parameter,
click “Add” (#1), & “Add” again and select the “802 (includes all 802 media…)” attribute
(#2) then click “OK” and return back to the “Edit Dial-in Profile” window (#3).
Resultant list of Return Attributes to the BS/BPS switch above. More attributes can be
returned to the switch based on requirements – excerpt from BS/BPS manual below.
Note on RADIUS Return Attributes:
RADIUS Return List attributes supported by the Baystack 350/450 and BPS2000 switches
are shown below – excerpt from BS/BPS user guide:
VLAN membership attributes
- Tunnel-Type: value 13, Tunnel-Type-VLAN
- Tunnel-Medium-Type: value 6, Tunnel-Medium-Type-802
- Tunnel-Private-Group-Id: ASCII value 1 to 4094 (This value used to identify
the specified VLAN)
Port Priority (vendor specific) attributes
- Vendor Id: value 562, Nortel Networks vendor-Id
- Attribute Number: value 1, Port Priority
- Attribute Value: value 0 (zero) to 7 (this value is used to indicate the port
priority value assigned to the specific user)
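The return list above, encoded and decoded as an added example (Python written for this page; not switch or IAS code): build_return_list produces the RFC 2865/2868 wire form of Tunnel-Type (13), Tunnel-Medium-Type (6), Tunnel-Private-Group-Id and the Nortel vendor-specific Port Priority attribute (vendor-Id 562, attribute 1), and decode_return_list applies the checks a switch would make before changing a port's VLAN and priority. The attribute numbers 64, 65, 81 and 26 come from those RFCs. The optional tag byte is handled as RFC 2868 describes: a leading byte of 0x1F or less on the group-id string is a tag, not part of the VLAN id, and the example sends the string untagged when the tag is 0.

```python
import struct

# Attribute numbers from RFC 2865 (Vendor-Specific) and RFC 2868 (tunnel attributes)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type-VLAN
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type-802
NORTEL_VENDOR_ID = 562       # Nortel Networks vendor-Id
NORTEL_PORT_PRIORITY = 1     # vendor attribute number for Port Priority


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_return_list(vlan_id: int, port_priority=None, tag: int = 0) -> bytes:
    """Encode the return-list attributes an IAS profile would send in Access-Accept."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    avps = [
        _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
        # The tag is optional on the string attribute; omit it when it is 0
        _avp(TUNNEL_PRIVATE_GROUP_ID,
             (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")),
    ]
    if port_priority is not None:
        if not 0 <= port_priority <= 7:
            raise ValueError("port priority must be 0..7")
        # Vendor-Specific: Vendor-Id (4) then Vendor-Type (1), Vendor-Length (1), value (4)
        vsa = struct.pack("!BBI", NORTEL_PORT_PRIORITY, 6, port_priority)
        avps.append(_avp(VENDOR_SPECIFIC, struct.pack("!I", NORTEL_VENDOR_ID) + vsa))
    return b"".join(avps)


def decode_return_list(data: bytes) -> dict:
    """What the switch does with the Access-Accept: extract VLAN and port priority, or refuse."""
    seen, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be tag + 3 bytes")
            seen[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:      # leading tag byte, not part of the string
                value = value[1:]
            seen[attr_type] = value.decode("ascii")
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 10:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == NORTEL_VENDOR_ID and vtype == NORTEL_PORT_PRIORITY and vlen == 6:
                seen["priority"] = struct.unpack("!I", value[6:10])[0]
    result = {"vlan": None, "port_priority": seen.get("priority")}
    if TUNNEL_PRIVATE_GROUP_ID in seen:
        if (seen.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
                or seen.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802):
            raise ValueError("VLAN assignment needs Tunnel-Type=13 and Tunnel-Medium-Type=6")
        vlan = int(seen[TUNNEL_PRIVATE_GROUP_ID])
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN id out of range")
        result["vlan"] = vlan
    return result


if __name__ == "__main__":
    wire = build_return_list(1, port_priority=3)
    print(wire.hex())
    print(decode_return_list(wire))
```

The decoder refuses a Tunnel-Private-Group-Id that arrives without matching Tunnel-Type and Tunnel-Medium-Type values, which is the combination the BS/BPS excerpt lists for VLAN membership, and leaves the port's VLAN untouched when no tunnel attributes are returned at all.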
Setting up the Routing & Remote Access Service
The Routing and Remote Access service serves to provide IP routing functions on the server
and support of the connection of remote access users.
1. First, the service needs to be enabled and running. You can start and stop the RRA
Service by right clicking on “NORTEL-S2GVEX1I (local)” and selecting “All Tasks”
then “Start”, “Stop” or “Restart”. In this case, the RRA Service is running locally on the
W2K server.
2. Under “Administrative Tools”, select “Routing and Remote Access”. Right click on
“NORTEL-S2GVEX1I” and select “Configure & Enable Routing and Remote Access”.
3. Set the operation mode for the server by right clicking on the “[server name] (local)”
icon and selecting “Properties”. Routing and/or Remote Access modes can be
enabled. Under the General tab, enable only “Remote access server” mode. Select the
Security tab to view and configure RADIUS Authentication and Accounting.
Click on “Authentication Methods…” button to view and select the authentication methods
globally supported by the RADIUS server.
Setting up Active Directory
Under Administrative Tools, select “Active Directory Users and Computers” to add a new
user account to Active Directory. Individual users can be set up to have privileges to access
the network and to administer switches by setting up policies in IAS. Policies are created to
match the username and then provide access privileges. The setup used in this document
only uses two policies, one for the EAP user and one for the switch administrator (later on),
but these can be the same user.
Creating a user account and setting up authentication via EAP
1. Right click on the “Users” folder & select “New > User”. Add the information below and use
'password' as the user's password, then click “Next” & “Finish” when complete.
2. After the user eapuser has been added to Active Directory, some parameters will need
to be changed for the user. Double click on the entry in the “Users” list to view the
user's properties, then select the “Member Of” tab and check that the user is a
member of 'Domain Users' & 'RAS and IAS Servers'. Use the “Add” button to modify
the list if it is not as shown below.
Also check the “General” tab and optionally add a description for the user.
3. Select the “Account” tab and change the “Account options:” section check boxes to
enable 'Password never expires' & 'Store password using reversible encryption' as
shown below. The latter must be enabled for correct operation using MD5
authentication with EAP.
Select the “Dial-in” tab and set the “Control access through Remote Access Policy”
radio button. Leave all other tabs as default settings.
User account options such as 'Store password using reversible encryption' must be
enabled for EAP, which uses CHAP (with MD5-Challenge selected) with an encrypted
password.
An EAP user is treated like a RAS or VPN user for authentication and so for Microsoft
RADIUS server authentication (with IAS), the “Control access through Remote Access
Policy” radio button must be selected for the user. (Note: this can only be selected
once the R&RA service is running).
4. From the Active Directory User list, right click on “RAS and IAS Servers” and select
“Properties”. Check the “General” and the “Members” tab that details are as below.
The Domain Controller (W2K server) must be a member of the “RAS and IAS Servers”
group as well as all individual users (or user groups) using the RAS and IAS services.
Note: Windows 2000 Servers can be set up with different Group Scopes to allow separate
groups for RAS and IAS users (which includes EAP users) to segregate them from
standard user accounts, where those users may not be able to use EAP etc. This setup
does not use a group scope.
Setting up a Microsoft Windows XP desktop
Tips and Hints for setting up Windows XP
- Set up at least one user to have local administrative privileges on the XP workstation.
Create that user's local account with the same names being used in the domain for
convenience.
- The very first time that a user logs into the domain at the initial XP login window, where
the user/password & domain name are entered, make sure the BS/BPS switch port
does not have EAP enabled, to allow the workstation to find the domain controller (W2K
server) in order for the user's credentials to be cached in XP.
- When EAP is set up on the switch and the XP workstation, allow several seconds for the
pop-up domain login to appear from the system tray.
Enabling EAP on Windows XP
1. With a PC/Laptop running Windows XP, select “Control Panel”. Double click on the
“Network Connections” icon, then right click and select “Properties” off the LAN
Connection Icon (should have screen below). Under the “General” tab, check the “Show
icon in notification area when connected” box. This will enable the popup window on the
desktop notifying you to login to the network after XP completes its start up.
2. Click on the “Authentication” tab and check the “Enable network access control using
IEEE 802.1X” box. There is no need to check other boxes for EAP authentication unless
support for connection to non-EAP enabled switch ports is required.
Setting up a Nortel Networks Baystack/BPS switch
RADIUS configuration
1. Using a console connection to the switch, from the Main Menu select “IP
Configuration/Setup“ and set the BS/BPS switch IP address to 10.10.10.20/24 and
default gateway IP address (optional) to 10.10.10.1.
2. From the Main Menu select “Console/Comm Port Configuration” and set the RADIUS
Server IP address to 10.10.10.50 and the shared secret password of 'canberra'. The
RADIUS UDP port number should remain unchanged.
EAPoL configuration
3. From the Main Menu select “Switch Configuration > EAPOL Security Configuration” and
set the following parameters:
Set the 'EAPOL Administrative State' for the switch to “Enabled”, then select a port on
the switch that the EAP process is going to operate on (example port 20 below).
Secondly, set the 'Administrative Status' to “Auto” for the specified port. This means
that the port authorization status relies on the EAP authentication results. Leave other
values as default.
Testing EAP Authentication
This section illustrates booting up the Windows XP workstation and testing the EAP login
process and checking success.
Logging on to the Domain with Windows XP
1. From a powered-off state, start the Windows XP PC connected to port 20 of the
Baystack/BPS switch. At the first Windows XP login banner, enter the computer
username and password or the Domain username/password & domain name (either
will do as XP itself can be configured to support multiple users).
2. Once Windows XP has finished starting up and the desktop screen and icons are
visible, within a few seconds (allow up to 10 seconds) a message will pop up from the
system tray asking you to log on to the network. Refer below.
3. Click on the dual-PC icon in the system tray to reveal the new login window below.
Note: the Local Area Connection status window may also appear, but just close that
window.
Checking EAP Authentication Success
4. Check under “Control Panel” > “Network Connections” and view Local Area
Connection icon status (should say “Authentication Succeeded”). See below.
5. Also check that DHCP worked by clicking on the double PC icon in the System tray
and selecting the “Support” tab to see the allocated IP address and other info.
6. Check and view the event viewer (select the Windows 2000 menu “Start” >
“Administrative Tasks” > “Event Viewer”). Click on “System Log” then double click on
the top event to view its properties. View EAP success in the Event description window.
Tips and Hints with EAP Authentication
Below is a list of some of the things noted during EAP testing:
- After completing a successful EAP login to the Domain, when you log back out of
Windows XP and re-login without powering off or unplugging the Ethernet cable from
the PC you will usually not get the EAP login prompt.
- After logging out of Windows XP and before re-attempting another login, either remove
and re-insert the Ethernet cable on the PC, or set the “Reinitialize Port” parameter to
“Yes” on the BS/BPS switch port that the PC is connected to. This action will cause
the EAP login system tray prompt to appear again after logging into Windows XP.
- Make sure the user has successfully logged onto the Domain for the first time via a
switch port without EAP enabled. This is to allow caching of the user credentials in the
XP workstation. The very first login for a new user on the XP workstation during
startup requires the user to enter his domain login (username/password & Domain), at
which point the XP workstation will attempt to find the server / domain controller without
running EAP. If the XP workstation is connected to a switch port with EAP
enabled, the login will fail (i.e. the workstation will never find the server). After the first
successful login, EAP can then be enabled on the switch port from that point onwards
for correct operation.
- It seems that for stable login operation with Windows XP's embedded EAP
client, the switch port must be in an initialized link state (for the PAE on the
switch).
Setting up and Testing Administrative Authentication
This section describes setting up a user for switch administration access, testing the switch
login process and checking RADIUS authentication success.
Configuring a client policy under IAS
1. Right click on Remote Access Policies icon (#1) and select “New Remote Access
Policy”. Enter a 'Policy friendly name' of baystack (#2), click “Next”, then the “Add…”
button at the Conditions window (#3). This is where the user or group is entered as the
matching condition to allow authentication through this policy. In this section all
domain users will be allowed to administer the switch.
Note: What a server administrator should normally do is define a group of network
administrators and use a policy that only allows the users in that group access to network
devices via console or telnet.
2. Click “Add” from the Conditions window (#3) and select the attribute Windows-Groups
(#4). Click “Add”, then at the “Groups” window (#5) click “Add” again and select the
Domain Users (#6) entry in the groups list. Click “Add” and “OK”, then OK again at the
“Groups” window to return to the “Add Remote Access Policy” window (#7). The policy
created here will apply to all matching domain users in the W2KTEST domain.
3. Finally check the “Grant remote access permission” radio button (#7), click “Next” then
“Edit Profile” (#8) to change the properties of the policy.
4. Select the “Authentication” tab and check the “Unencrypted Authentication (PAP,
SPAP)” box as displayed below.
5. Select the “Advanced” tab to configure the return attributes for the profile and remove
the two default parameters shown in the example below (#1). Once removed, click
“Add”, select the “Service-Type” RADIUS attribute (#2), click “Add” again and select an
Attribute value of “Administrative” (#3). Click “OK” & “Close” to return to the “Edit Dial-
in Profile” (#4) window, then click “Apply” and “OK” (twice) to return to the IAS window.
6. At the main IAS window with the “Remote Access Policies” icon selected, change the
order of the baystack policy in the policy list window by selecting it once and clicking
on the black up arrow and move it to first position.
Note: During this time EAP logins will not work as both the baystack and eapusers
policies use the same matching conditions for authentication (all users in the domain), i.e.
if eapuser tries to log in at this point, they will match the baystack policy and attempt to be
authenticated using their EAP user parameters, but the baystack policy has not been
set up to allow EAP authentication (note from step 4).
It is for the above reason that a separate group containing network administrative
usernames and passwords should be set up to allow console and telnet RADIUS
authentication via IAS, allowing multiple access policies to exist.
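The policy-ordering problem described in the note, as an added model (Python written for this page; not IAS code): remote access policies are evaluated in order and the first one whose conditions match decides the outcome, so a catch-all baystack policy placed first rejects an EAP MD5-Challenge logon even though the eapusers policy below it would have accepted it. The policy dictionaries, the group name "Switch Admins" and the authentication method names are constructed for the example.

```python
# Constructed model of IAS remote access policy evaluation for this example.
# Each policy records the Windows groups its condition matches, the
# authentication methods its profile allows, and the return attributes it sends.
POLICIES_AS_BUILT = [
    {"name": "baystack", "groups": {"Domain Users"}, "auth": {"PAP"},
     "returns": {"Service-Type": "Administrative"}},
    {"name": "eapusers", "groups": {"Domain Users"}, "auth": {"EAP-MD5", "CHAP"},
     "returns": {"Tunnel-Pvt-Group-ID": "1"}},
]

# The fix the note recommends: the administrative policy matches a dedicated group only
# (the group name "Switch Admins" is constructed for the example).
POLICIES_FIXED = [
    {"name": "baystack", "groups": {"Switch Admins"}, "auth": {"PAP"},
     "returns": {"Service-Type": "Administrative"}},
    {"name": "eapusers", "groups": {"Domain Users"}, "auth": {"EAP-MD5", "CHAP"},
     "returns": {"Tunnel-Pvt-Group-ID": "1"}},
]


def evaluate(policies: list, user_groups: set, auth_method: str) -> tuple:
    """First-match evaluation: the first policy whose conditions match decides.
    Returns (verdict, policy name, return attributes)."""
    for policy in policies:
        if policy["groups"] & user_groups:
            if auth_method in policy["auth"]:
                return ("Access-Accept", policy["name"], policy["returns"])
            # Matched, but the profile does not allow this method: no fall-through
            return ("Access-Reject", policy["name"], {})
    return ("Access-Reject", None, {})


if __name__ == "__main__":
    print("as built:", evaluate(POLICIES_AS_BUILT, {"Domain Users"}, "EAP-MD5"))
    print("fixed:   ", evaluate(POLICIES_FIXED, {"Domain Users"}, "EAP-MD5"))
    print("admin:   ", evaluate(POLICIES_FIXED, {"Domain Users", "Switch Admins"}, "PAP"))
```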
Creating a user account for switch administration
1. Right click on the “Users” folder & select “New > User”. Add the information below and use
'password' as the user's password, then click the “Finish” button when complete.
2. After the user baystack has been added to Active Directory, some parameters will need
to be changed for the user. Double click on the entry in the “Users” list to view the
user's properties, then select the “Member Of” tab and check that the user is a
member of 'Domain Users' & 'RAS and IAS Servers'. Use the “Add” button to modify
the list if it is not as shown below.
3. Select the “Account” tab and change the “Account options:” section check box to
enable 'Password never expires' as shown below.
Select the “Dial-in” tab and set the “Control access through Remote Access Policy”
radio button. Leave all other tabs as default settings.
Configuring the BS/BPS for Telnet/Console RADIUS Authentication
1. From the BS/BPS switch Main menu select “Console/Comm Port Configuration” and
set the “TELNET Switch Password Type:” to RADIUS Authentication.
Testing Administrative Authentication
1. Telnet to the BS/BPS switch (10.10.10.20) and after being prompted and pressing
“CTRL-Y”, you should get a login screen as below. Enter the login username of
baystack and password of password and hit enter to proceed to the switch main menu.
Tips and Hints with Authentication
- Authentication fails even though the parameters appear to have been set correctly.
Sometimes after adding a user account in Active Directory, and then when parameters have
been modified (particularly under user properties “Account” tab in the “Account Options”
section – password never expires area), try resetting the user's password. Do this by
right clicking on the user in the AD list and selecting “Reset Password…”.
- Always check the server Event log for explanations of what happened if a failure occurs.