Nortel 450 switch / EAPOL / Microsoft IAS / 802.1x / PEAP etc

Has anyone managed to get Nortel 450 switches to work with EAPOL with Microsoft IAS using 802.1x?

I have Windows XP SP2 clients, Server 2003 Release2 server running IAS. I have set up the return attributes as described in the documentation, namely:

VLAN Membership attributes:

-- Tunnel-Pvt-Group-ID RADIUS Standard String Value = number of VLAN

-- Tunnel-Type RADIUS Standard Virtual LANs (VLAN)

-- Tunnel-Medium-Type RADIUS Standard 802 (Includes all 802 media... )

-- Nortel-Port-Priority Nortel Networks 4

(I have also tried the vendor-specific attribute, but IAS in Server 2003 knows about some Nortel attributes.)

The client is setup with a secret and 'Requests must contain the Message Authenticator attribute' is ticked.

The policy conditions are 'NAS-Port-Type matches "Ethernet" AND Windows-Groups matches "\\"'.

The computer and user accounts have dialin 'controlled through RAS policy'.

The 450 switch is running firmware 4.5.4.06. The switch is not in a stack.

I have tried using MD5 (yes I turned on 'use reversible encryption'), 'Smartcard or other Certificate', and PEAP.

In all of my tests, for both the machine and the user account, the port is authorised and access is granted. Events are logged to this effect, and if I look in the JDM at the switch I see the port is authorised, and I also see the VLAN change to whatever I tell IAS to return. Everything *looks* fine; however, the clients will not work - I do not get DHCP, and if I set a static IP address on the client and try to ping something, I get nothing. If I set a static IP on the client, run Ethereal on the client and monitor the EAP process, I see an EAP success. I then see IGMP V2 Membership Reports, the source of which are other machines in the VLAN that I'm supposed to be in, and I see Nortel SONMP traffic. If I run the 'dhcploc' utility and manually request an IP over DHCP, I see the requests but no responses.

I have IAS set up and working just fine for wireless clients using some Nortel 2380 wireless switches, but the 450s simply Do Not Work.

I have tried two different clients and have updated all drivers where possible. The newest client was a Dell D600 with the Broadcom driver dated 2006. All yield the same results.

Does *anyone* have this working?
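As an added example (not from the original thread, and not Nortel's or Microsoft's code), here is a small Python encoder and checker for the three RFC 2868 tunnel attributes listed above. It is useful when troubleshooting a setup like this one: decode the attribute bytes of the Access-Accept seen in a capture and confirm the server really returned a consistent Tunnel-Type = VLAN (13), Tunnel-Medium-Type = 802 (6) and Tunnel-Private-Group-ID triple with matching tags. The attribute numbers and values are RFC 2868's; the VLAN id 20 used in the test is constructed.

```python
# Added example: encode / verify the RFC 2868 tunnel attributes used for
# dynamic VLAN assignment (Tunnel-Type, Tunnel-Medium-Type,
# Tunnel-Private-Group-ID) in a RADIUS Access-Accept.

TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_802 = 6            # "802 (includes all 802 media ...)"
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def encode_tunnel_int(attr_type, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: Type, Length, Tag, 3-byte integer."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body

def encode_tunnel_string(attr_type, text, tag=0):
    """Tunnel-Private-Group-ID: Type, Length, Tag, string (the VLAN number)."""
    body = bytes([tag]) + text.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body

def vlan_assignment_attrs(vlan_id, tag=0):
    """The attribute triple an Access-Accept needs to move a port into a VLAN."""
    return (encode_tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + encode_tunnel_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))

def parse_attrs(raw):
    """Walk a RADIUS attribute list (Type, Length, Value ...) into pairs."""
    out, i = [], 0
    while i < len(raw):
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((attr_type, raw[i + 2:i + length]))
        i += length
    return out

def assigned_vlan(raw):
    """VLAN id requested by the attributes, or None when the triple is absent
    or inconsistent (wrong medium, non-VLAN tunnel type, tags that differ)."""
    by_tag = {}
    for attr_type, v in parse_attrs(raw):
        if attr_type in TUNNEL_ATTRS and v:
            tagged = v[0] <= 0x1F           # a first byte > 0x1F is data, not a tag
            by_tag.setdefault(v[0] if tagged else 0, {})[attr_type] = v[1:] if tagged else v
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            return int(group) if group.isdigit() else None
    return None
```

Feed `assigned_vlan` the attribute bytes of a captured Access-Accept; a `None` for a port that the switch nevertheless shows as authorised points at the server-side policy, while a correct id with no connectivity (as in this thread) points at the switch side.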

Skinftz

I just worked out what was wrong - turns out spanning tree MUST be enabled on the ports that are using EAPOL!

AAARRRGGGHHH!!!!!!! WOULD IT HAVE KILLED YOU NORTEL TO MENTION THIS IN THE DOCUMENTATION??????!!!!!

*ahem*.

:)

Skinftz
