SSO. Firmware and configuration of D-link DES3200-26
Firmware and setup of D-link DES3200-26 C1
Let's start with revision C1. The firmware for revision C1 can be downloaded from the vendor (firmware for the other revisions is in the same folder, each signed).
Download the firmware and put it on your TFTP server; under Windows you can use tftp64.exe if there are no other options.
For DES-3200 rev.C1, updating to firmware branch 4.38 and higher must be done via the intermediate firmware 4.38.000.
Update to 4.38:
sh switch
save
download firmware_fromTFTP 10.200.0.106 src_file DES3200R_4.38.B000.had dest_file DES3200R_4.38.B000.had
config firmware image DES3200R_4.38.B000.had boot_up
dir
del c:/runtime.had
reboot
Here 10.200.0.106 is the address of my TFTP server.
Update to 4.51:
download firmware_fromTFTP 10.200.0.106 src_file DES3200-26-C1_Run_4_51_B007.had dest_file DES3200-26-C1_Run_4_51_B007.had
config firmware image DES3200-26-C1_Run_4_51_B007.had boot_up
dir
del c:/DES3200R_4.38.B000.had
reboot
Firmware for D-link DES3200-26 A1
Update to 1.91:
sh switch
config firmware image_id 2 delete
download firmware_fromTFTP 10.200.0.106 DES-3200R_1.91.B07.had image_id 2
config firmware image_id 2 boot_up
save all
reboot
Firmware for D-link DGS3100-24tg
show switch
download firmware 10.200.0.106 DGS-3100-xx-3.60.45.ros
Bonus
D-link DGS3024 firmware:
download firmware 10.200.0.106 DGS-3024_A4_v4.01B01.had
Configuration of D-link DES3200-26 switches
Reset:
reset config
reset system
Creating the admin account:
create account admin admilink
vS!b!r!-H0l0dn0
vS!b!r!-H0l0dn0
enable password encryption
Configuring VLANs and the management IP:
config vlan vlanid 1 delete 1-28
create vlan management tag 100
create vlan vlanid 50
config vlan vlanid 100 add tagged 25-28
config vlan vlanid 100 add untagged 1-24
config ipif System ipaddress 10.10.0.221/24 state enable vlan management
create iproute default 10.10.0.1
Here 10.10.0.221 is the switch IP and 10.10.0.1 is the default gateway. Next we specify the time server and time zone, and enable password recovery in case the password is forgotten.
config sntp primary 10.200.0.2
config sntp secondary 83.172.56.202
enable sntp
config time_zone operator + hour 7 min 0
enable command logging
enable password_recovery
enable clipaging
enable web 80
enable ssh
enable telnet 23
Setting up SNMP with our community "tokb-v2" and deleting the default ones. STP is not used in my case, so I disable it and put loop and BPDU protection on the ports instead; LLDP is disabled as well.
delete snmp community public
delete snmp community private
delete snmp user initial
delete snmp group initial
delete snmp view restricted all
delete snmp view CommunityView all
delete snmp group ReadGroup
delete snmp group WriteGroup
enable snmp
create snmp view CommunityView 1 view_type included
create snmp group Readers v1 read_view CommunityView notify_view CommunityView
create snmp group Readers v2c read_view CommunityView notify_view CommunityView
create snmp community tokb-v2 view CommunityView read_only
disable stp
enable loopdetect
config loopdetect ports 1-24 state enable
enable bpdu_protection
config bpdu_protection ports 1-24 mode shutdown state enable
disable lldp
config filter dhcp_server ports 1-24 state enable
config filter dhcp_server add permit server_ip 10.10.0.1 ports 26
config filter dhcp_server add permit server_ip 10.200.0.1 ports 26
We specify the RADIUS settings, where 10.10.0.2 is the first AAA server and 172.31.200.2 is the second:
create authen server_host 10.10.0.2 protocol radius port 1812 key "HawAiRules%7334" timeout 3 retransmit 1
config authen server_group radius delete server_host 0.0.0.0 protocol radius
create authen server_host 172.31.200.2 protocol radius port 1812 key "HawAiRules%7334" timeout 5 retransmit 2
config authen server_group radius delete server_host 0.0.0.0 protocol radius
config authen server_group radius add server_host 172.31.200.2 protocol radius
config authen server_group radius add server_host 10.10.0.2 protocol radius
config authen_login default method local
create authen_login method_list_name rad_ext
config authen_login method_list_name rad_ext method radius
config authen_enable default method local_enable
create authen_enable method_list_name rad_ext_ena
config authen_enable method_list_name rad_ext_ena method radius
config authen application console login default
config authen application console enable default
config authen application telnet login method_list_name rad_ext
config authen application telnet enable method_list_name rad_ext_ena
config authen application ssh login method_list_name rad_ext
config authen application ssh enable method_list_name rad_ext_ena
config authen application http login default
config authen application http enable default
config authen parameter response_timeout 0
config authen parameter attempt 3
enable authen_policy
disable web
disable telnet
save all
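The configuration above enables web and telnet early on and only disables them at the end, so any check of the final state has to take the last enable/disable line for each service. The following audit script is an added example (not part of the original article) that runs over a constructed excerpt of this D-Link CLI session and reports the hardening points the article applies: cleartext management protocols left on, password encryption, factory SNMP communities, writable communities, and the rogue DHCP server filter.

```python
import re

# Constructed excerpt of the D-Link CLI session shown in the article (not the full config).
SAMPLE_CONFIG = """\
enable password encryption
enable web 80
enable ssh
enable telnet 23
delete snmp community public
delete snmp community private
create snmp community tokb-v2 view CommunityView read_only
config filter dhcp_server ports 1-24 state enable
disable web
disable telnet
save all
"""


def service_state(lines, name):
    """Return True/False for the final state of a service, or None if never set.
    The last enable/disable line wins, mirroring sequential CLI execution."""
    state = None
    for ln in lines:
        m = re.match(rf"^(enable|disable)\s+{name}(\s|$)", ln)
        if m:
            state = m.group(1) == "enable"
    return state


def audit(config_text):
    """Return a sorted list of hardening findings for a DES-3200 style config."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    for svc in ("telnet", "web"):          # cleartext management protocols
        if service_state(lines, svc):
            findings.append(f"{svc} left enabled")
    if service_state(lines, "ssh") is not True:
        findings.append("ssh not enabled")
    if "enable password encryption" not in lines:
        findings.append("password encryption not enabled")
    for comm in ("public", "private"):     # factory SNMP communities
        if f"delete snmp community {comm}" not in lines:
            findings.append(f"default snmp community '{comm}' not deleted")
    for ln in lines:                       # any community with write access
        if ln.startswith("create snmp community") and ln.endswith("read_write"):
            findings.append(f"writable snmp community: {ln.split()[3]}")
    if not any(re.match(r"^config filter dhcp_server ports .* state enable$", ln) for ln in lines):
        findings.append("rogue DHCP server filter not enabled")
    return sorted(findings)
```

Run it against a saved `show config` dump to confirm the final state matches what was intended before the switch is handed over.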
Setting up RADIUS (NPS on Windows Server 2016)
We assume that the Network Policy Server role is already installed.
Launch Network Policy Server -> Policies -> Network Policies -> New.
We create the policy as follows:
As you can see from the screenshot, we have created a separate group in AD, Switches-Write – users in this group receive administrator rights on the switches and can make changes to the configuration.
Since we have many switches from different vendors, we name the RADIUS clients after the vendor, in our case D-link*, and match the policy on the client name so the rules apply to all of them.
We add a "Vendor-Specific" attribute, specifying the vendor code "171" and the access-rights value "5".
For the configuration read-only group, we set the access-rights value to "4" and create a separate AD group, Switches-Read.
We create a shared secret for each type of switch.
Next, we create a RADIUS client: give it the correct name, specify the IP address of the switch, and select the shared secret from the drop-down menu.
We leave the vendor name as "RADIUS Standard".
In the domain, be sure to create an account with the login "enable" and check the "Password never expires" box.
Add the user to the “Switches-Write” group.
When connecting via SSH and entering your login and password, use the "enable admin" command to obtain administrator privileges.
P.S. A domain login cannot be longer than 15 characters; I ran into this!
I saw from the logs that only the first 15 characters are sent to the RADIUS server.
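The NPS settings above (vendor code 171, access-rights value 5 for Switches-Write and 4 for Switches-Read) end up on the wire as an RFC 2865 Vendor-Specific attribute. The encoder/decoder below is an added example, not code from the article or from D-Link, useful for checking a RADIUS capture against the policy; the vendor sub-attribute number VENDOR_TYPE_PRIV is an assumed placeholder, since the article does not give it.

```python
import struct

DLINK_VENDOR_ID = 171   # vendor code entered in NPS, as given in the article
ROLE_FOR_PRIV = {5: "Switches-Write", 4: "Switches-Read"}  # access-rights values from the article
VENDOR_TYPE_PRIV = 1    # ASSUMPTION: placeholder vendor sub-attribute number, not from the article


def encode_vsa(vendor_id, vendor_type, value):
    """Build one RFC 2865 Vendor-Specific attribute (type 26) wrapping a single
    vendor sub-attribute: Type | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | Value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", 26, 2 + len(body)) + body


def decode_vsa(attr):
    """Parse a Vendor-Specific attribute into (vendor_id, [(vendor_type, value), ...]),
    rejecting truncated or overlapping lengths rather than trusting them."""
    if len(attr) < 8:
        raise ValueError("attribute too short")
    attr_type, length = struct.unpack("!BB", attr[:2])
    if attr_type != 26 or length != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated vendor sub-attribute header")
        vendor_type, sub_len = struct.unpack("!BB", attr[pos:pos + 2])
        if sub_len < 2 or pos + sub_len > length:
            raise ValueError("bad vendor sub-attribute length")
        subs.append((vendor_type, attr[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, subs


def role_for_vsa(attr):
    """Map a D-Link VSA to the AD group name used in the NPS policies; None if the
    attribute belongs to another vendor or carries an unknown privilege value."""
    vendor_id, subs = decode_vsa(attr)
    if vendor_id != DLINK_VENDOR_ID:
        return None
    for vendor_type, value in subs:
        if vendor_type == VENDOR_TYPE_PRIV and len(value) == 4:
            return ROLE_FOR_PRIV.get(struct.unpack("!I", value)[0])
    return None
```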