802.11 Client Device Interoperability

Occasional Contributor I

Authenticating Mac clients w/ RSA keyfob

I have created an SSID for Mac and Linux users trying to use RSA authentication with keyfobs. I am using WPA2/AES network authentication with 802.1X / EAP-PEAP. I also want to use a server certificate.

The auth-tracebuf shows the server rejecting the user, but the RSA server doesn't log the attempt.

Can anyone shed any light on the settings for the client, controller or RSA server.

Mac clients are running Leopard and Snow Leopard. Aruba controller is 3.4.2.0
Guru Elite

Termination

Kbrady,


First, make sure that you test your RSA server to make sure it is responding using AAA Test Server under the Diagnostics Tab on the Aruba Controller:


On the 802.1x profile for that SSID, you should enable termination and EAP type MSCHAPv2, and inner EAP type GTC. Screenshot:



On the Advanced Tab of that 802.1x profile, make sure that you enable Token Caching:





Macs support GTC as an inner EAP type, so it should work with this setup. Your Linux clients, I'm not so sure.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Authenticating Mac clients w/ RSA keyfob

Thanks for your help, that worked. I can authenticate now. Not to push my luck, but do you have any info on having the Mac use a server certificate?
Guru Elite

MAC using a server certificate

Do you mean EAP-TLS (client-side certificates) or EAP-PEAP (server-side certificates) ? What do you want to accomplish?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Mac Client Issues

Sorry for the delayed response, I was away for a week. We won't be using the server-side certs, so that is no longer an issue.
I have noticed another issue with my Mac clients authenticating with RSA keyfobs.

Occasionally they seem to go out of sync with the RSA server. When this happens the RSA server sends a request for the next passcode (passcode only, no PIN). From the client's perspective it looks the same as the original login prompt asking for the username and password, which they enter, and then the process repeats again, the client never getting access. The client never sees a unique message telling them to only enter the passcode.

Is there a solution for this problem? I had seen it before when testing the Aruba GTC supplicant with version 2.x, and then the solution was a third-party supplicant, which was both messy and pricey. Thanks

kevin
Guru Elite

Open a case

There are a number of factors that could be causing that. I have never seen that particular issue, so if you need immediate help, I'd open a case with support, who can look through the logs and determine what is happening. If anyone else has seen this, maybe they can help as well. All I can say is to make sure that "token caching" is enabled, with a "token caching period" of at least 24 hours, as above. Token caching will ensure that the client, while trying to authenticate again or roam, does not send a new request to the RSA server.


Colin Joseph
Aruba Customer Engineering

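Putting the settings from Colin's first reply (termination, EAP-PEAP with inner EAP-GTC) and the token caching reminder in the post above into ArubaOS CLI form. This is an added example, not configuration from the original thread or from Aruba; the profile names, the server address and the shared secret are placeholders, and the command syntax follows the ArubaOS `aaa authentication dot1x` CLI reference as it appears in later 6.x releases, so it may differ slightly on the 3.4.2.0 build in the thread.

```text
! RADIUS definition for the RSA Authentication Manager (RADIUS front end).
! 192.0.2.10 and the key are placeholders.
aaa authentication-server radius "rsa-radius"
   host 192.0.2.10
   key MySharedSecret
   auth-port 1812
   acct-port 1813
   timeout 5
   retransmit 3

aaa server-group "rsa-sg"
   auth-server "rsa-radius"

! 802.1X profile: the controller terminates PEAP itself and relays the
! inner GTC (PIN+tokencode) to RSA as a plain RADIUS request.
aaa authentication dot1x "rsa-dot1x"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-gtc
   termination enable-token-caching
   termination token-caching-period 24
   ! Optional: present a CA-signed certificate instead of the factory one
   ! ("rsa-peap-cert" is a placeholder for a cert uploaded under Certificates).
   ! server-cert "rsa-peap-cert"

aaa profile "rsa-aaa"
   authentication-dot1x "rsa-dot1x"
   dot1x-server-group "rsa-sg"
   dot1x-default-role "authenticated"

wlan ssid-profile "rsa-ssid"
   essid "RSA-OTP"
   opmode wpa2-aes

wlan virtual-ap "rsa-vap"
   ssid-profile "rsa-ssid"
   aaa-profile "rsa-aaa"
   vlan 10

! CLI equivalent of Diagnostics > AAA Test Server: PAP test against the RSA
! RADIUS server with a real username and a fresh PIN+tokencode.
aaa test-server pap "rsa-radius" jdoe 1234567890
```

Two things worth checking before calling this done. The `aaa test-server` step is the one that separates "the controller cannot reach RSA" from "RSA rejects the user"; if the test fails and the RSA server still logs nothing, look at the shared secret, the agent host entry for the controller's IP, and the UDP 1812 path, not at the 802.1X profile. The caching period is a trade-off rather than a free fix: within the 24-hour window the controller answers a re-authentication with the cached username and passcode itself, so that passcode is no longer one-time against this controller for that window. Keep the period as short as the roaming behaviour allows.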

New Contributor

Re: Open a case

This happens because CPPM is connected using RADIUS port 1812 and NOT a native RSA connection using the generated configuration file like Cisco ACS does.

Guru Elite

Re: Open a case


Abdu wrote:

This happens because CPPM is connected using RADIUS port 1812 and NOT a native RSA connection using the generated configuration file like Cisco ACS does.


This post is from 2 years ago, and the client did not have CPPM.  I am not sure it is related.



Colin Joseph
Aruba Customer Engineering


New Contributor

Re: Open a case

I am actually interested in when Aruba will be implementing an RSA connection using the sdconf.rec file so errors like "Next Tokencode Mode" and others can be displayed when using CPPM TACACS for authentication, like switches.
