Aruba Instant & Cloud Wi-Fi

Occasional Contributor II
Posts: 23
Registered: ‎04-02-2013

802.1x and IOS

Hello,

We are having trouble connecting iPad/iPhone to our WPA2-Enterprise network.

I have enabled the "Termination" on the WLAN security tab.
I also have enabled the "Dynamic Radius Proxy".

It's working fine with Windows computers.

When I try to connect with iOS, this is what appears in the Security Log of my domain controller:
"The user attempted to use an authentication method that is not enabled on the matching network policy."

Authentication Type: PAP

 

I don't feel comfortable activating PAP on my domain... 

I have seen the whitepaper on "iPad & Enterprise", and I do not want to install the Apple iPhone Configuration Utility and push this to the iPad/iPhone (which has to be done for WPA2-AES EAP-TLS to terminate on an Aruba controller).

In the example, for WPA AES or TKIP, WPA2 AES or TKIP with PEAP-MSCHAPv2, it should work just fine.

Do you have an idea?

Many thanks

Contributor II
Posts: 42
Registered: ‎08-22-2011

Re: 802.1x and IOS

Is this an Aruba instant or an Aruba controller network?

Frequent Contributor II
Posts: 118
Registered: ‎02-10-2011

Re: 802.1x and IOS

We use wpa2-enterprise with 802.1x for both windows and macintosh/iphone/ipad devices without too many issues. Perhaps you can provide additional information on your setup and configuration.

Occasional Contributor II
Posts: 23
Registered: ‎04-02-2013

Re: 802.1x and IOS

We are using Instant AP without a controller; maybe it's due to a wrong configuration of the NPS in the Windows 2008 server.
What kind of additional information would you need?

Contributor II
Posts: 42
Registered: ‎08-22-2011

Re: 802.1x and IOS

I only enable termination when using an LDAP server or similar RADIUS server that does not support EAP. If you can support EAP, disable termination and it should work with istuff.

Occasional Contributor II
Posts: 23
Registered: ‎04-02-2013

Re: 802.1x and IOS

Well, when I try to disable the termination, I cannot connect even with my Windows computers.

In my Security Logs, I have this message: "Error occured during the use of EAP".

I also do not understand why I cannot use MSCHAP if I disable the termination?

Guru Elite
Posts: 19,984
Registered: ‎03-29-2007

Re: 802.1x and IOS

Using termination means that the IAP will host a radius certificate within the IAP. With termination off, that means your NPS server needs a valid server certificate.

Please look at the article here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113 for how to correctly configure NPS...

Colin Joseph
Aruba Customer Engineering

New Contributor
Posts: 1
Registered: ‎03-25-2013

Re: 802.1x and IOS

Excl,

 

We had the same problem in our environment as well and submitted a ticket to Aruba TAC. 

Essentially, they have confirmed that this is because on the i-AP you cannot specify the encryption to use, whereas with the physical controller you can.

Verbatim from Aruba Support, the work around for now at least is:

We tried to replicate this issue in our lab. We also faced the same issue. That only iPhones are connected using the PAP when the termination is enabled in the IAP. As a workaround we tried the below.

  • Disabled the termination in the IAP. Which means the termination is enabled in the radius server.
  • We should have the proper certificate installed in the server for this to work properly.
  • In the NPS rule we enabled the MsCHAPv2 with PEAP.
  • PAP not enabled in the Rule.
  • This time the iPhone and all other clients connect fine and authenticate using PEAP-MsCHAPv2.

Please let me know if this is suitable for your deployment. If not we need to contact engineering to proceed further with this issue. Because in our lab also it's confirmed that only iPhones are not authenticating using the MSCHAPV2 when the termination is enabled in the IAP.

 


Placing the certificate on the RADIUS server did in fact do the trick; it would have been nice, however, to have the functionality there to begin with.

Hope this helps.

Occasional Contributor II
Posts: 23
Registered: ‎04-02-2013

Re: 802.1x and IOS

Yes you are right,

Good to know that in the IAP you cannot choose the encryption.
I resolved the issue by disabling the Termination mode; it now works perfectly with iOS & Windows users.

Again, thanks :)

New Contributor
Posts: 2
Registered: ‎08-13-2014

Re: 802.1x and IOS

I know this is a little late, but I've come across the same issue, sort of, and I thought I would add this comment.

 

The iDevices will authenticate using MS-CHAP if, as wireless clients, they're sitting on the same VLAN and subnet as our RADIUS and DHCP server (essentially our main network). As soon as we try it in a different subnet and VLAN using some other DHCP server we see the following:

 

1) with termination on - they use PAP

2) with termination off - they use EAP

 

Of course, we only want to use MS-CHAP, but don't want them on the same VLAN or subnet. I'm not familiar with how all of this traffic flows around when authenticating, so maybe that's by design. But if anyone has any further insight, I'm a good listener (reader).

 

I'm in the same situation with the i-APs (i.e. no controllers).

 

Thanks to all!
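
Added example, not part of the thread or of any Aruba or Microsoft tooling: a Python check for the symptom discussed above, listing which accounts and client MACs still reach NPS as PAP after the termination setting is changed. The sample events and the `---` separator are constructed; the field labels follow the "Authentication Type" line quoted in the first post, with "Account Name" and "Calling Station Identifier" assumed to be present in the exported event text.

```python
import re
from collections import defaultdict

# Constructed sample: three NPS events exported as text, separated by '---'
# (the separator is an assumption of this example, not an NPS format).
SAMPLE_EVENTS = """\
Network Policy Server denied access to a user.
Account Name: EXAMPLE\\alice
Calling Station Identifier: 00-11-22-33-44-55
Authentication Type: PAP
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
---
Network Policy Server granted access to a user.
Account Name: EXAMPLE\\bob
Calling Station Identifier: 66-77-88-99-AA-BB
Authentication Type: PEAP
---
Network Policy Server denied access to a user.
Account Name: EXAMPLE\\alice
Calling Station Identifier: 00-11-22-33-44-55
Authentication Type: PAP
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")
WEAK_TYPES = {"PAP"}  # the method the original poster did not want to enable

def parse_events(text):
    """Split the export on '---' lines and return one field dict per event."""
    events = []
    for chunk in re.split(r"^---\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            if (m := FIELD.match(line)):
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Authentication Type" in fields:
            events.append(fields)
    return events

def weak_auth_attempts(events):
    """Map (account, client MAC) -> number of attempts using a weak method."""
    hits = defaultdict(int)
    for ev in events:
        if ev["Authentication Type"].upper() in WEAK_TYPES:
            key = (ev.get("Account Name", "?"), ev.get("Calling Station Identifier", "?"))
            hits[key] += 1
    return dict(hits)

if __name__ == "__main__":
    print(weak_auth_attempts(parse_events(SAMPLE_EVENTS)))
```

An empty result after termination is disabled and PEAP-MSCHAPv2 is the only method in the NPS rule means no client is still being presented to the server as PAP.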

 

 

 
