04-03-2013 02:44 AM - edited 04-03-2013 03:13 AM
We are having trouble connecting iPad/iPhone to our WPA2-Enterprise network.
I have enabled the "Termination" on the WLAN security tab.
I also have enabled the "Dynamic Radius Proxy".
It's working fine with windows computers.
When I try to connect with iOS, this is what appears in the Security Log of my domain controller:
"The user attempted to use an authentication method that is not enabled on the matching network policy."
Authentication Type: PAP
I don't feel comfortable activating PAP on my domain...
I have seen the whitepaper on "iPad & Enterprise", and I do not want to install the Apple iPhone Configuration Utility and push this to the iPad/iPhone (which has to be done for WPA2-AES EAP-TLS to terminate on an Aruba Controller).
In the example, for WPA AES or TKIP, WPA2 AES or TKIP with PEAP-MSCHAPv2 it should work just fine.
Do you have an idea?
04-09-2013 05:25 AM - edited 04-09-2013 06:27 AM
We are using Instant AP without a controller; maybe it's due to a wrong configuration of the NPS on the Windows 2008 server.
What kind of additional information would you need?
04-11-2013 02:12 AM
Well, when I try to disable the termination, I cannot connect even with my Windows computers.
In my Security Logs, I have this message: "Error occurred during the use of EAP".
I also do not understand why I cannot use MSCHAP if I disable the termination?
04-11-2013 07:46 AM
Using termination means that the IAP will host a RADIUS certificate within the IAP. With termination off, your NPS server needs a valid server certificate.
Please look at the article here: http://community.arubanetworks.com/t5/ArubaOS-and-
Aruba Customer Engineering
04-16-2013 02:00 PM
We had the same problem in our environment as well and submitted a ticket to Aruba TAC.
Essentially, they have confirmed that this is because on the IAP you cannot specify the encryption to use, whereas with the physical controller you can.
Verbatim from Aruba Support, the workaround for now at least is:
We tried to replicate this issue in our lab. We also faced the same issue: only iPhones are connected using PAP when the termination is enabled in the IAP. As a workaround we tried the below.
- Disabled the termination in the IAP. Which means the termination is enabled in the radius server.
- We should have the proper certificate installed in the server for this to work properly.
- In the NPS rule we enabled MSCHAPv2 with PEAP.
- PAP not enabled in the rule.
- This time the iPhone and all other clients connect fine and are authenticated using PEAP-MSCHAPv2.
Please let me know if this is suitable for your deployment. If not, we need to contact engineering to proceed further with this issue, because in our lab it is also confirmed that only iPhones are not authenticating using MSCHAPv2 when the termination is enabled in the IAP.
Placing the certificate on the RADIUS server did in fact do the trick, it would have been nice however to have the functionality there to begin with.
Hope this helps.
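The Security Log message quoted in the original question ("Authentication Type: PAP") and the TAC workaround above both come down to one check: which authentication method each client is actually using against NPS. The following is an added example, not code from this thread or from Aruba; it parses constructed NPS-style event text (the field names are assumed to match the Security Log excerpts quoted here) and flags any client that is falling back to PAP instead of PEAP-MSCHAPv2.

```python
import re

# Constructed sample of NPS Security Log events, modelled on the excerpts quoted
# in this thread. Not real logs; the NAS name "iap-lobby" and the users are made up.
SAMPLE_EVENTS = """\
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
User: CORP\\jdoe
Client Friendly Name: iap-lobby
Authentication Type: PAP

Reason: The user was granted access.
User: CORP\\jdoe
Client Friendly Name: iap-lobby
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

Reason: The user was granted access.
User: CORP\\host/PC01
Client Friendly Name: iap-lobby
Authentication Type: EAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
"""

# "Field name: value"; non-greedy key so "EAP Type: Microsoft: ..." keeps its full value.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_nps_events(text):
    """Split blank-line-separated event blocks into dicts of field -> value."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        events.append(current)
    return events


def classify(event):
    """PAP carries the user's password to NPS without EAP protection; flag it."""
    if event.get("Authentication Type", "").upper() == "PAP":
        return "pap-cleartext"
    if "MSCHAP" in event.get("EAP Type", "").upper():
        return "peap-mschapv2"
    return "other"


def flag_weak_auth(events):
    """Return (user, NAS, reason) for every PAP attempt, e.g. an iOS client on an IAP with termination on."""
    return [(e.get("User"), e.get("Client Friendly Name"), e.get("Reason"))
            for e in events if classify(e) == "pap-cleartext"]


def auth_methods_by_client(events):
    """Per NAS (IAP), the set of methods seen; a mix of PAP and PEAP points at termination."""
    seen = {}
    for e in events:
        seen.setdefault(e.get("Client Friendly Name"), set()).add(classify(e))
    return seen
```

Run `flag_weak_auth(parse_nps_events(SAMPLE_EVENTS))` after applying the workaround; an empty list means no client is still negotiating PAP.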
04-17-2013 12:52 AM
Yes you are right,
Good to know that in the IAP you cannot choose the encryption.
I resolved the issue by disabling the Termination mode; it now works perfectly with iOS & Windows users.
Again, thanks :)
08-13-2014 11:59 AM
I know this is a little late, but I've come across the same issue, sort of, and I thought I would add this comment.
The iDevices will authenticate using MS-CHAP if, as wireless clients, they're sitting on the same VLAN and subnet as our RADIUS and DHCP server (essentially our main network). As soon as we try it in a different subnet and VLAN using some other DHCP server we see the following:
1) with termination on - they use PAP
2) with termination off - they use EAP
Of course, we only want to use MS-CHAP, but don't want them on the same VLAN or subnet. I'm not familiar with how all of this traffic flows around when authenticating, so maybe that's by design. But if anyone has any further insight, I'm a good listener (reader).
I'm in the same situation with the IAPs (i.e. no controllers).
Thanks to all!