Aruba Instant & Cloud Wi-Fi

Occasional Contributor I
Posts: 5
Registered: ‎12-15-2015

IAP-225 Radius Server OneLogin

Hi,

Does someone here have experience with setting up an IAP-225 with the external OneLogin RADIUS server? For some reason I can't get it to work. I already read this: https://onelogin.zendesk.com/hc/en-us/articles/202361670

And tried this: http://www.arubanetworks.com/techdocs/InstantMobile/Advanced/Content/External%20RADIUS%20Server.htm

If I try with my client locally via radtest I get accepted, but when I try via the IAP-225 I always get rejected. Also, depending on the configuration with Termination Enabled, I usually time out/reject by connecting to 127.0.0.1.

adius authenticate raw using server t_OneLoginRadiusServer

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_request.c:52] Add Request: id=6, srv=127.0.0.1, fd=18

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1695] Sending radius request to t_OneLoginRadiusServer:127.0.0.1:2630 id:6,len:209

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  User-Name: fabian

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  NAS-IP-Address: 127.0.0.1

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  NAS-Port-Id: 0

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  NAS-Identifier: nonasid

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  NAS-Port-Type: 19

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Calling-Station-Id: 34363bcce418

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Called-Station-Id: 40e3d6c56f52

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Service-Type: Login-User

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Framed-MTU: 1100

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  EAP-Message: \002\003

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  State: }\364\374\305}\344\351\006\300\342\270\225\2659\371\315

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Aruba-Essid-Name: Test 5G

 

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Aruba-AP-Group: instant-C5:6F:52

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Message-Auth: \016X\341Z1\257*\231\265\347\366.\367\232N\202

Jan  9 23:26:02  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_request.c:76] Find Request: id=6, srv=127.0.0.1, fd=18

Jan  9 23:26:02  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_request.c:82]  Current entry: srv=127.0.0.1, fd=18

Jan  9 23:26:02  stm[2475]: <121050> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm|  in rc_aal.c(server_cbh),auth result = 1, with user name = fabian

Jan  9 23:26:02  stm[2475]: <121050> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm|  ACESS_ACCEPT or ACCESS_REJECT message received

Jan  9 23:26:02  stm[2475]: <132207> <ERRS> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm|  RADIUS reject for station fabian 34:36:3b:cc:e4:18 from server t_OneLoginRadiusServer.

Jan  9 23:26:02  stm[2475]: <132053> <ERRS> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm|  Dropping the radius packet for Station 34:36:3b:cc:e4:18 40:e3:d6:d6:f5:30 doing 802.1x

 

Also, any idea how I can configure it with 2FA with the Google Authenticator OTP device?

Best,

Fabian

Occasional Contributor I
Posts: 7
Registered: ‎04-16-2016

Re: IAP-225 Radius Server OneLogin

Looks like AIs support only PEAP-GTC and PEAP-MSCHAPv2

http://www.arubanetworks.com/techdocs/InstantMobile/Advanced/Content/External%20RADIUS%20Server.htm

But OneLogin supports only PAP or EAP-TTLS/PAP.

Occasional Contributor I
Posts: 5
Registered: ‎12-15-2015

Re: IAP-225 Radius Server OneLogin

Yes, that is correct. The best workaround would be using an Active Directory, but this solution won't work with the RADIUS server OneLogin provides.

Occasional Contributor I
Posts: 7
Registered: ‎04-16-2016

Re: IAP-225 Radius Server OneLogin

As Tim suggested here http://community.arubanetworks.com/t5/Wireless-Access/Controller-integration-with-OneLogin/td-p/249926/highlight/false, I tried to configure EAP-TTLS/PAP on my Mac and it works!

IAPs are EAP-agnostic - that means you should define the protocol on the client.
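
Added example, not part of any post in this thread: one way to pin a macOS client to EAP-TTLS/PAP is a Wi-Fi configuration profile, generated here with Python's `plistlib`. Because PAP carries the password in clear inside the TLS tunnel, the generator refuses to build a profile that names no trusted RADIUS server. The function name, the `org` prefix and the server name `radius.example.invalid` are assumptions for illustration; the SSID and user name are taken from the debug log above.

```python
import plistlib
import uuid

EAP_TYPE_TTLS = 21  # IANA EAP method type for EAP-TTLS (PEAP is 25)


def build_ttls_pap_profile(ssid, username, trusted_server_names, org="example"):
    """Return a macOS/iOS .mobileconfig (XML plist bytes) for EAP-TTLS/PAP.

    PAP puts the password in clear inside the TLS tunnel, so the profile is
    refused unless the client is told which RADIUS server names to trust.
    """
    names = [n.strip() for n in trusted_server_names if n.strip()]
    if not names:
        raise ValueError("EAP-TTLS/PAP without TLSTrustedServerNames would "
                         "send the password to any server that answers")
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TYPE_TTLS],   # offer TTLS only, never PEAP
            "TTLSInnerAuthentication": "PAP",
            "UserName": username,                # no password stored in the profile
            "TLSTrustedServerNames": names,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.profile.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} EAP-TTLS/PAP",
        "PayloadContent": [wifi],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Server name is a constructed placeholder for the RADIUS certificate's name.
    data = build_ttls_pap_profile("Test 5G", "fabian", ["radius.example.invalid"])
    with open("test5g-ttls-pap.mobileconfig", "wb") as fh:
        fh.write(data)
```
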
