ArubaOS and Controllers

Occasional Contributor II

EAP-TLS Authentication failure

I am attempting to configure EAP-TLS authentication on an Aruba 3200 controller for Wi-Fi.

I followed the guide here until selecting the authentication method, where I chose "Microsoft: Smart Card or other certificate".

I have attached screenshots of the current configuration.

Question though: the "Host" IP on the Aruba, what should go here? I am assuming the NAS IP = the RADIUS server. The key is the same as I set up on the RADIUS server.

Sorry for the multiple posts, but I can't add more than four photos per post.





Aruba Employee

Host IP

Yes, the Host IP on the controller is the IP address of your RADIUS server.

Make sure you pass back the class attribute from the RADIUS server, to match your role on the Aruba controller. Example: Class: employee

Zach
Thanks,

Zach Jennings
Occasional Contributor II

Re: EAP-TLS Authentication failure

What is the NAS IP? Is this also the RADIUS server IP?

I am not sure what you mean by the class attribute.
Aruba Employee

Re: EAP-TLS Authentication failure

You don't need to enter anything for the NAS IP.

Not sure about EAP-TLS, but with EAP-PEAP with MSCHAPv2, you have to pass back the role you want the user to get on the Aruba controller.

On the RADIUS server, under Policies, Network Policies, create a policy that tests for some group on the AD, for example All Employees, then on the Settings tab, add a Standard Attribute, Name: Class, Value: employee. This will pass back that value to set the role of the user after authentication.

See screenshot.

Zach
Thanks,

Zach Jennings
Occasional Contributor I

Re: EAP-TLS Authentication failure

Looking at your screenshots of your Aruba controller - the RADIUS Server definition has the Host field set to the IP address of your controller. This needs to point to the IP address of your NPS server, and the shared secret must match the one entered as a RADIUS client on the NPS.
You can use the Aruba Vendor Specific Attribute (VSA) Aruba-User-Role in your return Access-Accept to automatically derive a role on the Aruba controller for each class of user.
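
The two points raised in the replies above (the shared secret must match, and the role arrives in the Access-Accept as Class or Aruba-User-Role) can both be checked on a captured reply. The following is an added example, not part of the thread and not Aruba or Microsoft code: it recomputes the RFC 2865 Response Authenticator and extracts both attributes. The function names are hypothetical, and the packet, secret and Request Authenticator are constructed samples.

```python
import hashlib, hmac, struct

ARUBA_VENDOR_ID = 14823          # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1              # Aruba-User-Role in the Aruba RADIUS dictionary
ATTR_CLASS, ATTR_VSA = 25, 26    # RFC 2865 attribute types
ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, secret, role):
    """Constructed sample: an Access-Accept carrying Class and the Aruba VSA."""
    vsa = struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, 2 + len(role)) + role
    attrs = (bytes([ATTR_CLASS, 2 + len(role)]) + role +
             bytes([ATTR_VSA, 2 + len(vsa)]) + vsa)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def inspect_accept(packet, request_auth, secret):
    """Check the shared secret and pull out Class and Aruba-User-Role."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    found = {"secret_ok": hmac.compare_digest(expected, packet[4:20]),
             "class": None, "aruba_user_role": None}
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_CLASS:
            found["class"] = value.decode(errors="replace")
        elif atype == ATTR_VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == ARUBA_VENDOR_ID and vtype == ARUBA_USER_ROLE:
                found["aruba_user_role"] = value[6:4 + vlen].decode(errors="replace")
        pos += alen
    return found

REQ_AUTH = bytes(range(16))      # constructed Request Authenticator
SAMPLE = build_accept(7, REQ_AUTH, b"nps-secret", b"employee")
```

A `secret_ok` of False on a real capture means the secret configured on the controller differs from the one on the RADIUS client entry, which is the mismatch the last reply warns about.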