ArubaOS and Controllers

Occasional Contributor II
Posts: 12
Registered: ‎05-14-2009

NPS Radius with Child Domain

We are attempting to roll out WPA2 to migrate from our current captive portal implementation. I have been able to get NPS configured for both Machine and User auth - everything seems to be working as it should for our Parent domain. However, when I test with a user from our child domain there are a number of issues. If the user either specifies their domain at logon (domain\username) or logs in from a workstation joined to their respective domain all works as it should. If they attempt a logon from an OS X machine joined to the parent domain - no go! It appears only the username is passed (as that is all that is being entered) and the radius server assumes the domain of its membership (unless a domain is specified) - that is my understanding of how NPS RADIUS works.

I have attempted setting up 2 radius servers (one in each domain as recommended) - logons to the child domain will work from OS X when pointed to the respective RADIUS server however users on the parent domain fail.

Not sure if I'm missing something or where to look - any assistance is greatly appreciated.
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: NPS Radius with Child Domain

If a device does not send a REALM or domain with the username, the NPS server will assume that it is from the current domain, and not the child domain that you are seeking and will fail authentication. The best way to work around this is to setup a second radius server in the child domain. Make sure the Aruba controller is setup as a radius client and create a remote access policy on that server. Add that as a separate radius server to the server group on the Aruba controller and make sure that "fail through" is enabled in that server group.

What will happen is that the client who does not send a realm will fail authentication on the first radius server and then will try the second server in the client's home domain, because of the fail through parameter. If the username and password matches in the second domain, the client will be allowed onto the network.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
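To make the behaviour described above concrete, here is a small model (added here, not code from the thread or from Aruba/Microsoft) of how a server group with fail-through routes an 802.1X identity across two NPS servers. Domain names, server names and user records are constructed; the realm-to-domain mapping is a simplification of what NPS does.

```python
"""Model of an Aruba server group with fail-through in front of two NPS
servers, one per domain. Added example; all names and records are constructed."""
from dataclasses import dataclass, field

# Constructed directory data: each NPS instance is joined to one domain.
DIRECTORIES = {
    "CORP":  {"alice": "pw-alice"},   # parent domain
    "CHILD": {"bob": "pw-bob"},       # child domain
}


def split_identity(identity: str, default_domain: str):
    """Resolve DOMAIN\\user, user@realm, or a bare username.
    A bare username is assumed to belong to the server's own domain,
    which is the behaviour the thread runs into with OS X clients."""
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return domain.upper(), user
    if "@" in identity:
        user, realm = identity.split("@", 1)
        return realm.split(".")[0].upper(), user   # simplification of NPS realm rules
    return default_domain, identity


@dataclass
class NpsServer:
    name: str
    home_domain: str                   # domain this NPS instance is joined to
    events: list = field(default_factory=list)   # what its event log would show

    def authenticate(self, identity: str, password: str) -> bool:
        domain, user = split_identity(identity, self.home_domain)
        users = DIRECTORIES.get(domain, {})
        if user not in users:
            self.events.append(f"{identity}: The specified user account does not exist")
            return False
        ok = users[user] == password
        self.events.append(f"{identity}: {'accepted' if ok else 'credentials mismatch'}")
        return ok


def server_group_auth(servers, identity, password, fail_through):
    """Walk the server group in order; with fail-through a rejection moves on
    to the next server instead of ending the exchange. Returns (accepted, server)."""
    for srv in servers:
        if srv.authenticate(identity, password):
            return True, srv.name
        if not fail_through:
            break
    return False, None
```

Note that with fail-through every rejected attempt reaches the next server as well, so a bare-username logon always leaves a "user account does not exist" event on the parent NPS before the child NPS accepts it; that is expected noise, not a sign of misconfiguration.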

Occasional Contributor II
Posts: 12
Registered: ‎05-14-2009

Re: NPS Radius with Child Domain

Thanks for the response. I have tried this in the past with no success. I attempted this again this morning with the following results using a parent domain user:
attempt with parent radius server as first listed (child radius second) = success
attempt with child radius server as first (parent radius second) = failed
- eventviewer on child radius shows "The specified user account does not exist" - which is correct.
- eventviewer on the parent radius shows "The RADIUS Request message that Network Policy Server received from the network access server was malformed." but only when it is the second server on the fail through list, if listed first it will process requests without any issue

Same thing happens if I try a child domain user when the parent radius server is listed as second (error occurs on the child radius server)

Am I missing something? Thoughts on where I should be looking for the cause of this issue?

Thanks,
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: NPS Radius with Child Domain

Do you have (1) Termination enabled on the Aruba Controller or (2) does the child domain radius server have its own CA certificate?


Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: NPS Radius with Child Domain




Also, try toggling the message authenticator attribute in the "Client" definition for the Aruba Controller on the Child domain radius server.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎05-14-2009

Re: NPS Radius with Child Domain

Termination was NOT enabled on the controller - each radius server had a certificate. Once I enabled termination on the controller and installed the cert the "malformed request" errors stopped. Authentication to both the parent and child domains are working correctly now.

Is the termination on the controller recommended or discouraged?
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: NPS Radius with Child Domain

Termination allows you to front-end all of your radius servers with a single certificate on the controller (certificate not needed on radius server after you turn this on). That would mean that you would only be upgrading the Controller's certificate when it is time, instead of tons of individual certificates. In addition, the PEAP function is very CPU-intensive and enabling termination offloads this resource-intensive process from your radius server, especially when tons of users attempt to get on. The short answer is that yes, it is recommended.

The malformed request *could* be from the fact that the user probably did not trust the certificate on the child domain, or the certificate is not valid...


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎05-14-2009

Re: NPS Radius with Child Domain

Thanks for the information, I will move forward using termination on the controller then. However, I do have an issue since enabling the termination - my windows machine authentication no longer works (was working when going directly to the radius servers). When a domain machine attempts machine auth the radius server denies access with "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

This works as intended without using termination on the controller.

Thanks again for your assistance,
Guru Elite
Posts: 20,422
Registered: ‎03-29-2007

Re: NPS Radius with Child Domain

One drawback with Termination is that machine authentication does not work when you are using an NPS or Windows 2003 server for authentication.

You probably want to disable termination and check the status of that certificate on the child domain radius server to ensure you don't get the error before.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎05-14-2009

Re: NPS Radius with Child Domain

I guess termination is not for us then - unless the machine auth request can be validated by another radius server (we also have a Cisco ACS that could be used).

The certs seem to be fine on the machines; when either is listed first in the server group they work fine and when listed second they receive the malformed request error. When they are swapped the first is fine and the second has the error.

Is there a way I should be checking the certs?

Something else I can try to isolate the issue?

Thanks,