NPS Radius with Child Domain
06-06-2011 06:18 AM
I have attempted setting up 2 radius servers (one in each domain as recommended) - logons to the child domain will work from OS X when pointed to the respective RADIUS server however users on the parent domain fail.
Not sure if I'm missing something or where to look - any assistance is greatly appreciated.
Re: NPS Radius with Child Domain
06-07-2011 02:58 AM
What will happen is that the client who does not send a realm will fail authentication on the first radius server and then will try the second server in the client's home domain, because of the fail through parameter. If the username and password matches in the second domain, the client will be allowed onto the network.
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Re: NPS Radius with Child Domain
06-07-2011 06:06 AM
attempt with parent radius server as first listed (child radius second) = success
attempt with child radius server as first (parent radius second) = failed
- eventviewer on child radius shows "The specified user account does not exist" - which is correct.
- eventviewer on the parent radius shows "The RADIUS Request message that Network Policy Server received from the network access server was malformed." but only when it is the second server on the fail through list, if listed first it will process requests without any issue
Same thing happens if I try a child domain user when the parent radius server is listed as second (error occurs on the child radius server)
Am I missing something? Thoughts on where I should be looking for the cause of this issue?
Thanks,
Re: NPS Radius with Child Domain
06-07-2011 07:10 AM
Thanks for the response. I have tried this in the past with no success. I attempted this again this morning with the following results using a parent domain user:
attempt with parent radius server as first listed (child radius second) = success
attempt with child radius server as first (parent radius second) = failed
- eventviewer on child radius shows "The specified user account does not exist" - which is correct.
- eventviewer on the parent radius shows "The RADIUS Request message that Network Policy Server received from the network access server was malformed." but only when it is the second server on the fail through list, if listed first it will process requests without any issue
Same thing happens if I try a child domain user when the parent radius server is listed as second (error occurs on the child radius server)
Am I missing something? Thoughts on where I should be looking for the cause of this issue?
Thanks,
Do you have (1) Termination enabled on the Aruba Controller or (2) does the child domain radius server have its own CA certificate?
Colin Joseph
Aruba Customer Engineering
Re: NPS Radius with Child Domain
06-07-2011 07:15 AM
Also, try toggling the message authenticator attribute in the "Client" definition for the Aruba Controller on the Child domain radius server.
Colin Joseph
Aruba Customer Engineering
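What the Message-Authenticator setting mentioned in the reply above checks, as an added example that is not part of the original thread and is not Aruba or NPS code: per RFC 3579 the attribute is an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's own 16 bytes zeroed during the calculation. The shared secret, user name and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # RADIUS attribute types


def build_access_request(secret, identifier, request_auth, attrs):
    """Build an Access-Request (code 1) signed with Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    ma_value = 20 + len(body) + 2  # offset of the 16-byte HMAC value
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + request_auth
    packet = bytearray(header + body)
    packet[ma_value:ma_value + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def check_message_authenticator(secret, packet):
    """Return 'ok', 'missing', 'mismatch' or 'malformed' for an Access-Request."""
    if len(packet) < 20:
        return "malformed"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "malformed"
    zeroed, received, pos = bytearray(packet[:length]), None, 20
    while pos < length:
        if pos + 2 > length:
            return "malformed"
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return "malformed"
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "malformed"
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)  # zero the field before hashing
        pos += attr_len
    if received is None:
        return "missing"
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "ok" if hmac.compare_digest(received, expected) else "mismatch"


# Constructed sample: User-Name (type 1) plus an empty EAP-Response/Identity.
SECRET = b"constructed-shared-secret"
SAMPLE = build_access_request(SECRET, 7, bytes(range(16)), [
    (1, b"user@parent.example"), (EAP_MESSAGE, bytes.fromhex("0207000501"))])
```

A "mismatch" result with an otherwise well-formed packet points at a shared-secret difference between the RADIUS client definition and the sender.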
Re: NPS Radius with Child Domain
06-07-2011 08:59 AM
Is the termination on the controller recommended or discouraged?
Re: NPS Radius with Child Domain
06-07-2011 01:38 PM
Termination was NOT enabled on the controller - each radius server had a certificate. Once I enabled termination on the controller and installed the cert, the "malformed request" errors stopped. Authentication to both the parent and child domains is working correctly now.
Is the termination on the controller recommended or discouraged?
Termination allows you to front-end all of your radius servers with a single certificate on the controller (certificate not needed on radius server after you turn this on). That would mean that you would only be upgrading the Controller's certificate when it is time, instead of tons of individual certificates. In addition, the PEAP function is very CPU-intensive and enabling termination offloads this resource-intensive process from your radius server, especially when tons of users attempt to get on. The short answer is that yes, it is recommended.
The malformed request *could* be from the fact that the user probably did not trust the certificate on the child domain, or the certificate is not valid...
Colin Joseph
Aruba Customer Engineering
Re: NPS Radius with Child Domain
06-08-2011 05:53 AM
This works as intended without using the termination on the controller.
Thanks again for your assistance,
Re: NPS Radius with Child Domain
06-08-2011 05:57 AM
You probably want to disable termination and check the status of that certificate on the child domain radius server to ensure you don't get the error before.
Colin Joseph
Aruba Customer Engineering
Re: NPS Radius with Child Domain
06-08-2011 06:17 AM
The certs seem to be fine on the machines; when either is listed as the first in the server group they work fine, and when listed second they receive the malformed request error. When they are swapped the first is fine and the second has the error.
Is there a way I should be checking the certs?
Something else I can try to isolate the issue?
Thanks,