ArubaOS and Controllers

Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

Novell 802.1X

--------------------------------------------------------------------------------
I have a client with a Novell-only environment wanting to perform 802.1X authentication.
We are going to use controller-terminated 802.1X, with the authentication group tied to the Novell server via LDAP to authenticate the users' accounts.

The customer also needs to prevent users from using their own devices (i.e. laptops, smartphones) to connect to the wireless using their Novell logins.
In a Windows environment, this would be done using machine authentication. I know that is not available in non-Windows deployments.

I have 2 options; I'm not sure if either would work, or which would be preferred.

1. (If possible) The customer has all the Novell devices in the Novell tree (an attribute has the MAC address). If possible, do MAC authentication tied to the LDAP server that would look up enterprise devices. If the MAC address is there, assign a role that would allow logon.

2. Use DHCP fingerprinting in 6.1 to auto-assign the Novell clients a role that would allow network access, and then the user attempts to log on.

This would be my first deployment of this type, so any suggestions would be appreciated.
I didn't go into detail explaining the plan for these 2 options, and I could provide more if necessary.

Thanks for your help.

peter
Occasional Contributor II
Posts: 10
Registered: ‎11-05-2010

Re: Novell 802.1X

A third option would be to require certificates for devices to connect, such as EAP-TLS. I guess it depends on how badly the client wants personal devices off the wireless. Certificates would be the most secure, while MAC restrictions work for an average user, though someone determined can get around it.
If it were me and I were starting from scratch, I'd probably go EAP-TLS. Though if the MACs are already known and stored in Novell, then that path may take less work, albeit not quite as secure.
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Novell 802.1X


If you already had 802.1x working, and if you had the time to enter all the MAC addresses as usernames and passwords in LDAP, we could do MAC authentication against this that forces the user to be in this MAC address database, so that if he does not pass, 802.1x does not pass as well.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

Re: Novell 802.1X

Thanks guys.

Customer has stated they don't want to go the EAP-TLS route.

It is a new 802.1X deployment.

The customer says that they have a "container" in the Novell tree that contains all the Novell clients in the enterprise. Supposedly one of the attributes contains the MAC address of each device.

I am not sure if that is the same as having the MAC address in LDAP as user/passwords.

I don't have Novell experience, but I know that I can do user queries off the LDAP server in Aruba.

I will be able to see the customer's Novell/LDAP configuration on Thursday.

As far as MAC address authentication in the AAA profile goes, does that happen at the same time as initial role derivation, or after the 802.1x logon process?

Thanks
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Novell 802.1X

Okay.

First you need to get 802.1x working with Novell, then we can try to get the mac authentication thingy working. The way it looks, unless an object in Novell has an attribute that is the MAC address and a password that is the MAC address, MAC authentication will not work. The Novell configuration is so non-standard that the administrators probably might not have to worry about unauthorized devices getting into their network.


Colin Joseph
Aruba Customer Engineering

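An added example (not from this thread, and not Aruba's code) of the bookkeeping Colin describes: normalizing the MAC values held in the customer's eDirectory device attribute into the username/password form the controller will present for MAC authentication, and listing the devices whose entries are unusable so they fail the lookup. The attribute name `macAddress`, the DNs and the MAC values are constructed placeholders, and the `delimiter`/`upper` options stand for whatever the controller's MAC authentication profile is actually set to.

```python
import re

# Accepted notations for the MAC held in the eDirectory attribute:
# bare hex, colon- or dash-separated, and Cisco-style dotted.
_MAC_FORMS = (
    r"^[0-9a-f]{12}$",
    r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$",
    r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$",
    r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$",
)

def normalize_mac(raw, delimiter="", upper=False):
    """MAC in the form the controller presents as MAC-auth username (assumed
    profile settings: delimiter and case), or None if not a well-formed MAC."""
    s = str(raw).strip().lower()
    if not any(re.fullmatch(p, s) for p in _MAC_FORMS):
        return None
    digits = re.sub(r"[:.\-]", "", s)
    username = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return username.upper() if upper else username

def build_mac_accounts(records, attribute="macAddress", delimiter="", upper=False):
    """Map canonical MAC -> (device DN, username/password to create in LDAP), plus
    the DNs whose attribute is unusable: such a device fails the MAC lookup and is
    denied, so those entries have to be fixed before the rollout."""
    accounts, rejected = {}, []
    for dn, attrs in records:
        canonical = normalize_mac(attrs.get(attribute, ""))
        if canonical is None:
            rejected.append(dn)
            continue
        accounts[canonical] = (dn, normalize_mac(canonical, delimiter, upper))
    return accounts, rejected

def is_known_device(presented, accounts):
    """True when the MAC the controller presents matches a stored enterprise device."""
    canonical = normalize_mac(presented)
    return canonical is not None and canonical in accounts

# Constructed sample records standing in for the customer's Novell device container.
SAMPLE_RECORDS = [
    ("cn=LAB-PC-01,ou=Workstations,o=Example", {"macAddress": "00:11:22:33:44:55"}),
    ("cn=LAB-PC-02,ou=Workstations,o=Example", {"macAddress": "00-11-22-AA-BB-CC"}),
    ("cn=LAB-PC-03,ou=Workstations,o=Example", {"macAddress": "0011.22dd.eeff"}),
    ("cn=LAB-PC-04,ou=Workstations,o=Example", {"macAddress": "not set"}),
]

if __name__ == "__main__":
    accounts, rejected = build_mac_accounts(SAMPLE_RECORDS, delimiter=":", upper=True)
    print({dn: user for dn, user in accounts.values()}, "needs fixing:", rejected)
```

As the thread already notes, a matching MAC only shows the device is in the inventory; it is not proof of device identity the way a certificate is.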

Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

LDAP working, 802.1X not

I was able to get LDAP working with the Novell eDirectory. I needed to set the key-attribute to 'cn'.

I know the LDAP authentication piece is working, because I added the LDAP server to the server group for Captive Portal authentication. I was able to log in using eDirectory accounts.

Now I am trying to better understand Novell and 802.1X options.
I have read conflicting things on message boards. Is there any Aruba guide/document?


I want to terminate the PEAP cert on the controller, I believe with GTC. It is a 6000 M3 running 6.1.
For testing purposes, I want to use the factory cert, but I don't see it listed in certs. Is it still possible to use that for 802.1X auth?

It looks like we are going to have to use MAC address authentication for some pseudo-machine authentication.

Is there any way to configure the Novell client with single sign-on over wireless for user authentication?
I read some information that the Novell client requires network access for initial logon. Has anyone ever created the initial role in the AAA policy as a custom role with firewall policies that allowed access only to logon servers?

I know I am raising a lot of questions, but I'm looking for a roadmap of the necessary steps/pitfalls in configuring 802.1X in a Novell environment.

Thanks,

peter
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Novell 802.1X

It all depends on your tolerance for pain. You can ideally have single sign-on with the native Novell Client and FreeRADIUS. The big hitch is that it requires you to configure FreeRADIUS and turn on Universal Passwords on the Novell side: http://forums.novell.com/netiq/netiq-product-discussion-forums/edirectory/modular-authentication-services-universal-password/326508-adding-universal-password.html
Here is a link to a guy who has tons of links about the process: http://thebackroomtech.com/2008/04/08/8021x-network-authentication-freeradius-with-the-novell-client-resources/

Please remember that getting it working and having someone maintain parts of it like FreeRADIUS, Novell and client issues can be particularly challenging moving forward.

The easy way out involves installing an EAP-GTC supplicant (Aruba has a free one on the support website under "tools"), enabling termination with EAP-PEAP and setting up the wireless on a Windows client with GTC. Mac clients support EAP-GTC natively.

If you don't want to go the Novell native client route, single sign-on, on the other hand, normally requires a commercial supplicant like Juniper Odyssey or SecureW2 (I'm attaching a document from 2007 on the forum). That approach uses termination and GTC, but saves a lot of setup work by not requiring you to set up FreeRADIUS and the connector to eDirectory (you only need to set up the client, termination and GTC support on the controller, and your existing LDAP authentication to eDirectory through the controller).


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

Re: Novell 802.1X

Thanks Colin,

It seems like the EAP-GTC route would make the most sense, especially for this customer.
I read the User Guide on the Aruba website; most devices are Windows based, so we will need to install the supplicant.

So, once that supplicant is installed and WZC is configured, would SSO with the Novell client work? Would WZC pass the Novell client user credentials as part of the 802.1X auth process? Just trying to clarify this.

Also, since this is controller terminated, and a non-Windows-domain environment, this would not include any type of machine/device authentication. I would still need to configure and implement a MAC DB for that.

Thanks for all your help in clarifying all these questions with me.

peter
Guru Elite
Posts: 20,598
Registered: ‎03-29-2007

Re: Novell 802.1X

Single sign-on is only available by configuring FreeRADIUS with the Novell 802.1x supplicant OR a third-party supplicant that specifically supports it, like the Juniper Odyssey client.

It is not supported with the free EAP-GTC client from Aruba.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 27
Registered: ‎01-29-2009

Re: Novell 802.1X

So what would be the logon process with EAP-GTC from Aruba?

Log on to the Novell client, then get prompted for wireless connection credentials again after the Windows profile loads?

The Aruba document explains how to install the client, but not how the process works.

Thanks