Occasional Contributor II
stobbe_s
Posts: 15
Registered: ‎12-14-2010

RADIUS server group - can a server be used based on subnet?

I have a Master-local controller setup. The Master is located at our district school office, and locals are installed at a bunch of schools.

The current setup for our corporate VAP is a server group with one RADIUS server located centrally. This works fine, but I would like to eliminate traffic traversing our WAN links when possible. I would like to use the local domain controllers on site with RADIUS - so users on the local controllers will use local RADIUS for authentication.

I've been looking at server group match rules on the authstring, which will probably work for machine auth because each of the school machines begin with a unique string for that site. However, for user auth we use one single domain and the authstring would not contain anything unique per site.

Does anyone know if there's a way to specify a RADIUS server be used per local controller, or per subnet?

Thanks.
Steve
Moderator
cjoseph
Posts: 12,028
Registered: ‎03-29-2007

Re: RADIUS server group - can a server be used based on subnet?

No.

You would have to create a new virtual AP, which under it would have a new AAA profile (which would contain a different server group) and the same SSID profile.
Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
stobbe_s
Posts: 15
Registered: ‎12-14-2010

Re: RADIUS server group - can a server be used based on subnet?

Ok - thanks for the feedback. I was hoping to avoid creating a unique VAP for each site (we have ~140 sites) - but if that's the only way to do it - then that's what I'll do.

Steve
Moderator
cjoseph
Posts: 12,028
Registered: ‎03-29-2007

Re: RADIUS server group - can a server be used based on subnet?

You have 140 sites, but how many radius servers do you have? You can just put both radius servers into the AP-group and when one fails or is unresponsive, the other will take over. Either that or you can have two virtual APs: one that has the first radius server first and another that has the second radius server first. If the latency between site and the radius server is not above 100 milliseconds, you usually do not have anything to worry about.
Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
stobbe_s
Posts: 15
Registered: ‎12-14-2010

Re: RADIUS server group - can a server be used based on subnet?

We just use two central RADIUS servers right now. Back in the day each WAP was considered a RADIUS client so rather than upgrade all of our site servers to Windows Server 2003 Enterprise - we went centralized.

I have implemented a second VAP for that site and it's working fine.

Unfortunately, it hasn't solved my issues which I thought may be latency related. I'm getting tons of problems with the authentication delay between machine auth and user auth. Group policies for folder redirection and drive mappings are failing consistently in our schools. I've turned on RAS tracing and verbose userenv logging trying to troubleshoot this. I drop about 4 pings and that's when Windows is trying to complete user authentication. The Netlogon service and RADIUS authentication are oblivious to each other - sometimes they go in the right order - but often they don't.

I've tried various reg keys and GPO tweaks including "Always wait for network at computer startup and logon" and "Wait for remote user profile", setting GroupPolicyMinTransferRate to 0, adding GpNetworkStartTimeoutPolicyValue with various values starting at 60 but I can consistently get failures stating Network Path not found or folder not accessible. I can't blame this all on roaming profiles because even without them I get GPO failures for folder redirection.

Does anyone have experience making 802.1x work properly with Windows in a domain environment with wireless? Is it a weird combination of offline files, roaming profiles, and folder redirection that we're doing that makes us unique?

I am switching Aruba roles and enforcing machine auth - but I had these same Windows problems before I did that so I know it's not related. I'm not switching VLANs - just role. I can visually see the wireless system tray icon disconnect and then reconnect when the desktop appears. I may try the reg key to disable media sensing on logon next - because none of the GPO timers or delays I'm trying seem to work. I should state that these issues manifest themselves during logon after an initial boot. If a machine is already on and someone has logged in, then logged out, it doesn't seem to fail on subsequent logons (or at least - much less frequently).

Apologies if this should be a separate thread.
Moderator
cjoseph
Posts: 12,028
Registered: ‎03-29-2007

Re: RADIUS server group - can a server be used based on subnet?

Please ensure that your clients have the most updated drivers - if possible. Please also ensure that your clients have sleep mode configured for "awake" to ensure that you do not have a client that sleeps too often. If you need immediate assistance for this issue, please open up a tac case so that you can be helped, ASAP.
Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
stobbe_s
Posts: 15
Registered: ‎12-14-2010

Re: RADIUS server group - can a server be used based on subnet?

Thanks for the tips - I already ensured I am running the latest drivers. I have made this work now - but there may be some caveats.

In the GPO, on the IEEE 802.1X tab I changed from User or Computer authentication to Computer only. On the PEAP settings for MSCHAP v2 I unchecked "Automatically use my Windows logon name and password".

The RADIUS server now only does the machine authentication - when a valid user in AD logs in there is no additional RADIUS authentication. From the Aruba controller side, I see the user remain with an 802.1x-MachineAuth role and they show up as Host\Machinename. That is obviously a downside to this method - but it's not like I couldn't find out who is logged onto a machine using psloggedon or other tools.

As long as the 802.1x-MachineAuth role has the same rights as the 802.1x-FullAuth role - the user wouldn't see any difference. The roaming profile and folder redirection seems to work 100% now - the wireless icon never changes and I only drop 1 ping on logon. Users will still need valid AD credentials to sign in.

Can you think of any other downsides or caveats to this approach?
Thanks.
Steve
Moderator
cjoseph
Posts: 12,028
Registered: ‎03-29-2007

Re: RADIUS server group - can a server be used based on subnet?

My Advice:

On the GPO, turn back on User and Computer Authentication
Make Sure that the Enforce Machine Authentication Machine Only role has an "allowall" policy.

The Machine Only role should be able to be allowed to do anything, because it pretty much represents a computer at the ctrl-alt-delete screen that needs to do background registration, etc. If you do not make this an allowall policy, you WILL run into issues like the one you mention.
Colin Joseph
Aruba Customer Engineering
Occasional Contributor II
stobbe_s
Posts: 15
Registered: ‎12-14-2010

Re: RADIUS server group - can a server be used based on subnet?

My Machine auth role is set to allowall - which matches the Full auth role. The issue I was mentioning is that the Aruba controller doesn't update the user name because only machine auth is taking place. When a user signs in - they're still using that machine auth so Active Directory name isn't used. Basically a lack of visibility into who exactly is logged on.

The one thing I haven't tested in the GPO is turning back on User and Computer Authentication and keeping the PEAP settings the same without the checkbox for "Automatically use my Windows logon name and password". But I'm not sure what I would gain from doing that - may I ask why you would advise that?

If this solves all of my issues with roaming profiles not being able to be reached, desktops not accessible, and GPOs not firing - I'll live with the lack of visibility from a wireless controller perspective.
Moderator
cjoseph
Posts: 12,028
Registered: ‎03-29-2007

Re: RADIUS server group - can a server be used based on subnet?

In the GPO, turn back on user and computer authentication (do a gpupdate on the commandline so that the computer gets it immediately). Make sure "Automatically use my Windows logon name and password" is checked. Make sure "Authenticate as computer when computer information is available" on the wireless GPO is also checked. Uncheck "Enforce Machine Authentication" on the Aruba Controller.

"Automatically use my Windows logon name and password" allows the computer to automatically submit the username and password of the user trying to login

"Authenticate as computer when computer information is available" allows the machine to login with host/ and get an ip address at the ctrl-alt-delete screen. This is essential for users who have never logged into the computer before to be able to login after. The computer needs to login to get an ip "dial tone" before new users can login and so that existing users get a login script.

"Enforce Machine Authentication" on the Aruba Controller is not necessary and should be turned off.

Please consult Appendix D of the ArubaOS user guide which will tell you exactly how to configure Microsoft Windows Server AND Microsoft Clients for full functionality.
Colin Joseph
Aruba Customer Engineering
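An added example, not from this thread or from Aruba: a small Python check that reads a wireless profile as exported by `netsh wlan export profile` and flags the two client-side settings the last reply asks for (user-and-computer authentication, and "Automatically use my Windows logon name and password"). The namespace URIs and element names (`authMode`, `UseWinLogonCredentials`) are assumed from the Windows wireless profile schema, and the embedded profile is a constructed sample that mirrors the poster's interim computer-only workaround.

```python
"""Audit an exported Windows wireless profile for the 802.1X settings discussed above."""
import xml.etree.ElementTree as ET

# Namespaces from the Windows wireless profile schema (assumed, not taken from the thread).
NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "mschap": "http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1",
}

# Constructed sample: computer-only auth, "use Windows logon name and password" unchecked.
# Wrapper elements between EapHostConfig and the MSCHAPv2 settings are trimmed.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
            <UseWinLogonCredentials>false</UseWinLogonCredentials>
          </EapType>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches the advice."""
    root = ET.fromstring(xml_text)
    findings = []
    # GPO "User or Computer authentication" corresponds to authMode machineOrUser;
    # machine-only auth is why the controller kept showing host\machinename.
    mode = root.findtext(".//onex:authMode", namespaces=NS)
    if mode != "machineOrUser":
        findings.append(f"authMode is {mode!r}; expected 'machineOrUser'")
    # The "Automatically use my Windows logon name and password" checkbox.
    win_creds = root.findtext(".//mschap:UseWinLogonCredentials", namespaces=NS)
    if win_creds is None or win_creds.strip().lower() != "true":
        findings.append("UseWinLogonCredentials is not true")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("finding:", finding)
```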