06-22-2011 08:30 AM
We're running Aruba OS 220.127.116.11.
We are currently authenticating against the internal database. It has two to three accounts that all of our wireless clients use to authenticate. We recently migrated to Active Directory (coming from Novell eDirectory), and would like to transition our wireless clients to using a radius server to authenticate. This is going to take some time, so we don't want to disrupt current wireless users that are running fine authenticated against the internal database.
I've read through the 802.1x Configuration for IAS chapter in the user guide and a couple other PDF documents, namely a WLAN Base Configuration guide and a guide directed toward using Microsoft's NAP with Aruba. We're not using NAP though, just NPS without the health check bells and whistles.
I've been trying to apply what I've read to our setup, but can't seem to make it work. I've used the "aaa test-server" command to test communication between the controller and the radius server successfully. I've configured a wireless client and when I attempt to authenticate, it looks like it's trying to authenticate against the internal database. How do I get wireless clients to authenticate against the radius server without breaking authentication against the internal database? Is this possible? Do I need to create an entirely new wlan with new SSID, roles, etc. to work with the radius server?
I found the following in the KB:
aaa server-group "authservers"
auth-server Internal match-authstring contains "@aruba"
Could I use this and say substitute the "@aruba" for any of the user names in the internal database? There are only two of them that get any use and both begin with "aruba".
Obviously I'm not very proficient with Aruba Controllers and their configuration, so thanks in advance for any help you can give me toward figuring this out!
06-22-2011 10:30 AM
The one item you have to be careful to check/enable is one called "Fail Through" that is on the server group configuration screen. That will enable the Aruba controller to poll -each- of your authentication servers, instead of just the first one in the list (which may be happening to you now).
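Putting the two posts together, this is what the server group would look like on the CLI with fail-through enabled and the internal database restricted to the legacy shared accounts. It is an added illustration, not configuration from either poster; the server name "NPS-01", the host address, the profile names and the key are placeholders to be replaced with your own values.

```text
! RADIUS entry for the Windows NPS box (name, host and key are placeholders)
aaa authentication-server radius "NPS-01"
   host 192.0.2.10
   key CHANGE-ME-shared-secret
   auth-port 1812
   acct-port 1813
!
! One server group that holds both servers.
! allow-fail-through = the "Fail Through" checkbox from the GUI: if the first
! server rejects or does not match, the controller moves on to the next one.
aaa server-group "authservers"
   allow-fail-through
   ! Internal is only consulted for the two legacy accounts, which both start
   ! with "aruba"; everything else skips it and goes straight to RADIUS.
   auth-server Internal match-authstring starts-with "aruba"
   auth-server "NPS-01"
!
! Point the existing AAA profile at the group so the SSID does not change.
aaa profile "wlan-aaa"
   dot1x-server-group "authservers"
```

Without the match-authstring on Internal, fail-through would also let a user that NPS rejects be retried against the internal database, so keep the match rule in place for as long as the shared accounts exist and remove the Internal line once the migration is finished.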
06-22-2011 02:49 PM