ArubaOS and Controllers

Reply
Contributor I

Setting up radius authentication alongside internal database authentication

Hello All,

We're running Aruba OS 5.0.2.1.

We are currently authenticating against the internal database. It has two to three accounts that all of our wireless clients use to authenticate. We recently migrated to Active Directory (coming from Novell eDirectory), and would like to transition our wireless clients to using a radius server to authenticate. This is going to take some time, so we don't want to disrupt current wireless users that are running fine authenticated against the internal database.

I've read through the 802.1x Configuration for IAS chapter in the user guide and a couple other PDF documents, namely a WLAN Base Configuration guide and a guide directed toward using Microsoft's NAP with Aruba. We're not using NAP though, just NPS without the health check bells and whistles.

I've been trying to apply what I've read to our setup, but can't seem to make it work. I've used the "aaa test-server" command to test communication between the controller and the radius server successfully. I've configured a wireless client and when I attempt to authenticate, it looks like it's trying to authenticate against the internal database. How do I get wireless clients to authenticate against the radius server without breaking authentication against the internal database? Is this possible? Do I need to create an entirely new wlan with new SSID, roles, etc. to work with the radius server?

I found the following in the KB:

aaa server-group "authservers"
auth-server Internal match-authstring contains "@aruba"
auth-server IAS

Could I use this and say substitute the "@aruba" for any of the user names in the internal database? There are only two of them that get any use and both begin with "aruba".

Obviuously I'm not very proficient with Aruba Controllers and their configuration, so thanks in advance for any help you can give me toward figuring this out!

Mark
Aruba

Setting up radius authentication alongside internal database authentication

You will want to have a "Server Group" configured for your WLAN. In that group you would add both internaldB and the radius server (NPS). So there will be two items (rows) in the server group. Assign the server group under the AAA profile for the WLAN you are working on and you should be set.

The one item you have to be careful to check/enable is one called "Fail Through' that is on the server group configuration screen. That will enable the Aruba controller to poll -each- of your authentication servers, instead of just the first one in the list. (which may be happening to you now)
Contributor I

Re: Setting up radius authentication alongside internal database authentication

Thanks for the response. That definitely got me past that hurdle. I can see authentication requests on the RADIUS server now. I'm going to test and watch logs over the next day or so to see if any trouble pops up, but so far so good--and no one has complained of anything yet. Thanks again for the help!
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: