ArubaOS and Controllers

Contributor I
Posts: 33
Registered: ‎04-12-2007

Transferring multiple controller .1x termination to multiple RADIUS servers

Hey guys,

We have a customer who has one SSID across different buildings located throughout the country; they have multiple stand-alone master controllers in each location and they have multiple RADIUS servers as well.

They used to have termination activated in their controllers so they can travel between locations and clients don't need to reconfigure their devices each time they move between locations.

However, if their domain passwords expire they cannot change them on the fly as auth is terminating on the controllers, so they have to pass authentication directly to the RADIUS servers so that when a password expires they can change their AD credentials.

They have installed server certificates on their servers, but now any time you move between buildings you must accept the active server's certificate in order to connect. This is not such a problem on Windows, Mac or even Linux, as every time you change locations you receive a warning.

However, Symbian and other smartphones are a special case as they cannot accept this certificate change as easily as laptops.

So I was wondering if it is possible to install a CA certificate on the RADIUS servers just as you do on the controllers, so they can use the CA certificate as a "global" certificate to authenticate that the servers are not spurious, in a controller's termination fashion.

Thank you so much for your help.
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Transferring multiple controller .1x termination to multiple RADIUS servers

We use certificates for 802.1x stored in the RADIUS server. Each RADIUS server has its own certificate signed by a root CA and all our clients install this root CA. Whichever RADIUS server deals with the request, the certificate chain is validated.

We use PEAP/MSChapv2 on FreeRADIUS, but other combinations should work.
Contributor I
Posts: 33
Registered: ‎04-12-2007

Re: Transferring multiple controller .1x termination to multiple RADIUS servers

Hi jnfern,

So you use server certificates? What happens when mobile clients move between controllers? As each certificate is different for each server, are clients able to validate that each certificate is valid as long as you have the root CA in your list of trusted CAs?

Thanks for your reply
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Transferring multiple controller .1x termination to multiple RADIUS servers

Our RADIUS servers have certificates, our controllers do not.

We have 2 RADIUS servers, each with its own certificate. All our Aruba controllers are configured with both our RADIUS servers; so any client could end up talking to either server at any time.

We have our own ROOT CA, and both RADIUS servers have a (different) certificate signed by this CA.

We install this CA on each client, and tell the client that when connecting to our SSID, it should validate the certificate against this CA.

Regardless of which RADIUS server is used, the client is able to verify the RADIUS certificate was signed by the ROOT CA, so it is happy to accept the certificate - this is the way certificates work in general and is nothing 'special' for our setup.

Even if you were to have certificates within the controller, the same should apply I would imagine - however I'm not a Windows guy, so I don't know if there is something different about authenticating to AD.

HTH,
-Jeff
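As an added example (not from the thread or any poster), the setup Jeff describes reproduced with openssl: one private root CA, two RADIUS server certificates signed by it, and a client-side check that trusts only the root. The names radius1.example.net / radius2.example.net and the "rogue" self-signed certificate are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a private root CA, two RADIUS server certs chained to it,
# and a supplicant-style check that trusts nothing but the root.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The root CA that every client installs as trusted.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Wireless Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# 2. One certificate per RADIUS server, each signed by the same root CA.
#    $1 = file prefix, $2 = server name used as the subject CN
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA root.pem -CAkey root.key \
    -CAcreateserial -days 365 -out "$1.pem" 2>/dev/null
}
issue_server_cert radius1 radius1.example.net
issue_server_cert radius2 radius2.example.net

# 3. A server presenting a self-signed cert with the same CN but no chain to
#    the root: this is what an unknown/spurious RADIUS server looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=radius1.example.net" -keyout rogue.key -out rogue.pem 2>/dev/null

# Client-side validation: only root.pem is trusted, like a phone or laptop
# with the root CA installed and "validate server certificate" enabled.
client_accepts() {
  openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
}

client_accepts radius1.pem && echo "radius1: accepted (chains to root CA)"
client_accepts radius2.pem && echo "radius2: accepted (chains to root CA)"
client_accepts rogue.pem   || echo "rogue: rejected (not signed by trusted CA)"
```

Because both server certificates chain to the one installed root, a client roaming between controllers that talk to different RADIUS servers never sees a new trust prompt, while a server outside that chain is still rejected.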
Contributor I
Posts: 33
Registered: ‎04-12-2007

Re: Transferring multiple controller .1x termination to multiple RADIUS servers

Thanks Jeff, this info is pretty much useful for us.

I see, so you have configured all the servers on all your controllers. I'm not sure if we could do that in our case. I mean, I'm not sure if all of the segments where they have a RADIUS server are reachable from other segments. In fact I think that's the reason why they have multiple 'local' RADIUS servers. I will ask the customer to check if they can make all of the servers reachable from every location.

By the way, what do you do to authenticate users from different servers? AFAIK an authentication server group allows users to authenticate on a backup server only in the case the first server on the list went down, and not to find on which server a user is allowed to authenticate.

Thanks again for your help Jeff
Occasional Contributor II
Posts: 100
Registered: ‎11-05-2009

Re: Transferring multiple controller .1x termination to multiple RADIUS servers

We use multiple RADIUS servers, and have each controller talking to both of them. This isn't required, and if you can't then don't.

We have multiple servers for resilience, so each returns the same data. There is a Fall-Through option that can be set for either: try all servers until a positive result is obtained (1st server says no, try server 2, then 3, etc.) or try all servers until one is contactable and accept that (so if the 1st server says no, it won't try any more).