ArubaOS and Controllers

Occasional Contributor I
silkwood101
Posts: 5
Registered: ‎04-26-2010

securelogin.arubanetworks.com

Hi,

I'm very new to enterprise wireless.. so please bear with me..

I'm trying to set up PEAP for my wireless deployment.. but, I can't seem to get my clients to talk to the controller using the correct certificates...

I've already imported our own Server and CA Certificate on the controller..
but my wireless controller is still using securelogin.arubanetworks.com.

Thanks in advance..
Moderator
cjoseph
Posts: 12,181
Registered: ‎03-29-2007

Re: securelogin.arubanetworks.com

Question:

What radius server are you using for authentication?
In which authentication database are your users? (active directory, ldap?)
Colin Joseph
Aruba Customer Engineering
Occasional Contributor I
silkwood101
Posts: 5
Registered: ‎04-26-2010

Re: securelogin.arubanetworks.com

What radius server are you using for authentication?

I'm using Windows 2008 R2, NPS

In which authentication database are your users? (active directory, ldap?)

It's in AD... My NPS and authentication database are in one box..
It's also my domain controller...


Hope this helps...
Thanks
Moderator
cjoseph
Posts: 12,181
Registered: ‎03-29-2007

Re: securelogin.arubanetworks.com

Please look at the article here: http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/ for detailed instructions on how to set up Windows 2008 NPS for radius authentication.
Colin Joseph
Aruba Customer Engineering
Occasional Contributor I
silkwood101
Posts: 5
Registered: ‎04-26-2010

Re: securelogin.arubanetworks.com

Thanks cjoseph...

I already did that.. followed it step by step..

I don't know, I think I'm missing a piece of configuration on the Aruba controller..

Please check the attachment.. thanks..

--silkwood101
Moderator
cjoseph
Posts: 12,181
Registered: ‎03-29-2007

Re: securelogin.arubanetworks.com

Go into the 802.1x authentication profile and uncheck "termination".

If you already have a certificate on your Radius Server, you do not need one on the Aruba Controller. To get to the 802.1x authentication profile: configuration > Authentication (under security) > L2 Authentication > 802.1x Configuration. Edit your profile and make sure "termination" is unchecked.
Colin Joseph
Aruba Customer Engineering
Occasional Contributor I
qazizia
Posts: 7
Registered: ‎01-16-2011

Re: securelogin.arubanetworks.com

If I uncheck termination, I can't apply new settings due to the following error:

"Error processing command 'aaa authentication dot1x "IRENA_LDAP-dot1x_prof" no termination enable':Error: dot1x-server-group 'LDAP' in aaa profile 'LDAP' contains LDAP server(s). To support this configuration dot1x profile 'IRENA_LDAP-dot1x_prof' should have termination enabled and eaptype set to eap-tls or eap-peap with gtc as the only innereaptype"
Moderator
cjoseph
Posts: 12,181
Registered: ‎03-29-2007

Re: securelogin.arubanetworks.com

You need to set up a RADIUS server, NOT an LDAP server. Please use the link here:

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/
Colin Joseph
Aruba Customer Engineering
Occasional Contributor I
qazizia
Posts: 7
Registered: ‎01-16-2011

Re: securelogin.arubanetworks.com

Actually I have configured RADIUS before, but the problems which we were facing were:

- Initially the same certificate issue, which I uploaded with my first post. After hitting connect 2 times, the network gets connected.
- Second and MAIN problem: it doesn't work with every AD user. That is, with some of the users, when they try to connect to the WLAN, it asks for the account password, keeps asking, and doesn't join the WLAN.

So just for testing, we tried to configure LDAP but are facing some other problems which I have already mentioned.

I hope you got the whole idea
Moderator
cjoseph
Posts: 12,181
Registered: ‎03-29-2007

Re: securelogin.arubanetworks.com

First:

Your radius server MUST have a certificate on it that is generated by a certificate authority. Ideally, that certificate authority would be a domain controller in your network, AND an enterprise Certificate Authority, so that your domain clients already trust it.

Second:

To find out why you are getting errors, you need to look at the Event Viewer on your Windows Server under security (if Windows 2008) to see why your client is failing. If you are using Windows 2003, you need to look in the event viewer under System. The event viewer will tell you why.
Colin Joseph
Aruba Customer Engineering
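
The Event Viewer check described in the last reply can be scripted when many users are affected. The following is an added example, not part of the original thread and not Aruba or Microsoft code: it tallies NPS denial events (Security log event ID 6273) per user and reason. It assumes the events were exported as XML under a single root element (for instance with `wevtutil qe Security /f:xml /e:Events`); the sample events, user names and reason texts are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
NPS_DENIED = "6273"  # "Network Policy Server denied access to a user"


def _event(event_id, user, code, reason):
    """Build one trimmed-down event record (constructed sample data only)."""
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="ReasonCode">{code}</Data>'
            f'<Data Name="Reason">{reason}</Data></EventData></Event>')


# Constructed sample: three denials (6273) and one grant (6272).
SAMPLE = "<Events>" + "".join([
    _event(6273, "EXAMPLE\\alice", 16, "credentials mismatch (constructed)"),
    _event(6273, "EXAMPLE\\alice", 16, "credentials mismatch (constructed)"),
    _event(6273, "EXAMPLE\\bob", 65, "dial-in permission denies access (constructed)"),
    _event(6272, "EXAMPLE\\carol", 0, "access granted (constructed)"),
]) + "</Events>"


def nps_denials(xml_text):
    """Count denial events keyed by (user, reason code, reason text)."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != NPS_DENIED:
            continue  # skip grants and unrelated Security events
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        key = (data.get("SubjectUserName", "?"),
               data.get("ReasonCode", "?"),
               data.get("Reason", ""))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # Most frequent failures first, so a per-user pattern stands out.
    for (user, code, reason), n in nps_denials(SAMPLE).most_common():
        print(f"{n:3d}  {user:20s} reason {code}: {reason}")
```

Grouping by reason code separates users who fail on credentials from users blocked by account or policy settings, which is the distinction the "some AD users work, some do not" symptom needs.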