ArubaOS and Controllers

Occasional Contributor II
Posts: 17
Registered: ‎03-01-2011

windows preauthentication with user authentication

Hello,

Our classroom laptops are using Windows 7 single sign-on. They are attempting to log on to the SSID with user credentials. Our RADIUS server is on our Admin domain. Users with Admin credentials can log in at startup successfully by connecting to the SSID, but users with Instruction credentials (student access with restrictions) will not authenticate. Under the student role, the firewall policies are: basic-netservices, Allow-student_services, Deny-private_nets, allowall.

If I remove Deny-private_nets, student authentication to the Instruction domain is successful. My question is: do I need to add the IP address for the Instruction domain controller to Allow-student_services? (This rule allows only certain private nets to be available to the students.) Also, are there any specific ports that I would need to open up?

Any help on this would be greatly appreciated.
Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Re: windows preauthentication with user authentication

It is a moving target to say the least. It is probably easier to block services like SSH and telnet that you do not want students to have access to, rather than subnets. If you block nothing, your security is the same as that on the wired network, and your students should be able to logon successfully.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 17
Registered: ‎03-01-2011

Re: windows preauthentication with user authentication

That is what we were afraid of. We have to have the deny statement in place to restrict access to servers on the network. I am going to try adding the IP address for the Instruction domain controller into Allow-student_services and see if that is it.

Thanks.
Aruba
Posts: 760
Registered: ‎05-31-2007

windows preauthentication with user authentication

Another strategy, rather than trial and error ;) would be to issue the command "show user ip x.x.x.x" a few times while the device is logging in.

This command shows the exact traffic being generated by the device. You would look for lines ending with the "D" flag, which means they are denied. That will then give you specifics on what destination host and ports are required for the transaction. Run this procedure a few times and ensure it doesn't float around; as Colin has cautioned, it may well be somewhat of a moving target.


(ArubaHQ_Calgary) #show user ip 192.168.0.190

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
17.149.36.125 192.168.0.190 6 5223 64370 0/0 0 96 45 tunnel 10 2dd
192.168.0.190 17.149.36.125 6 64370 5223 0/0 0 96 45 tunnel 10 2dd C


PS - in this example, my iPad is talking on TCP (Prot = 6) port 5223 (standard for iOS devices) to a destination of 17.149.36.125 (good ole Apple Corporate!). Notice there is no "D" flag and thus it is permitted.
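One way to automate the "D" flag check described above, as an added Python example that is not part of the post or of ArubaOS. The output it parses is constructed: the two permitted Apple rows from the listing plus invented denied rows to a hypothetical domain controller at 10.20.0.5, and the column layout is assumed to match the listing above.

```python
import re
# Flag letters from the legend "show user ip" prints; "D" is the deny flag the post says to look for.
FLAG_LETTERS = set("FSNDRYHPTCMVQIUEG")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: the post's two Apple rows plus invented rows to a hypothetical DC 10.20.0.5.
SAMPLE = """\
(ArubaHQ_Calgary) #show user ip 192.168.0.190
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT, D - deny, C - client (legend abridged)
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
17.149.36.125 192.168.0.190 6 5223 64370 0/0 0 96 45 tunnel 10 2dd
192.168.0.190 17.149.36.125 6 64370 5223 0/0 0 96 45 tunnel 10 2dd C
192.168.0.190 10.20.0.5 6 49152 88 0/0 0 0 2 tunnel 1 2dd CD
192.168.0.190 10.20.0.5 17 49153 53 0/0 0 0 2 tunnel 1 2dd CD
192.168.0.190 10.20.0.5 6 49154 389 0/0 0 0 1 tunnel 1 2dd CD
10.20.0.5 192.168.0.190 17 53 49160 0/0 0 0 1 tunnel 1 2dd D
"""

def parse_sessions(output):
    """One dict per session row; the trailing flag tokens become a set of letters."""
    rows, in_table = [], False
    for line in output.splitlines():
        if re.match(r"^-{5,}\s+-{5,}", line):   # the column underline just above the rows
            in_table = True
            continue
        parts = line.split()
        if not in_table or len(parts) < 10:
            continue
        flags = set()
        for tok in parts[10:]:                 # TAge, the "2dd" token, then the flag letters
            if set(tok) <= FLAG_LETTERS:
                flags |= set(tok)
        rows.append({"src": parts[0], "dst": parts[1], "proto": int(parts[2]),
                     "sport": int(parts[3]), "dport": int(parts[4]), "flags": flags})
    return rows

def denied_services(output, client_ip):
    """Sorted (remote host, protocol, remote port) for client_ip sessions carrying the D flag."""
    needed = set()
    for r in parse_sessions(output):
        if "D" not in r["flags"] or client_ip not in (r["src"], r["dst"]):
            continue
        outbound = r["src"] == client_ip       # reply rows: the remote side is the source
        host = r["dst"] if outbound else r["src"]
        port = r["dport"] if outbound else r["sport"]
        needed.add((host, PROTO_NAMES.get(r["proto"], str(r["proto"])), port))
    return sorted(needed)
```

Paste the real controller output in place of SAMPLE; the resulting host/protocol/port tuples are the candidates for the allow rule that must sit above the deny.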
Occasional Contributor II
Posts: 17
Registered: ‎03-01-2011

Re: windows preauthentication with user authentication

Thanks for the tip! We got it to work by just allowing the ports required.