Howdy,
Our office has been considering options for wireless at some schools and got our hands on a pair of AP105 units for a trial run. I set up a guest network quickly with no issues, but have been having difficulty with making an internal wifi network that uses LDAP to authenticate with our DC. I looked around for some extended documentation on the units but came up mostly empty-handed. So I just thought I'd try the forum to see if I can figure out what dumb thing(s) I'm missing here.
Here's the situation. I've set up an AP (ArubaAP01) and its virtual controller. I created a new employee network. VLAN settings are: Network assigned IPs (getting DHCP from our DC) and a static VLAN that's already set up. Security panel shows WPA-2 Enterprise, Termination is Enabled with an Authentication server profile created using LDAP. Mostly the default settings for the LDAP profile. I currently have a domain admin mapped in the Admin-DN, password, and Base-DN configured and looking right. Filter and key attribute are default (* and sAMAccountName). Access panel is currently unrestricted.
With that looking okay, I created a new wireless profile on a Win7 laptop. Put in the SSID, set the security to WPA2-Ent+AES, and PEAP. Unchecked validate server certificate, and the authentication method is EAP-MSCHAP v2 with "automatically use my Windows logon name and password" unchecked (I tried it with it checked initially, then unchecked it to explicitly enter various test credentials). 802.1X settings have User authentication specified, and 802.11 settings only have PMK caching checked.
Trying to connect to the network from the laptop fails after a second or two.
I then looked at the Support tab in the AP to check the Authentication frames. Here's a relevant snippet:
Apr 9 15:14:17 station-up * 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 - - wpa2 aes
Apr 9 15:14:17 eap-id-req <- 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 1 5
Apr 9 15:14:17 eap-start -> 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 - -
Apr 9 15:14:17 eap-id-req <- 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 1 5
Apr 9 15:14:26 eap-id-resp -> 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 1 11 DOMAIN/testuser
Apr 9 15:14:26 rad-req -> 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 12 179
Apr 9 15:14:27 rad-reject <- 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43/ArubaLDAP 12 20
Apr 9 15:14:27 eap-failure <- 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 1 4 server rejected
So I'm not quite sure why it's rejecting. I didn't see any failures in the security log on the specified DC although curiously some of the relevant audit successes to that laptop are showing it trying to use Advapi as the logon process.
Anywho, before I continue to bury you with information, maybe someone knows what I'm doing wrong already or what I need to check next. I couldn't find any means to test the LDAP settings on the AP so I tried hooking a laptop up to its patch cable just to ensure I can make an LDAP session using the settings I entered in (with a program called jXplorer) and that worked fine. Hmm.
Welp, any hand-holding and guidance to get these APs working would be appreciated.
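As an added example (not from the original post or from Aruba), here is a small Python parser for the authentication-frame trace format shown in the post. It groups the frames by client MAC, pulls out the outer EAP identity from the eap-id-resp line, records which server profile answered with rad-reject, and reduces each client's frames to an outcome plus a few hints worth checking. The sample input is the exact trace pasted above; the field layout (timestamp, event, direction, client MAC, AP MAC with an optional "/profile" suffix, id, length, trailing text) is inferred from those eight lines and is an assumption, as is the "eap-success" event name used for accepted sessions.

```python
import re
from collections import defaultdict

# The authentication-frame trace exactly as pasted in the post above
# (client 00:24:2c:17:a1:e7, AP 6c:f3:7f:e7:07:43, server profile ArubaLDAP).
TRACE = """\
Apr 9 15:14:17 station-up * 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 - - wpa2 aes
Apr 9 15:14:17 eap-id-req <- 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 1 5
Apr 9 15:14:17 eap-start -> 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 - -
Apr 9 15:14:17 eap-id-req <- 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 1 5
Apr 9 15:14:26 eap-id-resp -> 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 1 11 DOMAIN/testuser
Apr 9 15:14:26 rad-req -> 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 12 179
Apr 9 15:14:27 rad-reject <- 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43/ArubaLDAP 12 20
Apr 9 15:14:27 eap-failure <- 00:24:2c:17:a1:e7 6c:f3:7f:e7:07:43 1 4 server rejected
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Field layout assumed from the lines above: ts, event, direction, client MAC,
# AP MAC (server profile name appended after "/" on server replies), id, length,
# then any trailing text (cipher suite, identity, or failure reason).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<event>[\w-]+)\s+"
    r"(?P<dir>\*|<-|->)\s+"
    rf"(?P<client>{MAC})\s+"
    rf"(?P<ap>{MAC})(?:/(?P<server>\S+))?\s+"
    r"(?P<id>\S+)\s+(?P<len>\S+)"
    r"(?:\s+(?P<extra>.*))?$"
)


def parse_line(line):
    """Return the fields of one trace line as a dict, or None if it is not a frame record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(trace):
    """Group the trace by client MAC and reduce each client's frames to an outcome."""
    sessions = defaultdict(lambda: {
        "ap": None, "identity": None, "rejected_by": None,
        "outcome": "incomplete", "reason": None, "events": []})
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions[rec["client"]]
        s["ap"] = rec["ap"]
        s["events"].append(rec["event"])
        ev, extra = rec["event"], rec["extra"] or ""
        if ev == "eap-id-resp" and extra:
            # Outer EAP identity sent by the supplicant; the AP forwards this to the server.
            s["identity"] = extra.split()[-1]
        elif ev == "rad-reject":
            # On server replies the profile name follows the AP MAC after a "/".
            s["rejected_by"] = rec["server"]
        elif ev == "eap-failure":
            s["outcome"] = "failure"
            s["reason"] = extra or None
        elif ev == "eap-success":  # assumed event name for an accepted session
            s["outcome"] = "success"
    return dict(sessions)


def triage(session):
    """Plain-language hints to check against the AP and server configuration."""
    hints = []
    ident = session["identity"]
    if ident and ("/" in ident or "\\" in ident):
        hints.append(f"identity {ident!r} carries a domain prefix; confirm the server profile "
                     "matches users by the bare account name (key attribute sAMAccountName) "
                     "or that the supplicant sends the bare name")
    if session["rejected_by"]:
        hints.append(f"server profile {session['rejected_by']!r} answered with a reject rather "
                     "than timing out, so look at the credential check on that profile")
    if session["outcome"] == "incomplete":
        hints.append("no eap-success/eap-failure seen: the exchange timed out or the trace is truncated")
    return hints


if __name__ == "__main__":
    for client, s in summarize(TRACE).items():
        print(client, s["outcome"], s["identity"], s["rejected_by"], s["reason"])
        for h in triage(s):
            print("  -", h)
```

Running it on the pasted trace reports the single client as a failure with reason "server rejected", identity "DOMAIN/testuser" and the reject attributed to the ArubaLDAP profile; the hints point at the identity format versus the sAMAccountName key attribute and at the profile that produced the reject, which are the two things the trace itself can tell you before going to the DC logs.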