Controllerless Networks

New Contributor
Posts: 1
Registered: ‎04-10-2013

AP105 and LDAP help

Howdy,

Our office has been considering options for wireless at some schools and got our hands on a pair of AP105 units for a trial run. I set up a guest network quickly with no issues, but have been having difficulty with making an internal wifi network that uses LDAP to authenticate with our DC. I looked around for some extended documentation on the units but came up mostly empty-handed. So I just thought I'd try the forum to see if I can figure out what dumb thing(s) I'm missing here.

Here's the situation. I've set up an AP (ArubaAP01) and its virtual controller. I created a new employee network. VLAN settings are: Network assigned IPs (getting DHCP from our DC) and a static VLAN that's already set up. Security panel shows WPA2-Enterprise, Termination is Enabled with an Authentication server profile created using LDAP. Mostly the default settings for the LDAP profile. I currently have a domain admin mapped in the Admin-DN, password, and Base-DN configured and looking right. Filter and key attribute are default (* and sAMAccountName). Access panel is currently unrestricted.

With that looking okay, I created a new wireless profile on a Win7 laptop. Put in the SSID, set the security to WPA2-Ent+AES, and PEAP. Unchecked "validate server certificate" and the authentication method is EAP-MSCHAP v2 with "automatically use my Windows logon name and password" unchecked (I tried it with it checked initially, then unchecked it to explicitly enter various test credentials). 802.1X settings have User authentication specified, and 802.11 settings only have PMK caching checked.

Trying to connect to the network from the laptop fails after a second or two.

I then looked at the Support tab in the AP to check the Authentication frames. Here's a relevant snippet:

Apr  9 15:14:17  station-up             *  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            -   -     wpa2 aes
Apr  9 15:14:17  eap-id-req            <-  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            1   5     
Apr  9 15:14:17  eap-start             ->  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            -   -     
Apr  9 15:14:17  eap-id-req            <-  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            1   5     
Apr  9 15:14:26  eap-id-resp           ->  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            1   11    DOMAIN/testuser
Apr  9 15:14:26  rad-req               ->  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            12  179   
Apr  9 15:14:27  rad-reject            <-  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43/ArubaLDAP  12  20    
Apr  9 15:14:27  eap-failure           <-  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            1   4     server rejected

So I'm not quite sure why it's rejecting. I didn't see any failures in the security log on the specified DC although curiously some of the relevant audit successes to that laptop are showing it trying to use Advapi as the logon process. 

Anywho, before I continue to bury you with information, maybe someone knows what I'm doing wrong already or what I need to check next. I couldn't find any means to test the LDAP settings on the AP so I tried hooking a laptop up to its patch cable just to ensure I can make an LDAP session using the settings I entered in (with a program called jXplorer) and that worked fine. Hmm.

Welp, any hand-holding and guidance to get these APs working would be appreciated.
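
Reading a trace like the one above by eye works for one client, but over a longer capture it is easier to pull out the identity that was sent, the server that answered and how quickly it answered with a small parser. The following is an added example, not code from the post above and not Aruba code. It parses the frame layout shown on the Support tab; the event names it keys on are the ones that appear in the quoted trace, plus rad-accept and eap-success, which are assumed names for the success path. SAMPLE_TRACE is a constructed copy of the frames quoted in the post.

```python
"""Triage an Aruba Instant 'Authentication frames' trace.

Added example (not from the post above and not Aruba code). It parses the
whitespace-separated trace the Support tab shows into records and summarises
one client's 802.1X attempt: identity sent, the server that answered, how long
the answer took and how it ended. SAMPLE_TRACE is a constructed copy of the
frames quoted in the post.
"""
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# One trace line: timestamp, event, direction (*, <-, ->), station MAC, BSSID
# (suffixed with "/<auth-server-name>" on RADIUS replies), EAP id, length and
# free-form trailing text (cipher, identity, failure reason). Lines that do
# not match, such as blanks or pager residue, are skipped by parse_trace().
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<event>\S+)\s+(?P<dir>\*|<-|->)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<server>\S+))?\s+"
    r"(?P<id>\S+)\s+(?P<len>\S+)(?:\s+(?P<extra>\S.*?))?\s*$"
)

# Event names below are taken from the quoted trace; rad-accept and
# eap-success are assumed names for the success path (not in the post).
SUCCESS_EVENTS = {"rad-accept", "eap-success"}

# Constructed sample: the eight frames quoted in the post.
SAMPLE_TRACE = """\
Apr  9 15:14:17  station-up             *  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            -   -     wpa2 aes
Apr  9 15:14:17  eap-id-req            <-  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            1   5
Apr  9 15:14:17  eap-start             ->  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            -   -
Apr  9 15:14:17  eap-id-req            <-  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            1   5
Apr  9 15:14:26  eap-id-resp           ->  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            1   11    DOMAIN/testuser
Apr  9 15:14:26  rad-req               ->  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            12  179
Apr  9 15:14:27  rad-reject            <-  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43/ArubaLDAP  12  20
Apr  9 15:14:27  eap-failure           <-  00:24:2c:17:a1:e7  6c:f3:7f:e7:07:43            1   4     server rejected
"""


def parse_trace(text):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["extra"] = rec["extra"] or ""
            records.append(rec)
    return records


def _seconds(rec):
    """Time of day in seconds; the trace has no year, so deltas assume one day."""
    h, m, s = (int(x) for x in rec["time"].split(":"))
    return h * 3600 + m * 60 + s


def triage(text, station=None):
    """Summarise a client's attempt; station filters a multi-client trace."""
    recs = parse_trace(text)
    if station is not None:
        recs = [r for r in recs if r["sta"] == station]
    summary = {
        "station": recs[0]["sta"] if recs else None,
        "cipher": None,
        "identity": None,
        "server": None,
        "outcome": "no-eap-result",
        "reason": None,
        "reject_delay_s": None,
        # Frames between the identity response and the reject: only "rad-req"
        # means the server refused the first request carrying the identity,
        # before any further EAP round trips took place.
        "between_identity_and_reject": [],
        "events": [r["event"] for r in recs],
    }
    identity_idx = None
    for i, r in enumerate(recs):
        ev = r["event"]
        if ev == "station-up":
            summary["cipher"] = r["extra"]
        elif ev == "eap-id-resp":
            summary["identity"] = r["extra"]
            identity_idx = i
        elif ev == "rad-reject":
            summary["server"] = r["server"]
            if identity_idx is not None:
                summary["reject_delay_s"] = _seconds(r) - _seconds(recs[identity_idx])
                summary["between_identity_and_reject"] = [
                    x["event"] for x in recs[identity_idx + 1:i]
                ]
        elif ev == "eap-failure":
            summary["outcome"] = "failure"
            summary["reason"] = r["extra"]
        elif ev in SUCCESS_EVENTS:
            summary["outcome"] = "success"
            summary["server"] = r["server"] or summary["server"]
    return summary


def describe(summary):
    """One-line human-readable verdict for a triage() summary."""
    if summary["outcome"] == "failure":
        return (f"{summary['station']} sent identity {summary['identity']!r}; "
                f"{summary['server']} rejected after {summary['reject_delay_s']}s "
                f"({summary['reason']}); frames in between: "
                f"{summary['between_identity_and_reject'] or 'none'}")
    if summary["outcome"] == "success":
        return f"{summary['station']} authenticated via {summary['server']}"
    return f"{summary['station']}: no EAP result in trace"


if __name__ == "__main__":
    print(describe(triage(SAMPLE_TRACE)))
```

Paste the Support tab output into a file and feed it to triage() per station MAC; the between_identity_and_reject list is the quickest tell of whether the server ever got past the outer identity or refused on the first request.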

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: AP105 and LDAP help

If you have Active Directory, you should set up a RADIUS server.

LDAP would only support EAP-GTC as an inner authentication method, which would require that you install some sort of supplicant on the clients.

Again, if you have a domain, search for instructions on how to set up IAS (Windows 2003 server) or NPS (Windows 2008 server) and use that as a RADIUS target.

Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 51
Registered: ‎03-21-2013

Re: AP105 and LDAP help

Hi, I have the exact same problem.

Thing is that my client has LDAP authentication working fine right now with an Aruba controller and some controlled APs.

He decided to deploy some Instant APs in another location, but using the same LDAP server that the Aruba controller uses. Laptops are only working with controlled APs. Thing is that mobile phones (Android or iOS) work perfectly with both types of APs, controlled and Instant.

Did you find any solution?

Regards,
