
[tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

  • 1.  [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Mar 05, 2014 03:10 PM

    Hello!

    In this tutorial I'll show you how to configure 802.1X with server derived role (which is the interesting part of 802.1X with Aruba)

     

    What do you need to achieve this?

    1. Windows Server 2012 (2008 and 2003 work as well)

    2. NPS role on Windows Server 2012

    3. Certificate installed on Windows Server 2012 (the tutorial assumes you have it already installed)

    4. Instant AP cluster

     

    Before beginning, let's do some explaining about this:

     

    Server derived user role is a feature that is on Aruba products only!

    It permits you to give different roles to different types of users; with roles I mean rules.

    For example you got 2 groups in Active Directory

    Accounting

    Engineering

     

    You would like, with the SAME SSID, to give different access to the users in accounting than to the users in engineering.

    Let's say that with the same SSID you would like to give access to everything in the company to the engineering group, but to the accounting group you just want to give access to 2 servers in the company!

    You can do it with server derived user role!

    In other brands like Cisco you need to set them in different VLANs, and you need to start creating one VLAN for each different access you want, which makes you work more and have unnecessary VLANs, plus you need to restrict this access on other devices....

    With Aruba you can do all this on the same box!

     

    Okay, let's begin

     

    Windows Server 2012 Configuration

    After you have installed the NPS role you need to open the NPS role, and as soon as you open it you will see this wizard, which is great because it makes it way easier!

    NPS_8021xConfig.JPG

     

    Click on Configure 802.1X

    NPS_8021xConfig2.JPG

    Click on configure secure wireless network like in the image! and click next

     

    NPS_8021xConfig3.JPG

    On RADIUS clients click add

     

    NPS_8021xConfig4.JPG

    Next to the blue arrow you need to put the cluster IP address

    Next to the orange arrow you need to put a preshared key between the Instant cluster and the RADIUS server, and click accept

     

    NPS_8021xConfig5.JPG

     

    Select Microsoft EAP PEAP and click configure

    Then on the dropdown, as you see in the blue box, you need to select the certificate that you installed on your server, then click accept and then click next

    NPS_8021xConfig6.JPG

     

    Click add, and then in the space in there you type the Active Directory group which will have access to the network with the first role.

    Remember that we can have through the same SSID different roles with different access to the network. Those roles are linked to a user group, which is the one we are selecting here.

    NPS_8021xConfig7.JPG

     

    Click next

     

    NPS_8021xConfig8.JPG

    Click configure

     

    NPS_8021xConfig9.JPG

    Click on Filter-Id and click edit

    Remember that this Filter-Id is the word that we send to the cluster of Instant APs so they know the name of the role they are assigning... for example if I put Home in here then there should be a role named Home in the Instant APs; if I put in here the word engineering then there should be a role named engineering in the Instant APs

     

    NPS_8021xConfig10.JPG

    Click add and put the string, which is the word that will be sent to the IAP cluster, as you see in the green box

     

    NPS_8021xConfig11.JPG

    Click accept and then finish

     

    If you have more roles with different access, let's say you have 2 more groups you would like to do, then go and repeat the wizard! The only thing that will change will be the Active Directory group you are choosing, and the word you are using to send that value to the Instant cluster!

    Now you are done with Windows 2012

     

     

    Now let's begin to configure the Instant AP cluster

     

    Instant_8021x_1.JPG

    When you enter the web GUI click on security

    Instant_8021x_2.JPG

    Click New

    Instant_8021x_3.JPG

    In the IP address put the IP of the NPS server (Windows Server 2012 in this case)

    Put also the preshared key (the one that we used before in Windows Server 2012)

    Click OK

     

    Instant_8021x_4.JPG

     

    Click on System

    Instant_8021x_5.JPG

    On dynamic RADIUS proxy put enabled; this is really important... otherwise you would need to add all the Instant APs in the cluster to the clients on the Windows 2012 NPS, but if you enable it you won't have to do that.

     

    Instant_8021x_6.JPG

     

    Click New

     

    Instant_8021x_7.JPG

     

    Put the name of the SSID in the box

     

    Instant_8021x_8.JPG

    Here you need to put Network assign

    And client VLAN assignment depends on what VLAN you will use for your wireless (in my case for demo purposes I chose default)

     

    Instant_8021x_9.JPG

    On security level put Enterprise, on authentication server select the server that we configured earlier on the Instant AP, and click next

     

    Instant_8021x_10.JPG

    Click New like you see in the red box

    Instant_8021x_11.JPG

    On Attribute choose Filter-Id, on Operator choose Is, and then the role

    Click OK

    Instant_8021x_12.JPG

    And in the name of the role put the word that you are using on the NPS in the Filter-Id to send to the Instant cluster.

    If you have 3 different accesses to your network for different groups of users, then you need to create 3 different roles with 3 different names, which you will use on the NPS to send to the Instant cluster

    On each role you need to put the rules you want; for example, in the next picture I show you

    Instant_8021x_13.JPG

    In the Home role the users do not have access to the 172.17.0.2 server and have access to everything else

     

    Instant_8021x_14.JPG

     

    In the engineering role they have access to everything!

    Remember that the words Home and Engineering come from the value you assign to the group of users on the NPS.

     

    And well, you click finish and you are done!

     

    After configuring this you should check out my other tutorial, which tells you how to correctly configure the endpoint, I mean the Windows machine, with EAP-PEAP. This is really important for security reasons. I see many configuring it incorrectly

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Correctly-configure-EAP-PEAP-Windows-client/td-p/43398

     

     


    Cheers

    Carlos

     
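As an added illustration (not part of Carlos's post and not Aruba or Microsoft code), here is a small Python model of the Filter-Id round trip the tutorial relies on: NPS puts the group's string into the RADIUS Filter-Id attribute of the Access-Accept, and the Instant cluster's "Filter-Id Is <value>" derivation rule maps that string onto a role. The rule list, the role names and the default role name `wlan-default` are constructed assumptions; the check worth keeping is that a Filter-Id with no matching configured role quietly lands the user in the SSID's default role, which is exactly what a typo between the NPS string and the IAP role name produces.

```python
import struct

FILTER_ID = 11  # RADIUS attribute type for Filter-Id (RFC 2865); the string NPS sends

# Constructed sample: one Instant role derivation rule per Filter-Id string,
# shaped as (attribute type, operator, value, role to assign).
RULES = [
    (FILTER_ID, "is", "Engineering", "Engineering"),
    (FILTER_ID, "is", "Home", "Home"),
    (FILTER_ID, "is", "Accounting", "Accounting"),  # rule exists, role was never created
]
CONFIGURED_ROLES = {"Engineering", "Home"}  # roles that actually exist on the cluster
DEFAULT_ROLE = "wlan-default"  # assumed name for the SSID's default user role

def encode_attrs(attrs):
    """Serialize (type, bytes) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)

def decode_attrs(data):
    """Parse TLVs back into (type, bytes) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def derive_role(accept_attrs, rules=RULES, roles=CONFIGURED_ROLES, default=DEFAULT_ROLE):
    """First matching 'Filter-Id Is <value>' rule wins; everything else gets the default role."""
    for attr_type, operator, value, role in rules:
        for got_type, got_value in accept_attrs:
            if got_type == attr_type and operator == "is" and got_value == value.encode():
                return role if role in roles else default  # unknown role cannot be applied
    return default

def role_for_filter_id(filter_id):
    """Round-trip: build the Access-Accept attributes NPS would send, then derive the role."""
    wire = encode_attrs([(FILTER_ID, filter_id.encode())])
    return derive_role(decode_attrs(wire))
```

Running `role_for_filter_id("Accounting")` shows the failure mode: the NPS side is fine, but because no Accounting role exists on the cluster the user gets the default role rather than the intended restrictions.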



  • 2.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    EMPLOYEE
    Posted Mar 05, 2014 05:16 PM
    awesome!


  • 3.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Mar 05, 2014 05:17 PM

    Thank you very much Sean! :)

     

    Cheers

    Carlos



  • 4.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Mar 24, 2014 12:39 AM

    I added a link at the end of the tutorial, which is another old tutorial I made that tells you how to correctly configure the Windows machines for EAP-PEAP, which is important for security reasons.

     

    Cheers

    Carlos



  • 5.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Mar 24, 2014 04:06 AM

    Excellent post Nightshade!!!!!



  • 6.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Mar 25, 2014 01:25 AM

    Thanks Normal Guy!



  • 7.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Dec 08, 2014 07:26 AM

    Hi,

     

    I have gone through your link. I am having one small doubt.

    While configuring it is asking for IP/DNS address. Which IP address do I have to give?

    1) Is it the IP address given by the network service provider (122.166.214.27)?

    2) Is it the IP address of the server, i.e., 192.168.50.11 (where I am configuring the RADIUS server)?

    3) Is it the IP address of the firewall (we are using Fortinet; for that the IP is 192.168.50.1)?

    All our client machines are getting IPs from the server (192.168.50.11); the server is DHCP enabled.

     

    The Server IP address is as follows:

    IP: 192.168.50.11

    Gateway: 192.168.50.1

    DNS: 192.168.50.1

     

    Regards.,

    Srinivas.



  • 8.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Dec 08, 2014 09:25 AM

    While configuring in what part?

    Do you mean when configuring the RADIUS server????

    If you are configuring the RADIUS server on Windows 2012 you must use the Instant cluster IP address and put it in there

    Cheers

    Carlos

     



  • 9.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Dec 08, 2014 11:27 PM

    Hi,

     

    Thanks for your quick reply Carlos.

    While configuring the RADIUS server only. It will ask for IP (or) DNS address.

    I didn't get the exact meaning of cluster IP address, as I am new to this. Can you tell me in brief which IP address I have to give?

    Cluster IP means we have to give the ARUBA device configuration IP, right?

     

     

    Regards., 

    Srinivas.

     



  • 10.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Dec 09, 2014 11:15 AM

    Hello

    The cluster IP is the administration IP you give to the group of Instants.

    original.jpg

    You configure it on virtual controller IP, which is on System. Remember to enable dynamic RADIUS proxy.

    Also I feel you need to learn the basics of the Instant.

    Here is a really nice video tutorial; it covers anything you need to know about them.

     

    http://cloud.arubanetworks.com/instant-training

     

     

    Cheers

    Carlos



  • 11.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Jun 15, 2015 01:27 PM

    Hi Carlos,

     

    It does not appear that you include machine authentication in this article, and whether the following issue exists on Instant or not?
    As I understand it there is an issue when using multiple user roles with controller-based platforms when the machine authentication check is also in use, and server derived user roles cannot override the default user role. Thus what our engineers have done in the past is move the machine-auth check to ClearPass, and this works fine, but it would also be great for our smaller customers if they could have Machine + User Auth checks with a combination of Microsoft NPS and IAPs.
    Do you know if this is possible or do we still have to rely on ClearPass for this combined auth operation?

    Many thanks

    Graham Dayer

    Pervasive Networks UK

    graham.dayer@pervasive.co.uk



  • 12.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Jun 15, 2015 01:35 PM

    This tutorial does not include machine authentication; it's just EAP-PEAP with Instant.

    To tell you the truth I once tried machine authentication with a client, but it gave so many issues that in the end we had to remove it...

    He was using EAP-PEAP + machine authentication and moved to EAP-TLS only

    The issues it gave, as far as I remember, are that the user had to log off and log in to authenticate the machine again, as it's the only stage in which the computer does a machine authentication. Sometimes the users suddenly had no access and they had to log off and log in again to get access again, which was really annoying to the end user.

    Sorry I'm not able to help with your query....

     

    Cheers

    Carlos

     



  • 13.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Jun 16, 2015 06:39 AM

    Ok, thank you very much Carlos for sharing your findings. Very useful in any case.

     

    Kind regards

    Graham



  • 14.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Oct 15, 2016 07:26 PM

    Absolutely great tutorial.
    It works fine.

    Thanks a lot
    Peter



  • 15.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Oct 15, 2016 07:57 PM

    Glad the tutorial keeps helping people...

    I'll have to get some time to build more tutorials of other things.

     

    Cheers

    Carlos



  • 16.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted Jun 15, 2015 01:41 PM

    If machine / user auth pass then the role identified by the Filter-Id will be used; if not, the user auth only role will be used

    2015-06-15 13_38_42-How-To configure NPS as RADIUS server for Aruba Instant APs - NPS Part 3.pdf - A.png



  • 17.  RE: [tutorial]802.1X with Server Derived user role - Instant+Windows Server 2012 Config #mhc

    Posted May 07, 2017 08:14 AM

    Hi,

     

    If I want to achieve the same thing on a Mobility Controller, what changes should I make?