Security, WIDS/WIPS and Aruba ECS

Occasional Contributor I
Posts: 7
Registered: ‎03-27-2008

MAC Auth with EAP PEAP MSCHAPv2

Hello,
I'm trying to get a wireless tablet PC to log in to a Windows domain.
The problem is the authentication RADIUS server is not on the Domain Controller and the Domain Controller is not running the IAS RADIUS service.
I see the authentication for host/machinename getting to the RADIUS server but I am unable to configure a valid account there for a response.

Is it possible to use MAC authentication for the initial authentication at the Windows login screen, then use 802.1x via the Windows username and password to log in to the domain?

Any assistance is appreciated.

Bob Yaworski
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

IAS Server not on the Domain


Bob,

Quite frankly, you will save a great deal of work if you put the IAS server on the domain, because you will be able to do Machine Authentication to get this computer authenticated before a user logs on. The server would just need to be a "member" of the domain, not a domain controller. MAC authentication on the same SSID before the computer logs in would not satisfy your need, because in 802.1x, there still needs to be a username and password exchanged with the RADIUS server to be able to pass traffic. You cannot configure a username and password because at the Ctrl+Alt+Delete screen the computer sends its hostname as the username and its SID, or security identifier negotiated with the domain, as the password. Nobody knows what the SID is, but in a domain, it does exist. With a domain computer and a server that is not on the domain, that relationship does not exist.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 7
Registered: ‎03-27-2008

Re: MAC Auth with EAP PEAP MSCHAPv2

Thanks Colin.
I have a Steel Belted RADIUS installed on a server that is on the Domain but I'm not sure how to get it to authenticate the machine.
I see the request come in as 'host/machinename' but I'm not sure how to add it to the RADIUS server to authenticate it. Should I have the RADIUS point to the Active Directory server as an LDAP server?
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Domain Computers


Hi Bob,

If you have that SBR already authenticating users via dot1x, you only have to add the "Domain Computers" group to allow these machines to authenticate.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 61
Registered: ‎08-12-2009

Hardware authentication and MAC Auth together

Is it possible to use MAC and 802.1x Authentication together? Saying a user has to pass one or the other to have access?

Ed
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

MAC and 802.1x Auth

If you configure both in the same AAA profile, MAC auth will be done first, and then 802.1x. If MAC auth is not passed, auth will not be passed to 802.1x.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 7
Registered: ‎03-27-2008

Re: MAC Auth with EAP PEAP MSCHAPv2

My issue turned out to be not directly related to the Aruba. It was the external RADIUS authentication server and certificates. Once I got that straightened out I was able to add the Domain Computers to the authentication list and it's been working well since.

Thanks for all your input.