Security, WIDS/WIPS and Aruba ECS

Super Contributor II
Posts: 355
Registered: ‎02-22-2011

Radius Fail-through and 802.1x Machine Authentication

Hi All,

I am looking for some advice on the best way to achieve what I believe to be a difficult setup for one of my clients.

My client has a requirement to authenticate users across two separate RADIUS servers (some users are located on each server and it is not practical to set up a trust between the forests that they relate to).

My first thought was to implement Server Fail-through; however, the client needs to utilise Machine Authentication, so this isn't really an option according to the 5.x user guide, as EAP termination needs to be enabled to accomplish this. I did consider a static database of the machine names, but they have in excess of 4000 devices across their network, so this isn't ideal.

The next thought was to use Dynamic Server Selection; however, the users don't have any distinguishable differences in the domain suffix or format of the username that would identify which RADIUS server they belong to.

This is where I hit a brick wall...

So I thought I'd turn to the forum to see if anybody has run into any similar scenarios and found a solution.

The client is currently using an environment predominantly centred around ArubaOS 3.2.4 on 3200 and 800 controllers, but they are prepared to upgrade to 5.x or 6.x if there are some relevant changes that may address this requirement.

Thanks
Scott
Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Radius Fail-through and 802.1x Machine Authentication

Edited



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor II
Posts: 355
Registered: ‎02-22-2011

Re: Radius Fail-through and 802.1x Machine Authentication

Hi Colin,

Thanks for the speedy reply!

Can you please clarify, as I'm referring to the detail in the 5.0 user guide, which states:

Before enabling fail-through authentication, note the following:
• This feature is not supported for 802.1x authentication with a server group that consists of external EAP-compliant RADIUS servers. You can, however, use fail-through authentication when the 802.1x authentication is terminated on the controller (AAA FastConnect).


Doesn't this suggest that by using an external server with EAP (in our case PEAP-MSCHAPv2) you can't use fail-through?

I'm by no means any kind of RADIUS expert, so if I'm misunderstanding this then I'm happy to be corrected!

Scott
Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Radius Fail-through and 802.1x Machine Authentication

Edited.



Colin Joseph
Aruba Customer Engineering


Super Contributor II
Posts: 355
Registered: ‎02-22-2011

Re: Radius Fail-through and 802.1x Machine Authentication

Hi Colin,

Sorry for asking a silly question as I'm new to the forums, but are you affiliated with Aruba?

Reason I ask is I'm trying to find an "official" answer, not that I doubt your advice.

I have had a conflicting response from the TAC (below); however, I have actually tested this myself in my lab and I did seem to be able to get it to work provided I turned off the Validate Server Certificate option in the Windows client.

Trying to give my client the best possible answer!

This is the response I had from the TAC:

Case # 1235275 : Radius Failthrough and PEAP

Comments :

ISSUE
=======
Customer wants to know whether fail-through can be used when he has 2 RADIUS servers.

Troubleshooting
==============
EAP fail-through does not work with EAP terminated at the RADIUS server, because each RADIUS server might have a different certificate and EAP is a multiple-packet exchange.

Next Action
==========
Customer has to inform us whether we can close the ticket or he needs any assistance.



Thanks very much for your help, I appreciate it!

Scott
Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Radius Fail-through and 802.1x Machine Authentication

Scott,

I work at Aruba, but I answer questions here in my own capacity.

I apologize: TAC is correct, along with its explanation.

The only way that this works is if you:

Enable Termination at the controller (make the controller terminate the EAP session with a certificate that is valid and trusted by both populations of clients).

According to TAC:

"802.1x pass-through will NOT be supported. In this case a TLS tunnel is established between the station and the auth server. When the password fails authentication on one auth server, because the switch does not know the state of the tunnel, it cannot redirect the tunnel to another auth server. In order to tear down the tunnel, the switch has to send EAP-Failure to the station. At this point it appears to the station that authentication has already failed, and it is up to the station to try again.

802.1x termination will be supported."

I tested in the lab, just like you, with the "Validate Server Certificate" option unchecked, and it will work like that, but it is an unacceptable security practice in any environment. Sorry for the mixup.

Just to make this even more complicated, the combination of Machine Authentication will not work with EAP termination on Windows IAS or Windows 2003 server. It does work on Juniper Odyssey or Freeradius, however.


Colin Joseph
Aruba Customer Engineering

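
The mechanism Colin and the TAC describe, as an added example that is not part of the original thread and not Aruba code: a small Python model of a server group with fail-through enabled, run once in 802.1X pass-through mode and once with EAP terminated on the controller. Everything in it is constructed for illustration: the server names, CAs, user accounts and passwords, the HMAC-SHA256 stand-in for the MS-CHAPv2 NT hash and challenge/response, and the modelling assumption that after an EAP-Failure in pass-through mode the station retries and is then shown the next server's certificate. The "evil-twin" server is there to show what the Windows Validate Server Certificate checkbox protects against.

```python
"""Toy model of RADIUS fail-through with PEAP-MSCHAPv2: pass-through vs. termination.

Constructed example, not Aruba code. Server names, CAs, users, passwords and
the hash/response stand-ins are made up for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def nt_hash(password: str) -> bytes:
    # Stand-in for the MS-CHAPv2 NT hash (really MD4 over UTF-16LE); SHA-256 is
    # used only because many hashlib builds no longer ship MD4.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def mschapv2_response(password: str, challenge: bytes) -> bytes:
    # Stand-in for the MS-CHAPv2 challenge/response. Two properties matter here:
    # any server holding the user's hash can check it, and the same
    # challenge/response pair can be presented to more than one server.
    return hmac.new(nt_hash(password), challenge, hashlib.sha256).digest()


@dataclass
class RadiusServer:
    name: str
    ca: str                                        # issuer of its EAP certificate
    users: dict = field(default_factory=dict)      # accounts of its own forest
    captured: list = field(default_factory=list)   # every response it was shown

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        self.captured.append((user, challenge, response))
        pw = self.users.get(user)
        return pw is not None and hmac.compare_digest(
            mschapv2_response(pw, challenge), response)


@dataclass
class Supplicant:
    user: str
    password: str
    validate_server_cert: bool     # the Windows "Validate server certificate" box
    trusted_cas: frozenset

    def accepts_cert(self, ca: str) -> bool:
        return not self.validate_server_cert or ca in self.trusted_cas


def passthrough(supp: Supplicant, group: list) -> str:
    """802.1X pass-through: the TLS tunnel ends on a RADIUS server. On an
    Access-Reject the controller can only send EAP-Failure; it cannot hand the
    tunnel to the next server. Modelling assumption: the station then starts a
    fresh EAP conversation and meets the next server's certificate."""
    for server in group:
        if not supp.accepts_cert(server.ca):
            return "eap-failure"      # station aborts TLS; nothing to fail through
        challenge = os.urandom(16)
        response = mschapv2_response(supp.password, challenge)
        if server.verify(supp.user, challenge, response):
            return "accept:" + server.name
    return "eap-failure"


def terminated(supp: Supplicant, controller_ca: str, group: list) -> str:
    """EAP termination (AAA FastConnect): the controller is the TLS endpoint, so
    the station validates one certificate. The controller holds the inner
    MS-CHAPv2 exchange and can present it to each server in the group."""
    if not supp.accepts_cert(controller_ca):
        return "eap-failure"
    challenge = os.urandom(16)
    response = mschapv2_response(supp.password, challenge)
    for server in group:
        if server.verify(supp.user, challenge, response):
            return "accept:" + server.name
    return "eap-failure"


def run_scenarios() -> dict:
    """Constructed lab: forest A and forest B each run their own RADIUS server
    under their own PKI; CA-WLAN issued the controller certificate and is
    trusted by both populations; evil-twin is a rogue AP/RADIUS pair."""
    results = {}
    for validate in (True, False):
        a = RadiusServer("radius-a", "CA-A", {"alice": "Wint3r!"})
        b = RadiusServer("radius-b", "CA-B", {"bob": "Summ3r!"})
        rogue = RadiusServer("evil-twin", "CA-ROGUE")
        alice = Supplicant("alice", "Wint3r!", validate, frozenset({"CA-A", "CA-WLAN"}))
        bob = Supplicant("bob", "Summ3r!", validate, frozenset({"CA-B", "CA-WLAN"}))
        tag = "validate" if validate else "novalidate"
        results[f"alice-passthrough/{tag}"] = passthrough(alice, [a, b])
        results[f"bob-passthrough/{tag}"] = passthrough(bob, [a, b])
        results[f"bob-terminated/{tag}"] = terminated(bob, "CA-WLAN", [a, b])
        passthrough(bob, [rogue])                      # bob joins the evil twin
        results[f"rogue-captured/{tag}"] = len(rogue.captured)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:32} {value}")
```

Run it and the two bob-passthrough rows differ only by the checkbox: with validation on, bob (whose account lives on radius-b) never gets past radius-a's certificate; with it off he authenticates, but the rogue server also collects his challenge/response for offline cracking. The bob-terminated rows succeed with validation on, because the station only ever validates the controller's CA-WLAN certificate while the controller replays the inner exchange to each server in turn; alice, whose account is on the first server, is fine in every mode.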

Super Contributor II
Posts: 355
Registered: ‎02-22-2011

Re: Radius Fail-through and 802.1x Machine Authentication

Hi Colin,

Thanks for the detailed explanation!

I had all the pieces of the puzzle but just couldn't put them together myself; you have done that for me.

Now it all makes sense!

I appreciate your assistance with this one.

Scott
MVP
Posts: 777
Registered: ‎03-25-2009

Re: Radius Fail-through and 802.1x Machine Authentication

"Just to make this even more complicated, the combination of Machine Authentication will not work with EAP termination on Windows IAS or Windows 2003 server. It does work on Juniper Odyssey or Freeradius, however."

Care to clarify what exactly you mean by this, Colin? Surely it's possible to use machine auth with IAS?
Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite
Posts: 21,260
Registered: ‎03-29-2007

Re: Radius Fail-through and 802.1x Machine Authentication

Yes, but not with termination at the controller.



Colin Joseph
Aruba Customer Engineering
