Security

Contributor II
Posts: 54
Registered: 09-27-2012

802.1X terminated at controller w/ Win2k8 NPS as Radius

Hello, I'm hoping someone can help me out as I'm fairly new to Aruba, and I'm stuck.

 

I am trying to setup 802.1x on an Aruba 3600.  Because Aruba does not support fail-over for multiple servers with 802.1x, I have to terminate the 802.1x on the controller, and then pass the credentials to my windows servers.  I have a public certification from godaddy that I have installed on the controller, however, users are still getting errors...

 

Radius Server:           *******
Root CA:                    http://www.valicert.com/

The server "*******" presented a valid certificate issued by "http://www.valicert.com/", but "http://www.valicert.com/"....

 

Is there anywhere I can find step by step instructions on setting up an Aruba controller with a public cert for 802.1x termination on the controller, and authentication on a windows server 2008 box? 

 

I hope I am making sense here; my frustration is currently blinding.

Solutions Engineer
CWNA-CWDP-ACMP-ACCP
Guru Elite
Posts: 20,816
Registered: 03-29-2007

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

1st problem:

When you say fail-over, do both servers have users in the same domain? If that is the case, you do not need termination. You only need termination if you want to do fail-through, which is used when you have two servers in different domains, serving up different sets of users. Fail-through is used to detect when there is a negative hit due to a bad username/password and then move on to the next server. If both servers are in the same domain, disable fail-through, because if a user fails authentication on the first server, he will certainly fail on the second, but there will be a considerable delay.

2nd problem:

The users who want to authenticate via 802.1x need to have the Valicert root CA and any intermediate certificates installed in their Trusted Root Store. I'm sure Valicert will give you those certificates.

How to install those certificates into the trusted root store of your clients: http://technet.microsoft.com/en-us/library/cc754841.aspx

Colin Joseph
Aruba Customer Engineering

MVP
Posts: 2,958
Registered: 10-25-2011

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

Hello, I've got a question for you.

What do you mean when you say "Because Aruba does not support fail-over for multiple servers with 802.1x"?

Do you mean that Aruba does not support failover? For example:

Let's say I've got 2 NPS servers which are my RADIUS servers, and one dies; it won't fail over to the secondary.

Because if that's what you mean, you can put in a secondary server, and when one fails it will fail over to the other... I have got that scenario working at a client with 2 NPS servers, and if one fails the other will take over the authentications. Like a redundancy.

If I'm confused and you mean something else, then please correct me.

As far as I know, you terminate the 802.1x on the controller when the RADIUS server is on another remote site, to improve performance.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II
Posts: 54
Registered: 09-27-2012

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

OK, so I misunderstood. I was reading "fail-through" to mean the same as RADIUS redundancy.

We've decided not to terminate 802.1x on the controller, but to get certificates for the NPS server. I generated a CSR from my NPS server, and I got the certs from GoDaddy. I then installed the certificate on the server; however, users are still reporting that they are getting this:

The server "xxx" presented a valid certificate issued by "Go Daddy Class 2 Certification Authority", but "Go Daddy Class 2 Certification Authority" is not configured as a valid trust anchor for this profile. Further, the server "xxx" is not configured as a valid NPS server to connect to for this profile.

What am I doing wrong here? :( I'm new to Aruba, but not to wireless.

Solutions Engineer
CWNA-CWDP-ACMP-ACCP
MVP
Posts: 2,958
Registered: 10-25-2011

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

There's a manual for it:

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/td-p/14392

Check it out... maybe this helps you? It's step by step!

That's if you want to configure PEAP EAP.

And this is how you correctly configure EAP PEAP clients:

http://community.arubanetworks.com/t5/Authentication-and-Access/Correctly-configure-EAP-PEAP-Windows-client/td-p/43398

If you want the highest security you will have to configure EAP TLS, but you need a certificate on all the clients....

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II
Posts: 54
Registered: 09-27-2012

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

I followed that manual pretty closely (except I'm using a public cert from GoDaddy).

I imported the intermediate cert into the intermediate cert store, and I installed the other cert into IIS. I selected it in NPS, yet I'm still getting....

presented a valid certificate issued by "Go Daddy Class 2 Certification Authority", but "Go Daddy Class 2 Certification Authority" is not configured as a valid trust anchor for this profile.

To further test the issue, I bound the cert to an HTTPS site on the same server, and I'm still getting an untrusted cert warning in my browser. I guess I need to call GoDaddy or something.

Solutions Engineer
CWNA-CWDP-ACMP-ACCP
MVP
Posts: 2,958
Registered: 10-25-2011

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

Okay

Did you buy the certificate from GoDaddy? You need to buy a certificate for this... there is a special certificate for this... you can ask the salesman at GoDaddy, I guess, so they can sell you the correct one for 802.1x, which will work on a Microsoft NPS server, and well, you will use it for PEAP EAP.

That certificate you bought, did you install it on the server which is the NPS?

You should install that certificate on the NPS server in the Personal cert store.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,958
Registered: 10-25-2011

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

You need to buy a cert from GoDaddy.

Now that cert from GoDaddy goes in the Personal cert store...

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,958
Registered: 10-25-2011

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

Okay, I missed this part:

"The server "xxx" presented a valid certificate issued by "Go Daddy Class 2 Certification Authority", but "Go Daddy Class 2 Certification Authority" is not configured as a valid trust anchor for this profile. Further, the server "xxx" is not configured as a valid NPS server to connect to for this profile."

Also you said:

"imported the intermediate cert to the intermediate cert store, and i installed the other cert into IIS"

I apologize, I was doing fast reading through my cellphone.

I'm assuming you were putting the Go Daddy Class 2 Certification Authority cert in the Intermediate Certification Authorities store.

That root certificate does not belong in that cert store...

It belongs to the store shown here: [image: certautgodady.png]

And it belongs to the Third-Party Root Certification Authorities: [image: CertAuthoGodaddy]

I already know you know this, but you should make sure you see this in the Trusted Root Certification Authorities on the client... and also, well, mark it as the one you are using to validate the certificate that the server is showing you, to prove it is the correct server you are connecting to...

And well, to install those certificates you just go to the MMC console, add the Certificates snap-in, click on Computer, go to the store, and on Certificates you right-click and click Import, and well, then you browse to the certificate.

Here you've got the cert if you don't have it:

http://www.adelaide.edu.au/its/wireless/support/faq/?template=print

Just scroll down, you will see it.

Anyway, after that you should see the cert authority in the list...

I guess you already put the certificate you got from GoDaddy in your Personal store on your server (I mean the public key of your server signed by GoDaddy's private key), and you already configured the connection request policy and also the network policy as well, with PEAP EAP selecting the certificate you got from GoDaddy...

After that you should be working fine...

Hope this helps.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
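A way to check the server side of what's described above (is the server cert usable for PEAP, does its chain build, and which store each link actually sits in), as an added example that is not code from this thread or from Aruba. It assumes the GoDaddy-issued server certificate with its private key is in LocalMachine\My on the NPS server and runs in PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): on the NPS server, check that the PEAP server
# certificate chains to a root that Windows holds in the Trusted Root store, and flag a
# root that was imported into the Intermediate (CA) store instead, as discussed above.
# Assumes the GoDaddy-issued server certificate with its private key is in LocalMachine\My.
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU; NPS will not use a cert without it

function Get-StoresHolding([string]$Thumbprint) {
    # Return the LocalMachine store names that contain a certificate with this thumbprint.
    # Root = Trusted Root CAs, AuthRoot = Third-Party Root CAs, CA = Intermediate CAs, My = Personal.
    $found = @()
    foreach ($store in "Root", "AuthRoot", "CA", "My") {
        $hit = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($hit) { $found += $store }
    }
    if ($found.Count -eq 0) { return "(not in any LocalMachine store)" }
    return ($found -join ", ")
}

$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*Go Daddy*" } |
    Select-Object -First 1
if (-not $serverCert) { Write-Error "No GoDaddy-issued certificate with a private key in LocalMachine\My"; return }

# The certificate must carry the Server Authentication EKU or NPS will not offer it for PEAP.
$ekuExt = $serverCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = ($ekuExt -ne $null) -and
    (($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }) -ne $null)
"Server cert : $($serverCert.Subject)"
"Server Authentication EKU present: $hasServerAuth"

# Build the chain the way SChannel does (revocation skipped so this also works offline).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($serverCert)
"Chain builds to a trusted root: $chainOk"
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "  {0}`n      found in: {1}" -f $c.Subject, (Get-StoresHolding $c.Thumbprint)
}
foreach ($status in $chain.ChainStatus) { "  ChainStatus: $($status.Status) - $($status.StatusInformation)" }

# The mistake from this thread: a self-signed root sitting in Intermediate (CA) but not in Root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if ($top.Subject -eq $top.Issuer -and -not $inRoot) {
    Write-Warning "Root '$($top.Subject)' is not in Trusted Root Certification Authorities on this server."
    Write-Warning "Import it into LocalMachine\Root here, and into each client's Trusted Root store."
}
```

The last check warns only for the exact mistake discussed above: a self-signed root that was imported into the Intermediate store but not into Trusted Root. The second half of the client error ("not configured as a valid NPS server") comes from the server-name check in the client's PEAP profile, not from the certificate stores.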
Contributor II
Posts: 54
Registered: 09-27-2012

Re: 802.1X terminated at controller w/ Win2k8 NPS as Radius

When you buy an SSL cert from GoDaddy, you get your cert, as well as an intermediate cert.

I installed the root cert via IIS (complete cert request), but before doing that, I inserted the intermediate cert into my intermediate cert authority; however, the cert is still coming up as untrusted. I am literally at my wits' end :(

Solutions Engineer
CWNA-CWDP-ACMP-ACCP