MVP
Posts: 1,394
Registered: ‎05-28-2008

802.1x in front of USB token.

Hi AirHeads Forum.

I'm deploying a controller these days in front of RADIUS (Windows 2003).

I added the RADIUS server as normal, built the 802.1x auth server group, and added the right AAA profile to the VAP.

(When testing auth with username and password in AAA test, everything works great.)

The client in this organization uses a USB token (that has the cert on it).

I don't know what I'm doing wrong, but the client keeps getting stuck at "validating identity".

Anyone here got advice?

Please S.O.S

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: 802.1x in front of token USB.

Can you verify what authentication type the IAS server is using? If you can run an AAA test to the server successfully, you know the RADIUS communication is functioning, but it seems as though either the client is not configured to use EAP-TLS or no matching RADIUS policy on IAS is set up to use EAP-TLS. Looking at the System Event log on the IAS server at the time of authentication should give you some information about the logon attempt/failure. Can you share that?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 1,394
Registered: ‎05-28-2008

Re: 802.1x in front of token USB.

1. We’re using only MS-CHAP v2 authentication.

2. We have progress and currently we're getting the following errors on the RADIUS server:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 7/2/2012
Time: 11:59:33 AM
User: N/A
Computer: RINGMASTER
Description:
User Adi-g@orbotech.org was denied access.
Fully-Qualified-User-Name = orbotech.org/ORB/ISL/Adi Gamliel
NAS-IP-Address = 172.23.17.60
NAS-Identifier = aubra-master
Called-Station-Identifier = 000B866DCC3C
Calling-Station-Identifier = 00166F3F1BE1
Client-Friendly-Name = Aruba
Client-IP-Address = 172.23.17.60
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = 
Policy-Name = Aruba 3600 Adi
Authentication-Type = EAP
EAP-Type = 
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: 802.1x in front of token USB.

I think that is where the confusion is. In your original post, you mention using certificates on the USB device. Using certificates means using EAP-TLS, not MS-CHAP v2. The "Reason Code" in your event log indicates a mismatch in the EAP type. For example, the client is trying to use a certificate (EAP-TLS), but the IAS policy only supports PEAP-MSCHAP v2 or something else.

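As an added example (not from this thread, Aruba or Microsoft), a small Python parser that splits an IAS Event ID 2 description into its fields and flags Reason-Code 22, the EAP type mismatch described in the reply above. The sample event is constructed to mirror the quoted log; user, realm, host names, addresses and MACs are placeholders.

```python
import re

# Constructed sample modelled on the IAS Event ID 2 description quoted in the thread.
# User, realm, host names, addresses and MACs are placeholders, not real values.
SAMPLE_EVENT = (
    "User user1@example.org was denied access. "
    "Fully-Qualified-User-Name = example.org/Users/User One "
    "NAS-IP-Address = 192.0.2.60 NAS-Identifier = wlan-controller "
    "Called-Station-Identifier = 000000000001 "
    "Calling-Station-Identifier = 000000000002 "
    "Client-Friendly-Name = Aruba Client-IP-Address = 192.0.2.60 "
    "NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = 0 "
    "Proxy-Policy-Name = Use Windows authentication for all users "
    "Authentication-Provider = Windows Authentication-Server = "
    "Policy-Name = Aruba 3600 Example Authentication-Type = EAP EAP-Type = "
    "Reason-Code = 22 Reason = The client could not be authenticated because the "
    "Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
)

# A field name is a capitalised, hyphen-joined token immediately followed by " = ".
# A value runs up to the next field name, so empty values (EAP-Type = ) are handled.
FIELD_RE = re.compile(r"([A-Z][A-Za-z0-9]*(?:-[A-Za-z0-9]+)*) = ")


def parse_ias_description(text):
    """Split the flattened Description text into a {field: value} dict."""
    fields = {}
    matches = list(FIELD_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def diagnose(fields):
    """Return (label, explanation); only Reason-Code 22 is classified here."""
    if fields.get("Reason-Code") == "22":
        return (
            "eap-type-mismatch",
            f"policy '{fields.get('Policy-Name', '?')}' rejected the client's EAP type "
            f"(EAP-Type logged as '{fields.get('EAP-Type', '')}'); a certificate/token "
            "logon needs EAP-TLS enabled on the matching IAS remote access policy",
        )
    return ("unclassified",
            f"Reason-Code {fields.get('Reason-Code', '?')}: {fields.get('Reason', '')}")


if __name__ == "__main__":
    parsed = parse_ias_description(SAMPLE_EVENT)
    label, why = diagnose(parsed)
    print(f"{parsed.get('Fully-Qualified-User-Name')}: {label} - {why}")
```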
