MVP
Posts: 3,015
Registered: ‎10-25-2011

802.1x master and master standby question

I was just configuring master and master standby redundancy for a client.

I was configuring the 802.1x.

My virtual IP address is 192.168.10.10

Master 192.168.10.11

Master Standby 192.168.10.12

On the NPS, as the RADIUS client I had 192.168.10.10 for the WC, I mean the virtual IP of the master and master standby,

and well, that didn't work... the controller was telling me that it could not find the AAA server.

I had to put 2 RADIUS clients: 192.168.10.11 and 192.168.10.12

Is this the correct way to do it? Or should I use the virtual IP address? If I should use the virtual IP address, is there something I'm missing?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: 802.1x master and master standby question

What do you have for the show ip radius commands?

 

(controller) #show ip radius nas-ip

RADIUS client NAS IP address = x.x.x.x

 

(controller) #show ip radius source-interface

Global radius client source IP address = x.x.x.x
Per-server client source IPv4 addresses:

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 3,015
Registered: ‎10-25-2011

Re: 802.1x master and master standby question

show ip radius nas-ip

RADIUS client NAS IP address = 192.168.10.10

(WC_Parlatino) #show ip radius source-interface

Global radius client source IP address = 0.0.0.0
Per-server client source IPv4 addresses:

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
pto
Contributor I
Posts: 21
Registered: ‎05-02-2013

Re: 802.1x master and master standby question

The default is delivering the mgmt interface as NAS IP. Add the other nodes on the Microsoft NAP server as clients. Add all nodes with different community strings. Make the strings REALLY strong.

 

Reg.

Peet

 

MVP
Posts: 3,015
Registered: ‎10-25-2011

Re: 802.1x master and master standby question

When you say nodes, do you mean the real IP addresses of the controllers? The master and the master standby?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
pto
Contributor I
Posts: 21
Registered: ‎05-02-2013

Re: 802.1x master and master standby question

Yes. Not the virtual loopback. Real IP, that is if you're running with the default RADIUS server config.

You could specify what interface the packet should originate from. Just add both nodes with controller IP (or the originating VLAN IP) to the NPS server.

Don't know where you're located, but here it's the middle of the night. I'll respond in 4 hours if you've got some more questions.

 

MVP
Posts: 3,015
Registered: ‎10-25-2011

Re: 802.1x master and master standby question

I already configured it that way.

My question was if it was the correct way to configure it, or if I should configure it in another way! :)

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
pto
Contributor I
Posts: 21
Registered: ‎05-02-2013

Re: 802.1x master and master standby question

Yes, that's correct. There is of course a lot to think about when configuring 802.1x, but your configuration so far is correct.

Reg,

Peet
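Added example, not part of the original thread and not Aruba or Microsoft code: a small Python model of why registering only the virtual IP failed. It assumes the RADIUS server selects the client entry by the UDP source address of the request (RFC 2865) and that each controller sends from its own IP, as described above, while the NAS-IP-Address attribute still carries 192.168.10.10; the function names are hypothetical.

```python
import ipaddress
import struct

# Constructed values taken from the thread: VRRP virtual IP and each controller's own IP.
VIP, MASTER, STANDBY = "192.168.10.10", "192.168.10.11", "192.168.10.12"
NAS_IP_ADDRESS = 4  # RADIUS attribute type 4 (RFC 2865)


def build_access_request(nas_ip: str, identifier: int = 1) -> bytes:
    """Build a minimal Access-Request carrying only a NAS-IP-Address attribute."""
    attr = struct.pack("!BB4s", NAS_IP_ADDRESS, 6, ipaddress.IPv4Address(nas_ip).packed)
    authenticator = bytes(16)  # constructed placeholder, not a real random authenticator
    header = struct.pack("!BBH16s", 1, identifier, 20 + len(attr), authenticator)
    return header + attr


def nas_ip_of(packet: bytes):
    """Walk the attribute list and return the NAS-IP-Address value, if present."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == NAS_IP_ADDRESS and a_len == 6:
            return str(ipaddress.IPv4Address(packet[pos + 2:pos + 6]))
        pos += a_len
    return None


def lookup_client(clients: dict, udp_source_ip: str, packet: bytes) -> dict:
    """Server-side client lookup: keyed on the UDP source IP, never on NAS-IP-Address."""
    name = clients.get(udp_source_ip)
    return {"source": udp_source_ip, "nas_ip": nas_ip_of(packet),
            "client": name, "accepted": name is not None}


def audit(clients: dict, sources=(MASTER, STANDBY)) -> list:
    """Return the controller source IPs whose requests the server would not recognise."""
    pkt = build_access_request(VIP)
    return [ip for ip in sources if not lookup_client(clients, ip, pkt)["accepted"]]
```

With only the VIP registered, `audit({VIP: "wc-vip"})` returns both controller IPs; registering only the master leaves the standby unrecognised after a failover.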
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: 802.1x master and master standby question

I would suggest using the IP address your APs are not using to contact the controller, so if you have a VRRP VIP and your APs use that to contact the controller, I would use either the management VLAN IP address or the loopback for the RADIUS source IP address.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
pto
Contributor I
Posts: 21
Registered: ‎05-02-2013

Re: 802.1x master and master standby question

Only thing to think about is keeping the RADIUS requests in a backend LAN so they can't be captured.

There's a weak cipher on the RADIUS packet that can be easily bruteforced. And deactivate PAP \ MSCHAP on the RADIUS server. Only use MSCHAPv2, nothing less than this, even though this also is weak.
