New Contributor
Posts: 4
Registered: ‎11-07-2014

802.1x novell eap

Hi,

 

Has anyone been able to get Novell client on Windows laptop (wireless) to authenticate back to NPS? The NPS rejects the authentication saying user credentials mismatch.

Here is the thing I don't understand: 
If I disable Novell's 802.1X authentication, and use Windows' MSCHAP v2, I can log on wireless. Once Novell's 802.1X is enabled, it fails - immediate failed authentication.
Checking "validate server certificate" in the wireless profile has no effect. It fails authentication with Novell client, but works on Windows client.
On another wireless system (trapeze) we have, I can login wireless with Novell client successfully.

On Android phones, authentication works as long as you select MSCHAP v2 for phase 2 authentication.

I am using Windows 7 (64 enterprise) with Novell client 2 SP3. 
We have FreeRadius proxies running version 2.1.1
The backend NPS servers are running Windows 2012 R2 standard and they have certificates installed.
We have a pair of 7030 mobility’s and a pair of 7210 controllers. All of our APs are AP-225 
On a user who has authenticated without Novell client, NPS shows EAP Type: Microsoft: Secured Password (EAP-MSCHAP v2).
On a user who failed authentication with Novell client, NPS shows EAP Type: -. reason code 16.
When authentication fails with Novell, it does match the correct Connection Request policy name and Network policy name.

What is causing the Novell client to fail? 
I'm pretty sure I'm missing other info, so let me know what else is needed.

Guru Elite
Posts: 8,185
Registered: ‎09-08-2010

Re: 802.1x novell eap

What type of password hash are you using in Novell? If it's the default hash, you cannot use EAP-PEAP (non-reversible). You would need to use EAP-PEAP-GTC which provides support for more hash types but unfortunately requires a client for Windows and Mac devices.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 4
Registered: ‎11-07-2014

Re: 802.1x novell eap

I'm not sure what password is being used in Novell. I would imagine if that was the problem, I wouldn't be able to authenticate on another wireless system.

 

After speaking to a few other people, it seems that it's possible that the FreeRadius proxy -> NPS could be at fault. It is a newer system compared to the other wireless system.

Arnab told me the EAP is transparent. Is there anything I could look at from the Aruba side to see what is going on? The debug on Novell client said about eapol undefined.

Guru Elite
Posts: 20,575
Registered: ‎03-29-2007

Re: 802.1x novell eap


tim_c wrote:

Hi,

 

Has anyone been able to get Novell client on Windows laptop (wireless) to authenticate back to NPS? The NPS rejects the authentication saying user credentials mismatch.

Here is the thing I don't understand: 
If I disable Novell's 802.1X authentication, and use Windows' MSCHAP v2, I can log on wireless. Once Novell's 802.1X is enabled, it fails - immediate failed authentication.
Checking "validate server certificate" in the wireless profile has no effect. It fails authentication with Novell client, but works on Windows client.
On another wireless system (trapeze) we have, I can login wireless with Novell client successfully.

On Android phones, authentication works as long as you select MSCHAP v2 for phase 2 authentication.

I am using Windows 7 (64 enterprise) with Novell client 2 SP3. 
We have FreeRadius proxies running version 2.1.1
The backend NPS servers are running Windows 2012 R2 standard and they have certificates installed.
We have a pair of 7030 mobility’s and a pair of 7210 controllers. All of our APs are AP-225 
On a user who has authenticated without Novell client, NPS shows EAP Type: Microsoft: Secured Password (EAP-MSCHAP v2).
On a user who failed authentication with Novell client, NPS shows EAP Type: -. reason code 16.
When authentication fails with Novell, it does match the correct Connection Request policy name and Network policy name.

What is causing the Novell client to fail? 
I'm pretty sure I'm missing other info, so let me know what else is needed.


Tim_c,

 

You mention NPS and Freeradius and it is not clear how you have either configured.  You mention that it is working on Trapeze.  The only thing you might want to do is to make sure that you do NOT have "termination" enabled in the 802.1x profile of the Aruba controller.

 

You said it works with Trapeze.  Which radius server (NPS or Freeradius) did you have Trapeze pointing to?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎11-07-2014

Re: 802.1x novell eap

Hi,


I have checked and termination is not ticked. 

 

In regards to the configuration, here is what we have -

Freeradius is a proxy to the NPS.

Aruba -> Freeradius -> NPS


On a separate system we have:
Trapeze -> Freeradius (older version, different box)  -> IAS 

I can think of three things:

- certificate or trust issue
- Freeradius is misconfigured
- NPS is misconfigured

It doesn't make sense why I can authenticate with just the windows client with or without certificate.



Guru Elite
Posts: 20,575
Registered: ‎03-29-2007

Re: 802.1x novell eap

Why not point the Aruba Controller to the older version of Free radius for complete parity with the trapeze?

 

 



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 4
Registered: ‎11-07-2014

Re: 802.1x novell eap

Hi,

 

Pointing to the old system, Novell client via wireless works.

 

AP-225 -> FreeRadius 1.1.7 -> Win 2003 OK

AP-225 -> FreeRadius 2.1.1 -> Win 2012 Fail

 

One of Novell's docs says do not use Win 2008 but use FreeRadius as backend.

When I find more info, I'll post back.
