Frequent Contributor I
Posts: 72
Registered: ‎03-21-2013

802.1x with internal db and Radius server

Hi,


We have set up dot1x authentication using an LDAP server. We also want to add the internal DB to the server group so that users who are in the internal DB can also be authenticated using dot1x. Is it possible? I tried to enable termination on the Aruba controller, but then it doesn't authenticate clients using the RADIUS server.


We need an SSID which can authenticate both users on the RADIUS server and users in the internal DB.


Please advise.

MVP
Posts: 4,002
Registered: ‎07-20-2011

Re: 802.1x with internal db and Radius server

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 19,945
Registered: ‎03-29-2007

Re: 802.1x with internal db and Radius server

If you have a RADIUS server that is pointing to LDAP and it is working, that means you have a server certificate on the RADIUS server that your clients trust. To put local users on the controller and enable termination, you need to issue a server certificate to the controller that your clients ALSO trust. Have you issued a server certificate to the controller and referenced it in the 802.1x profile on the controller?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Frequent Contributor I
Posts: 72
Registered: ‎03-21-2013

Re: 802.1x with internal db and Radius server

No I haven't tried that.

Frequent Contributor I
Posts: 72
Registered: ‎03-21-2013

Re: 802.1x with internal db and Radius server

How can I make the server issue a certificate to the controller?

Guru Elite
Posts: 19,945
Registered: ‎03-29-2007

Re: 802.1x with internal db and Radius server

If you have 802.1x working on your RADIUS server, you must have a certificate authority that issued it a server certificate. You just need to have that Certificate Authority (CA) issue the Aruba controller a server certificate to terminate EAP requests.


Quite frankly, it is not worth the effort of issuing a server certificate for a controller just to authenticate local users on the controller. It would be easier to find a way to put users on the RADIUS server locally or in LDAP.

Frequent Contributor I
Posts: 72
Registered: ‎03-21-2013

Re: 802.1x with internal db and Radius server

Yes you are right.


I will setup guest users in AD.

One more quick question. I have created a server group and set up a NAS ID so that on my NPS server I can create a rule, and that NAS ID, when carried in the packets, should be matched only against the rule which has the NAS Port ID attribute set up on NPS. But this is not happening. The request moves on to the next rule (which is to authenticate students with a different NAS ID from the controller) and authenticates a user on an SSID where it should not. For example, it is authenticating a student user on the staff SSID.


Any ideas?

Guru Elite
Posts: 19,945
Registered: ‎03-29-2007

Re: 802.1x with internal db and Radius server

The NAS ID and the NAS Port ID are not the same thing. If you configure a NAS-ID on the controller, your rule on NPS should have a matching NAS-ID as well. On the NPS server, go into Event Viewer under Server Roles and NPS to see the contents of the incoming request and find out what is wrong.

Frequent Contributor I
Posts: 72
Registered: ‎03-21-2013

Re: 802.1x with internal db and Radius server

Yes, I am going through the logs and nothing is obvious. It was working all right 2 hours ago. I was creating a new SSID and created a new NPS rule for the new SSID. But as the new rule is below the old rule, it has started to authenticate users based on the new rule on the previous SSID as well. :(


Don't know how :(

Guru Elite
Posts: 19,945
Registered: ‎03-29-2007

Re: 802.1x with internal db and Radius server

Your most specific NPS rule needs to be first.

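To make the first-match behaviour behind that advice concrete, here is an added example (not from this thread and not NPS's own code) that models NPS network-policy evaluation in Python: policies are tried in order, and the first policy whose conditions all match decides the outcome. The policy names, NAS-ID values, user names and group names are constructed, and the condition matching is simplified to regular expressions.

```python
import re
from dataclasses import dataclass


@dataclass
class Policy:
    """Simplified model of one NPS network policy (hypothetical structure, not NPS's data model)."""
    name: str
    conditions: dict   # RADIUS attribute name -> pattern; every condition must match
    groups: set        # "Windows Groups" condition: membership in any listed group matches

    def matches(self, request: dict) -> bool:
        for attr, pattern in self.conditions.items():
            # A condition on an attribute the request does not carry can never match.
            if not re.fullmatch(pattern, str(request.get(attr, ""))):
                return False
        return bool(self.groups & request.get("groups", set()))


def evaluate(policies: list, request: dict):
    """Return the name of the first policy whose conditions all match, or None (Access-Reject)."""
    for policy in policies:
        if policy.matches(request):
            return policy.name
    return None


# Constructed requests: the NAS-ID configured on the controller's server group arrives
# as the NAS-Identifier attribute, not as NAS-Port-Id.
STAFF_USER = {"User-Name": "jsmith", "NAS-Identifier": "staff-wlan", "groups": {"Staff"}}
STUDENT_USER = {"User-Name": "s1234", "NAS-Identifier": "student-wlan", "groups": {"Students"}}
STUDENT_ON_STAFF_SSID = {"User-Name": "s1234", "NAS-Identifier": "staff-wlan", "groups": {"Students"}}

# Broken order: the staff rule tests the wrong attribute, so it never matches, and the
# student rule below it has no NAS-Identifier condition, so it matches on any SSID.
BROKEN_POLICIES = [
    Policy("Staff SSID", {"NAS-Port-Id": "staff-wlan"}, {"Staff"}),
    Policy("Student SSID", {}, {"Students"}),
]

# Corrected: both rules condition on NAS-Identifier, with the most specific rule first.
FIXED_POLICIES = [
    Policy("Staff SSID", {"NAS-Identifier": "staff-wlan"}, {"Staff"}),
    Policy("Student SSID", {"NAS-Identifier": "student-wlan"}, {"Students"}),
]

if __name__ == "__main__":
    for label, policies in (("broken", BROKEN_POLICIES), ("fixed", FIXED_POLICIES)):
        for req in (STAFF_USER, STUDENT_USER, STUDENT_ON_STAFF_SSID):
            print(label, req["User-Name"], req["NAS-Identifier"], "->", evaluate(policies, req))
```

With the broken order the student account is accepted on the staff SSID and the staff account is rejected outright; with the corrected order each SSID only accepts its own group.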