New Contributor
Posts: 4
Registered: ‎11-11-2012

First time Aruba user, setting up with 2008 R2 Radius authentication server advice wanted.

Hi,

We just got our first Aruba setup (1x 620 Controller and 4x 105 APs) and I want to set it up using Radius on one of our 2008 R2 servers.

We have our own Windows domain (2008 R2 functional level).

Now then, basic steps are pretty straightforward.

1. Set up the Radius server and add the controller as a client.

2. Set up the controller to use the Radius server for auth requests.

3. Add the licenses and APs.

I haven't been able to find a guide that runs through the procedure and the required Radius client settings.

Can anyone point me in the right direction?

MVP
Posts: 1,407
Registered: ‎11-30-2011

Re: First time Aruba user, setting up with 2008 R2 Radius authentication server advice wanted.

on what side? the radius server or the aruba controller? on the controller it is quite easy, just run the WLAN/LAN wizard and create a WPA2 enterprise secured network. on the Microsoft Radius side it is a little more complicated, but there are some resources about it.

this site gives a nice run through:

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

i attached a document i got from this site i believe. i would test it first on a separate AD server to get the hang of it before trying it in production.


New Contributor
Posts: 4
Registered: ‎11-11-2012

Re: First time Aruba user, setting up with 2008 R2 Radius authentication server advice wanted.

Hi,

Thanks for the quick reply and great information.  Server side setup is ok, but the Aruba side is where I have the questions.

I am guessing that I should just add the RADIUS server to it.

I have one other question though.

We have a guest network on VLAN 200 and I want to create a separate SSID for guests to use for simple internet access.

I have a Cisco Aironet 1130AG that I had configured a few years ago for this duty, but am now replacing with the Aruba setup.

With the Cisco, I just had to add the VLAN ID and then associate the SSID with that VLAN.

But the Aruba seems to do it a bit differently and I can't figure it out.

I tried to add a VLAN 200 on it, in the auth setting, selected default/none and assigned to the ports connecting to the APs and the uplink port.

But now I can't access the controller anymore!

MVP
Posts: 1,407
Registered: ‎11-30-2011

Re: First time Aruba user, setting up with 2008 R2 Radius authentication server advice wanted.

yes you have to add the radius server on the controller, then put it in a server group and associate that server group with the aaa profile, you also need a dot1x profile to make sure authentication happens. it is really easier, certainly when starting with aruba, to go through the WLAN/LAN wizard and have it set up all these profiles for you. afterwards you can check the profiles to see how it all fits together.

the same WLAN/LAN wizard can be used to create the other network you want. with aruba you usually set up all the vlans you need on the controller (one VLAN per port or multiple VLANs on one port via a trunk) and then configure on the virtual AP profile the vlan you want the clients to end up in. you don't have to configure the VLAN towards the APs, in principle they build a tunnel to the controller and through that they can access what they need as long as they can reach the controller.
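
Added example (not part of the original posts, and not output from the wizard): a constructed ArubaOS 6.x CLI sketch of how the objects described in the reply above chain together, from RADIUS server to server group to AAA profile with a dot1x profile, and how the virtual AP profile selects the client VLAN. Every profile name, the server address, the corporate VLAN 10 and the shared secret are placeholders chosen for illustration; only VLAN 200 for guests comes from the thread.

```text
! Constructed example. Names, 192.0.2.10, VLAN 10 and the key are placeholders.
! RADIUS server (the 2008 R2 NPS host); the key must match the NPS client entry
aaa authentication-server radius "nps-2008r2"
   host 192.0.2.10
   key <shared-secret>
!
! Server group that the AAA profile points at
aaa server-group "nps-group"
   auth-server "nps-2008r2"
!
! dot1x profile so that 802.1X authentication takes place
aaa authentication dot1x "corp-dot1x"
!
! AAA profile ties the dot1x profile and the server group together
aaa profile "corp-aaa"
   authentication-dot1x "corp-dot1x"
   dot1x-server-group "nps-group"
   dot1x-default-role "authenticated"
!
wlan ssid-profile "corp-ssid"
   essid "Corp"
   opmode wpa2-aes
!
! The virtual AP decides which VLAN the clients end up in
wlan virtual-ap "corp-vap"
   ssid-profile "corp-ssid"
   aaa-profile "corp-aaa"
   vlan 10
!
! Guest SSID: VLAN 200 exists on the controller and is selected per virtual AP
vlan 200
!
aaa profile "guest-aaa"
   initial-role "guest"
!
wlan ssid-profile "guest-ssid"
   essid "Guest"
   opmode opennetwork
!
wlan virtual-ap "guest-vap"
   ssid-profile "guest-ssid"
   aaa-profile "guest-aaa"
   vlan 200
!
ap-group "default"
   virtual-ap "corp-vap"
   virtual-ap "guest-vap"
```

The port configuration that carries VLAN 200 on the uplink is left out because it depends on the switch side; the ports facing the APs and the controller's management VLAN stay unchanged, since the APs tunnel client traffic to the controller.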

New Contributor
Posts: 4
Registered: ‎11-11-2012

Re: First time Aruba user, setting up with 2008 R2 Radius authentication server advice wanted.

Hi,

Just another quick question.

Is there a way to do this without installing certificate services?

My boss is pushing to do it without, but I was under the impression that for 802.1x client authentication you need a CS server running.  My MS study also tells me this, but my boss is stubborn.

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: First time Aruba user, setting up with 2008 R2 Radius authentication server advice wanted.


The_Don wrote:

> Hi,
>
> Just another quick question.
>
> Is there a way to do this without installing certificate services?
>
> My boss is pushing to do it without, but I was under the impression that for 802.1x client authentication you need a CS server running.  My MS study also tells me this, but my boss is stubborn.


Quite frankly, you need a certificate server ONLY to issue a certificate to the radius server.  The certificate server is not a construct that is even used in any Active Directory function, so it does not affect anything that you are doing.  The main purpose is to issue a server certificate to the radius server that your clients will authenticate to.  The reason why you want to do this is that if it is an Enterprise CA, your clients will automatically trust it and you will not have to (1) pay a 3rd party certification authority, (2) figure out if your clients trust it or not, (3) deal with the complication of an intermediate certification authority.

It is really trivial.  Once the certificate is issued, the certificate authority service does not even have to be running until it is time to renew the radius server 802.1x (SSL) certificate.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎11-11-2012

Re: First time Aruba user, setting up with 2008 R2 Radius authentication server advice wanted.

Thanks for the quick reply.

 

He is worried about the side effects of installing an Enterprise CA on the domain for the client PC's.

 

I know we will need to set in GPMC the autoenroll for the default domain policy.

 

I think I will make a lab environment to confirm the process before doing it in the production environment.

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: First time Aruba user, setting up with 2008 R2 Radius authentication server advice wanted.


The_Don wrote:

> Thanks for the quick reply.
>
> He is worried about the side effects of installing an Enterprise CA on the domain for the client PC's.
>
> I know we will need to set in GPMC the autoenroll for the default domain policy.
>
> I think I will make a lab environment to confirm the process before doing it in the production environment.


I can tell you the side effects are NONE.  AD has its own internal mechanisms to function and installing a CA is completely separate from those.  You will not need to set GPMC for autoenrollment if you are using simple PEAP (username and password authentication).  Autoenrollment is for Client-Side (TLS) authentication which is not as prevalent as PEAP.



Colin Joseph
Aruba Customer Engineering
