ssh
Occasional Contributor I
Posts: 5
Registered: ‎08-26-2012

Internal radius server authentication problem

Hi,

 

I am using two AP90s in virtual controller mode and I want my users to authenticate using the internal RADIUS server of the APs. Here is what I configured thus far:

 

- Enabled Dynamic Radius proxy

- Created a new network that is configured to use the internal radius server

- Created a user to test the settings

- Uploaded a server certificate (pfx), a trusted PositiveSSL wildcard certificate, that I also use for our webserver

- Uploaded a CA certificate (cer), a trusted AddTrust certificate

 

I try to connect to the network using an XP SP3 client. I configured the following for the wireless network settings:

 

- WPA2+AES

- EAP type: PEAP

- verification method: EAP-MSCHAP v2

- configured it to not use the Windows password and username; this seems to be fine, when I connect to the network it asks for a user name and password

 

Until here I am able to connect to the network, however as soon as I check the verify server certificate checkbox in the EAP-properties I am not able to connect to the network anymore. Every five seconds it asks for the username and password again.

 

I hope someone can help. Are there things I need to set? Do I for example need to use a domain name in the password and username box on the XP client when it asks for my credentials, or do I need to set a domain name in the virtual controller? Could it be a problem with the server certificate, or the CA certificate? Are there ways to troubleshoot if that is the problem? Or does someone have other suggestions?

Guru Elite
Posts: 21,021
Registered: ‎03-29-2007

Re: Internal radius server authentication problem


If you have not already, try to connect with an iPhone and see the server certificate that is presented to the user and make sure it matches your uploaded cert.

 

WAIT... did you say a wildcard certificate?  Clients FREQUENTLY have issues with 802.1x when the server certificate is a wildcard.  I would get a temporary certificate just to confirm that is what is happening.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

ssh
Occasional Contributor I
Posts: 5
Registered: ‎08-26-2012

Re: Internal radius server authentication problem

Do you know if there are any test certificates available from which I can be sure that they work?

 

I also haven't set a domain name anywhere in the virtual controller settings; is that needed? I saw the enterprise domain option in the settings, but have left it blank.

 

Thanks

Guru Elite
Posts: 21,021
Registered: ‎03-29-2007

Re: Internal radius server authentication problem


Verisign used to have a 3 day cert. Not sure if they do anymore.

 

Yes, they do:  http://www.symantec.com/pop.jsp?popupid=try_a_ssl_certificate





Colin Joseph
Aruba Customer Engineering


MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Internal radius server authentication problem


Hello SSH

Do you have an internal CA? Because if you do, you could just request a new certificate for that server using the computer certificate template... and use that certificate... This certificate should not give you any issue in this deployment!

As all your domain computers trust the root that issued that certificate, you should be all good to go...

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
ssh
Occasional Contributor I
Posts: 5
Registered: ‎08-26-2012

Re: Internal radius server authentication problem

I actually do not have an internal CA, I manually upload the certificates for use on the webserver etc. And the devices that are connecting to the wireless network are not part of a domain.

Guru Elite
Posts: 21,021
Registered: ‎03-29-2007

Re: Internal radius server authentication problem

Windows 7 devices in specific just don't like wildcard certificates for 802.1x: http://www.mdmarra.com/2011/10/8021x-peap-nps-wildcard-certificates.html

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Internal radius server authentication problem

Well, that's good info, thanks Colin!

It's good to know that!

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
ssh
Occasional Contributor I
Posts: 5
Registered: ‎08-26-2012

Re: Internal radius server authentication problem

I think I'll just try a single domain certificate. Will a single domain certificate without company information be enough? Or do I need one that besides the domain validation also validates my company?

ssh
Occasional Contributor I
Posts: 5
Registered: ‎08-26-2012

Re: Internal radius server authentication problem

Just ordered a single domain certificate, used openssl to convert it, uploaded it, and it works like a charm! Thanks for all your tips, it saved me a lot of trouble, and the certificate only costs me $20,- for two years. Thanks!
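
A way to check a certificate for wildcard names before uploading it for 802.1X, added here as an example and not part of the original thread. It parses the text printed by `openssl x509 -in <cert> -noout -text`; the function names, the sample output and the host names in it are constructed placeholders.

```python
import re
import sys

# Constructed samples: abridged `openssl x509 -noout -text` output.
# The host names are placeholders, not values from the thread.
SAMPLE_WILDCARD = """\
Certificate:
    Data:
        Issuer: C = GB, O = Example CA, CN = Example Issuing CA
        Subject: OU = Domain Control Validated, CN = *.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.example.test, DNS:example.test
"""
SAMPLE_SINGLE = SAMPLE_WILDCARD.replace("*.example.test", "radius.example.test")


def cert_names(text):
    """Return (subject CN, [SAN DNS names]) from openssl's text dump."""
    # Anchor on the "Subject:" line so the issuer's CN is never picked up.
    # Handles "CN = x" (OpenSSL 1.1+) and "CN=x" or "/CN=x" (older builds).
    m = re.search(r"^[ \t]*Subject:.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    cn = m.group(1).strip() if m else None
    sans = re.findall(r"\bDNS:([^,\s]+)", text)
    return cn, sans


def wildcard_names(text):
    """List every certificate name whose leftmost label contains '*'."""
    cn, sans = cert_names(text)
    found = []
    for name in ([cn] if cn else []) + sans:
        if "*" in name.split(".")[0] and name not in found:
            found.append(name)
    return found


if __name__ == "__main__":
    # Usage: openssl x509 -in server.pem -noout -text | python3 check.py
    text = SAMPLE_WILDCARD if sys.stdin.isatty() else sys.stdin.read()
    hits = wildcard_names(text)
    if hits:
        print("wildcard names found (clients often reject these for 802.1X):",
              ", ".join(hits))
        sys.exit(1)
    print("no wildcard names in subject CN or SAN")
```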