Hey,
I've been fighting with setting up 802.1x on our wireless network the past few days.
I'm trying to authenticate systems and users via RADIUS (Server 2008 R2 IAS). Part of this solution is working. I am able to access my network using my windows domain user/password.
However, I'm not being assigned the correct role on the Aruba controller. It just gives me the guest role with the NoLocalAccess policy attached to it. I wrote that to be a quite strict policy, so basically all I can do is access the internet through our gateway.
I'm getting these errors.
Nov 29 11:58:53 | localdb[1568]: <133019> <ERRS> |localdb| User 00:1d:e0:98:71:05 was not found in the database |
Nov 29 11:58:53 | localdb[1568]: <133006> <ERRS> |localdb| User 00:1d:e0:98:71:05 Failed Authentication |
Nov 29 11:58:54 | localdb[1568]: <133019> <ERRS> |localdb| User 00:1d:e0:98:71:05 was not found in the database |
Nov 29 11:58:54 | localdb[1568]: <133006> <ERRS> |localdb| User 00:1d:e0:98:71:05 Failed Authentication |
Nov 29 11:58:59 | authmgr[1565]: <124006> <WARN> |authmgr| {644} TCP srcip=10.1.1.76 srcport=4258 dstip=10.1.1.26 dstport=13000, action=deny, role=guest, policy=NoLocalAccess |
So, what config have I set up?
I've got 2 User Roles: PurnaPC and PurnaUser. Both are set to the allowall firewall policy.
The RADIUS server is configured in a Server Group called ISA and has one rule applied.
- Attribute: Class
- Operation: value-of
- Type: string
- Action: set role
My 802.1X Authentication Profile (dot1x) has the following settings:
- Enforce Machine authentication: Enabled
- Machine Auth: Default Machine Role: PurnaPC
- Machine Auth: Default User Role: guest
Moving on to AAA profiles. My profile aaa_dot1x contains the following settings:
- Initial role: login (this was default)
- MAC Authentication Default Role: PurnaPC
- 802.1X Authentication Default Role: PurnaUser
- The 802.1X authentication profile is set to the above dot1x
- 802.1X Authentication server group: ISA
On that RADIUS server there are 2 Network Policies active. One is Wireless-PurnaPC and the other is Wireless-PurnaUser.
The condition on Wireless-PurnaPC (processing order 1) is set to Domain Computers and is set to return the Class attribute PurnaPC. The condition on Wireless-PurnaUser (processing order 2) is Domain Users, this one is also set to return the Class attribute PurnaUser.
Can anybody tell me what I've done wrong or where I have to look? I've gone over the settings a thousand times and I'm beginning to feel quite lost.
#3200
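An added example, not part of the post above: it pulls the failed localdb lookups and the authmgr deny events out of log lines of the kind quoted above, and models which role the controller ends up applying for the four machine-auth/user-auth outcomes when "Enforce Machine authentication" is enabled. The role matrix is the one Aruba documents for that setting and is an assumption here (the post does not confirm it); the profile values plugged in are the ones listed in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample, copied in the format of the controller output quoted above.
SAMPLE_LOG = """\
Nov 29 11:58:53 | localdb[1568]: <133019> <ERRS> |localdb| User 00:1d:e0:98:71:05 was not found in the database |
Nov 29 11:58:53 | localdb[1568]: <133006> <ERRS> |localdb| User 00:1d:e0:98:71:05 Failed Authentication |
Nov 29 11:58:59 | authmgr[1565]: <124006> <WARN> |authmgr| {644} TCP srcip=10.1.1.76 srcport=4258 dstip=10.1.1.26 dstport=13000, action=deny, role=guest, policy=NoLocalAccess |
"""

LOCALDB_FAIL = re.compile(r"\|localdb\| User (?P<mac>[0-9a-f:]{17}) Failed Authentication")
AUTHMGR_DENY = re.compile(r"srcip=(?P<src>\S+) .*action=deny, role=(?P<role>\w+), policy=(?P<policy>\w+)")

def parse_events(log: str) -> dict:
    """Collect MACs that failed internal-db auth and (src, role, policy) of denied flows."""
    failed_macs, denies = set(), []
    for line in log.splitlines():
        if m := LOCALDB_FAIL.search(line):
            failed_macs.add(m["mac"])
        elif m := AUTHMGR_DENY.search(line):
            denies.append((m["src"], m["role"], m["policy"]))
    return {"failed_macs": sorted(failed_macs), "denies": denies}

@dataclass
class Dot1xProfile:
    enforce_machine_auth: bool
    default_machine_role: str   # Machine Auth: Default Machine Role
    default_user_role: str      # Machine Auth: Default User Role
    dot1x_default_role: str     # AAA profile: 802.1X Authentication Default Role
    initial_role: str           # AAA profile: Initial role

def derive_role(p: Dot1xProfile, machine_ok: bool, user_ok: bool, server_role=None) -> str:
    """Role applied per the assumed Aruba enforce-machine-auth matrix.
    server_role is a role derived from the RADIUS Class attribute, if any."""
    if not p.enforce_machine_auth:
        return (server_role or p.dot1x_default_role) if user_ok else p.initial_role
    if machine_ok and user_ok:
        return server_role or p.dot1x_default_role
    if machine_ok:                 # machine passed, user failed
        return p.default_machine_role
    if user_ok:                    # machine failed, user passed: server-derived role not applied
        return p.default_user_role
    return p.initial_role
```

With the post's values (Default User Role = guest), a client whose machine authentication fails but whose user authentication succeeds lands in guest regardless of the Class attribute returned, which is the outcome the log shows.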