Occasional Contributor I
Posts: 5
Registered: ‎11-29-2012

Machine authentication on 3200 ArubaOS 6.1.2.3

Hey,

I've been fighting with setting up 802.1x on our wireless network the past few days.

I'm trying to authenticate systems and users via RADIUS (Server 2008 R2 IAS). Part of this solution is working. I am able to access my network using my windows domain user/password.

However, I'm not being assigned the correct role on the Aruba controller. It just gives me the guest role with the NoLocalAccess policy attached to it. I wrote that to be a quite strict policy, so basically all I can do is access the internet through our gateway.

I'm getting these errors.

Nov 29 11:58:53 localdb[1568]: <133019> <ERRS> |localdb| User 00:1d:e0:98:71:05 was not found in the database
Nov 29 11:58:53 localdb[1568]: <133006> <ERRS> |localdb| User 00:1d:e0:98:71:05 Failed Authentication
Nov 29 11:58:54 localdb[1568]: <133019> <ERRS> |localdb| User 00:1d:e0:98:71:05 was not found in the database
Nov 29 11:58:54 localdb[1568]: <133006> <ERRS> |localdb| User 00:1d:e0:98:71:05 Failed Authentication
Nov 29 11:58:59 authmgr[1565]: <124006> <WARN> |authmgr| {644} TCP srcip=10.1.1.76 srcport=4258 dstip=10.1.1.26 dstport=13000, action=deny, role=guest, policy=NoLocalAccess

So, what config have I set up?

I've got 2 User Roles: PurnaPC and PurnaUser. Both are set to the allowall firewall policy.

The RADIUS server is configured in a Server Group called ISA and has one rule applied.

  • Attribute: Class
  • Operation: value-of
  • Type: string
  • Action: set role

My 802.1X Authentication Profile (dot1x) has the following settings

  • Enforce Machine authentication: Enabled
  • Machine Auth: Default Machine Role: PurnaPC
  • Machine Auth: Default User Role: guest

Moving on to AAA profiles. My profile aaa_dot1x contains the following settings

  • Initial role: login (this was default)
  • MAC Authentication Default Role: PurnaPC
  • 802.1X Authentication Default Role: PurnaUser
  • The 802.1X authentication profile is set to the above dot1x
  • 802.1X Authentication server group: ISA

On that RADIUS server there are 2 Network Policies active. One is Wireless-PurnaPC and the other is Wireless-PurnaUser.

The condition on Wireless-PurnaPC (processing order 1) is set to Domain Computers, and it is set to return the Class attribute PurnaPC. The condition on Wireless-PurnaUser (processing order 2) is Domain Users; this one is also set to return the Class attribute PurnaUser.

Can anybody tell me what I've done wrong or where I have to look? I've gone over the settings a thousand times and I'm beginning to feel quite lost.

Guru Elite
Posts: 19,949
Registered: ‎03-29-2007

Re: Machine authentication on 3200 ArubaOS 6.1.2.3

Uncheck "Enforce Machine Authentication" in the 802.1x profile. RADIUS attributes are ignored when you have "Enforce Machine Authentication" checked UNLESS a device has passed both user AND machine authentication.

There is no way to check BOTH the user and machine status from Windows 2008 server.

What are you trying to do?

Colin Joseph
Aruba Customer Engineering

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
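The role-selection behaviour described in the reply above, as an added example that is not ArubaOS code and not something either poster wrote. It models the controller's choice of role for a client that has (or has not) passed machine and user authentication, using the profile names and roles from the thread (dot1x default machine role PurnaPC, default user role guest, AAA 802.1X default role PurnaUser, Class attribute mapped to role by the ISA server-group rule). The boolean inputs, the `server_rule_sets_role` flag and the function names are assumptions for illustration; with enforcement on and only the user authenticated, the result is the guest role the original poster saw, and unchecking enforcement lets the Class attribute win.

```python
"""Model of ArubaOS 802.1X role selection with "Enforce Machine Authentication".

Added example, not ArubaOS code. It encodes the behaviour described in the reply:
with enforcement on, the server-derived role (here the RADIUS Class attribute)
is only honoured once the device has passed BOTH machine and user authentication;
otherwise the dot1x profile's default machine role / default user role applies.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Dot1xProfile:
    enforce_machine_auth: bool   # "Enforce Machine authentication" checkbox
    default_machine_role: str    # "Machine Auth: Default Machine Role"
    default_user_role: str       # "Machine Auth: Default User Role"


@dataclass(frozen=True)
class AaaProfile:
    dot1x_default_role: str      # "802.1X Authentication Default Role"


@dataclass(frozen=True)
class AuthResult:
    machine_auth_passed: bool    # computer account authenticated (assumed input)
    user_auth_passed: bool       # user account authenticated (assumed input)
    radius_class: Optional[str]  # Class attribute returned by the RADIUS server, if any


def derive_role(dot1x: Dot1xProfile, aaa: AaaProfile, result: AuthResult,
                server_rule_sets_role: bool = True) -> Optional[str]:
    """Return the role the client lands in, or None if authentication failed.

    server_rule_sets_role models the server-group rule
    "Class, value-of, string, set role" from the thread (assumption).
    """
    if not result.user_auth_passed and not result.machine_auth_passed:
        return None  # nothing authenticated: no 802.1X role at all

    if dot1x.enforce_machine_auth:
        if result.machine_auth_passed and not result.user_auth_passed:
            # Machine passed, user not (yet): default machine role, attributes ignored.
            return dot1x.default_machine_role
        if result.user_auth_passed and not result.machine_auth_passed:
            # User passed but machine never did: default user role, attributes ignored.
            return dot1x.default_user_role
        # Both passed: fall through, server-derived role is honoured.

    if server_rule_sets_role and result.radius_class:
        return result.radius_class
    return aaa.dot1x_default_role


# Constructed scenarios using the thread's profile values.
THREAD_DOT1X = Dot1xProfile(enforce_machine_auth=True,
                            default_machine_role="PurnaPC",
                            default_user_role="guest")
THREAD_AAA = AaaProfile(dot1x_default_role="PurnaUser")
FIXED_DOT1X = Dot1xProfile(enforce_machine_auth=False,
                           default_machine_role="PurnaPC",
                           default_user_role="guest")


def scenarios() -> dict:
    """Role outcome for each constructed scenario, keyed by a short label."""
    user_only = AuthResult(machine_auth_passed=False, user_auth_passed=True,
                           radius_class="PurnaUser")
    machine_only = AuthResult(machine_auth_passed=True, user_auth_passed=False,
                              radius_class="PurnaPC")
    both = AuthResult(machine_auth_passed=True, user_auth_passed=True,
                      radius_class="PurnaUser")
    return {
        "enforce_on_user_only": derive_role(THREAD_DOT1X, THREAD_AAA, user_only),
        "enforce_on_machine_only": derive_role(THREAD_DOT1X, THREAD_AAA, machine_only),
        "enforce_on_both": derive_role(THREAD_DOT1X, THREAD_AAA, both),
        "enforce_off_user_only": derive_role(FIXED_DOT1X, THREAD_AAA, user_only),
        "enforce_on_both_no_class": derive_role(
            THREAD_DOT1X, THREAD_AAA,
            AuthResult(machine_auth_passed=True, user_auth_passed=True, radius_class=None)),
    }


if __name__ == "__main__":
    for label, role in scenarios().items():
        print(f"{label:28s} -> {role}")
```

The first scenario reproduces the symptom in the original post: enforcement on, the domain user authenticates, the computer account never does, so the Class attribute PurnaUser is discarded and the client gets the default user role guest. The fourth scenario is the suggested fix (enforcement unchecked), where the same exchange yields PurnaUser. The last scenario shows the fallback to the AAA profile's 802.1X default role when the server returns no Class attribute.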
Occasional Contributor I
Posts: 5
Registered: ‎11-29-2012

Re: Machine authentication on 3200 ArubaOS 6.1.2.3

The basic idea was to set up 802.1x. I started following the example described in the ArubaOS manual.

I've got it working now; apparently I was using the wrong policies on the RADIUS server. Using a document I found in one of the other threads concerning 802.1x got my setup working.
