08-24-2013 09:55 AM
I have two issues that I am hoping to get some help for. I have set up a RADIUS server through Windows Server 2012, and changed my Aruba IAPs to authenticate through it. That part is working.
- The first issue is one of certificates. I installed the certificate services on Windows Server, but I don't know how to associate a certificate with my Aruba system. So, when users log on it displays "this is not a trusted network..." but if they click "yes" it lets them on.
- The second issue is Apple products. Since they aren't on the domain, RADIUS is not letting them authenticate, even when they manually enter their AD credentials.
I hope these two issues are somehow related, and I appreciate any help the community can offer.
08-24-2013 10:07 AM
it will allow you to select the cert to use.
2) sounds like you only have Domain Computers in your access policy in NPS. Add another specific user group or you can use Domain Users to allow
08-26-2013 08:59 AM - edited 08-26-2013 09:03 AM
Thanks for the reply, Tim.
I am new to NPS, and am wondering if you can walk me through this in a little bit more detail. I have my Network Policy Server dialog/snap-in open now. On the left menu it has
>RADIUS clients and servers
>Network access protection
- In RADIUS clients and servers, I have added the Aruba management IP as well as all of the IPs of my access points (is this correct?)
- Under Policies, there are three options Connection Request Policies, Network Policies, and Health Policies
- Under Connection Request Policies I have two policies, Secure Wireless Connections, and Use Windows Authentication for All Users
- Under Network Policies I have Secure Wireless Connections and one I just created based on your reply that is called Domain Users under which I have a condition that allows all domain user groups access (I think).
So do I need to have this second policy that allows domain user groups, or can I just add it as a condition to my existing policy?
08-26-2013 09:14 AM - edited 08-26-2013 09:50 AM
You should make a second policy and add the Domain Users group. If you ever add policies in the future, you'll probably want them above Domain Users, since all users tend to be in that group and it will trump the others if it's at the top.
More details on configuration:
You should have a connection request policy for each 802.1x authenticator type (controller, IAP, switch).
In that connection request policy, you should add conditions that are unique to those devices such as NAS IP or NAS Identifier (both are sent by the authenticator device).
When you set the EAP type in the Connection Request Policy and click the override network policy authentication settings checkbox, this EAP type will trump those set in individual network policies (where you will classify users by group). I would suggest doing this as it will make configuration a bit quicker (you don't have to set it on each individual policy).
For EAP type, select Microsoft: Protected EAP (PEAP) and then select your cert from the drop down.
Now you can go into the Network Policies and create conditions based on groups. (You can create a single policy with multiple groups, but it is generally easier to do individual ones for troubleshooting / deciphering logs).
Policy 1: IT Staff
Conditions > User Groups = DOMAIN\Domain Admins
Settings > RADIUS Attributes > Standard > Filter-id = itstaff
Policy 2: All Domain Users
Conditions > User Groups = DOMAIN\Domain Users
(it will default to allow access if nothing else is set)
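The policy conditions and settings Tim lists above (NAS IP / NAS Identifier / NAS Port Type on the request, Filter-Id on the accept) are plain RADIUS attributes on the wire. As an added illustration that is not part of this thread or of any Aruba or Microsoft code, the Python below (standard library only) builds the Access-Request an access point would send, builds the Access-Accept NPS would answer with, and shows the check the authenticator must do before honouring the reply: recomputing the Response Authenticator with the shared secret. Every address, name and secret is constructed for the example. It goes slightly beyond the post in that it also shows a reply failing that check; a real PEAP exchange additionally carries EAP-Message and Message-Authenticator attributes, which are left out here.

```python
"""Constructed example: the RADIUS attributes behind the NPS policy conditions
above, plus the Response Authenticator check (RFC 2865). All values are made up."""
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and standard attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, FILTER_ID = 1, 4, 11
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19   # "Wireless - IEEE 802.11" in the NPS UI


def encode_attrs(attrs):
    """attrs: list of (type, bytes) -> TLV-encoded attribute block."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for a single AVP")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob):
    """Parse an attribute block into [(type, bytes)]; reject bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(ident, authenticator, username, nas_ip, nas_id):
    """What an 802.1X authenticator (e.g. an IAP) sends: the NAS attributes
    a connection request policy can match on, plus the user name."""
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_IDENTIFIER, nas_id.encode()),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_access_accept(ident, request_authenticator, secret, attrs):
    """What the RADIUS server answers when a network policy grants access."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_authenticator, secret, expected_ident):
    """Return the decoded attributes if the reply is well-formed, matches the
    outstanding request ID and carries a valid Response Authenticator; else None.
    This is what keeps a forged or tampered Access-Accept from being honoured."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return decode_attrs(body)


def demo():
    """Round trip with constructed values; returns (Filter-Id seen, result under wrong secret)."""
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)                      # Request Authenticator: random per request
    req = build_access_request(7, req_auth, "DOMAIN\\alice", "192.0.2.10", "iap-floor1")
    req_attrs = dict(decode_attrs(req[20:]))
    # A connection request policy would classify on these; a network policy
    # then maps the account's group to the Filter-Id returned below.
    assert struct.unpack("!I", req_attrs[NAS_PORT_TYPE])[0] == NAS_PORT_TYPE_WIRELESS_80211
    reply = build_access_accept(7, req_auth, secret, [(FILTER_ID, b"itstaff")])
    good = verify_response(reply, req_auth, secret, 7)
    forged = verify_response(reply, req_auth, b"wrong-secret", 7)
    return dict(good)[FILTER_ID].decode(), forged


if __name__ == "__main__":
    print(demo())
```

The Filter-Id value (`itstaff` in Tim's Policy 1) is what the Aruba side maps to a user role; nothing in the packet enforces it, so the authenticator has to trust the server, and that trust rests on the shared secret check in `verify_response`. Keep the secret long and unique per RADIUS client for that reason.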
08-26-2013 09:43 AM
Thanks so much for your help!
So, under Policies > Connection Request Policies, I have two policies (see screenshot above)
1. Secure Wireless Connections
2. Use Windows authentication for all users
Under Secure Wireless Connections, under settings and Authentication Methods, I should check the Override box, add Microsoft PEAP, and click Edit. Now I have two choices for certificate, SERVER.DOMAIN.NET and DOMAIN-SERVER-CA. Which should I use?
Should I do the same for Use Windows authentication for all users?
08-26-2013 09:49 AM
Sounds like you want the SERVER.DOMAIN.NET. This cert will be presented to the client and the user will click to accept it.
08-26-2013 09:52 AM
Okay, so is the Connection Request Policies area where I add Domain Users as a condition? (Right now all that is there is NAS Port Type --- Wireless - IEEE 802.11.)
Or, do I add it under Network Policies, where it currently is?
08-26-2013 10:07 AM
The Connection Request Policies are more of a "categorize the request" policies, whereas the Network Policies are to make policy decisions based on the account.
08-26-2013 10:10 AM
So if I have PEAP enabled, do I need to check any of the methods under "Less secure authentication methods?"
Remember I am trying to make it so that both Windows and Mac devices can authenticate (they all have domain accounts).
08-26-2013 10:15 AM
If EAP-MSCHAP v2 is selected under the Protected EAP (PEAP) options, then you do not need any of the "less secure options".