Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Microsoft RADIUS; CA; Apple products

  • 1.  Microsoft RADIUS; CA; Apple products

    Posted Aug 24, 2013 12:56 PM

    I have two issues that I am hoping to get some help for. I have set up a RADIUS server through Windows Server 2012, and changed my Aruba IAPs to authenticate through it. That part is working.

     

    • The first issue is one of certificates. I installed the certificate services on Windows Server, but I don't know how to associate a certificate with my Aruba system. So, when users log on it displays "this is not a trusted network..." but if they click "yes" it lets them on.
    • The second issue is Apple products. Since they aren't on the domain, RADIUS is not letting them authenticate, even when they manually enter their AD credentials.

     

    I hope these two issues are somehow related, and I appreciate any help the community can offer.

     

    Thanks!



  • 2.  RE: Microsoft RADIUS; CA; Apple products
    Best Answer

    EMPLOYEE
    Posted Aug 24, 2013 01:08 PM
    1) In your policies in NPS, specify an authentication type of EAP-PEAP and
    it will allow you to select the cert to use.

    2) sounds like you only have Domain Computers in your access policy in
    NPS. Add another specific user group or you can use Domain Users to allow
    everyone.


  • 3.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 26, 2013 11:59 AM

    Thanks for the reply, Tim.

     

    I am new to NPS, and am wondering if you can walk me through this in a little bit more detail. I have my Network Policy Server dialog/snap-in open now. On the left menu it has

    >RADIUS clients and servers

    >Policies

    >Network access protection

    >Accounting

    >Templates management

     

    • In RADIUS clients and servers, I have added the Aruba management IP as well as all of the IPs of my access points (is this correct?)
    • Under Policies, there are three options Connection Request Policies, Network Policies, and Health Policies
    1. Under Connection Request Policies I have two policies, Secure Wireless Connections, and Use Windows Authentication for All Users
    2. Under Network Policies I have Secure Wireless Connections and one I just created based on your reply that is called Domain Users under which I have a condition that allows all domain user groups access (I think).

    So do I need to have this second policy that allows domain user groups, or can I just add it as a condition to my existing policy?

     

    [screenshot: 1.jpg]

    [screenshot: 2.jpg]

    [screenshot: 3.jpg]



  • 4.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 26, 2013 12:15 PM

    You should make a second policy and add the Domain Users group. If you ever add policies in the future, you'll probably want them above Domain Users since all users tend to be in that group and it will trump the others if it's at the top.

     

     

    More details on configuration:

     

    You should have a connection request policy for each 802.1x authenticator type (controller, IAP, switch).

    In that connection request policy, you should add conditions that are unique to those devices such as NAS IP or NAS Identifier (both are sent by the authenticator device).

     

    When you set the EAP type in the Connection Request Policy and click the override network policy authentication settings checkbox, this EAP type will trump those set in individual network policies (where you will classify users by group). I would suggest doing this as it will make configuration a bit quicker (you don't have to set it on each individual policy).

     

    For EAP type, select Microsoft: Protected EAP (PEAP) and then select your cert from the drop down.

     

     

     

    Now you can go into the Network Policies and create conditions based on groups. (You can create a single policy with multiple groups, but it is generally easier to do individual ones for troubleshooting / deciphering logs).


    For example:

     

    Policy 1: IT Staff

    Conditions > User Groups = DOMAIN\Domain Admins

    Settings > RADIUS Attributes > Standard > Filter-id = itstaff

     

    Policy 2: All Domain Users

    Conditions > User Groups = DOMAIN\Domain Users

    (it will default to allow access if nothing else is set)

     

     

     

     
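The two-stage evaluation described in this post (a connection request policy that categorizes the request by authenticator and pins the EAP type, then network policies tried in processing order with the first full match winning) can be modelled in a few dozen lines. The following is an added example written for this page, not NPS code or anything from the original posts; the policy names follow the post, while the NAS-Identifier, IP addresses, user names, group names and Filter-Id strings are made up. It also covers the two failure modes the thread runs into: a machine-only policy that rejects Mac users who authenticate with a user account, and a Domain Users catch-all placed above the more specific IT Staff policy.

```python
"""First-match model of NPS policy evaluation (added example; not NPS code).

A connection request policy (CRP) categorizes the request by authenticator
and pins the EAP type; network policies (NPs) are then tried in processing
order and the first one whose conditions all match decides the outcome and
the RADIUS attributes returned.  All names and addresses are illustrative.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    groups: frozenset                 # AD groups the authenticating account belongs to
    nas_identifier: str
    nas_ip: str
    nas_port_type: str = "Wireless - IEEE 802.11"


@dataclass
class Policy:
    name: str
    conditions: dict                  # attribute -> required value, or a set of groups
    attributes: dict = field(default_factory=dict)   # RADIUS attributes returned on match
    eap_type: str = ""                # CRP only: overrides the NPs' authentication settings


def matches(policy, req):
    """Every condition must hold; a 'groups' condition holds if any listed group matches."""
    for attr, want in policy.conditions.items():
        have = getattr(req, attr)
        if attr == "groups":
            if not (set(want) & set(have)):
                return False
        elif have != want:
            return False
    return True


def evaluate(crps, nps, req):
    """Return the decision NPS would reach for one Access-Request."""
    crp = next((p for p in crps if matches(p, req)), None)
    if crp is None:
        return {"result": "reject", "reason": "no matching connection request policy"}
    np = next((p for p in nps if matches(p, req)), None)
    if np is None:
        return {"result": "reject", "crp": crp.name, "reason": "no matching network policy"}
    return {"result": "accept", "crp": crp.name, "policy": np.name,
            "eap_type": crp.eap_type, "attributes": dict(np.attributes)}


# --- sample configuration laid out as in the post (values are made up) -------------
CRPS = [
    Policy("IAP wireless", {"nas_identifier": "iap-cluster-1",
                            "nas_port_type": "Wireless - IEEE 802.11"},
           eap_type="Microsoft: Protected EAP (PEAP)"),
    Policy("Controller wireless", {"nas_ip": "10.0.0.2"},
           eap_type="Microsoft: Protected EAP (PEAP)"),
]
IT_STAFF = Policy("IT Staff", {"groups": {"DOMAIN\\Domain Admins"}}, {"Filter-Id": "itstaff"})
ALL_USERS = Policy("All Domain Users", {"groups": {"DOMAIN\\Domain Users"}})
DOMAIN_PCS = Policy("Domain-joined PCs", {"groups": {"DOMAIN\\Domain Computers"}})

NPS_CORRECT = [IT_STAFF, ALL_USERS]       # most specific first
NPS_WRONG = [ALL_USERS, IT_STAFF]         # catch-all on top swallows every admin
NPS_MACHINES_ONLY = [DOMAIN_PCS]          # the original poster's starting point

ADMIN = Request("alice", frozenset({"DOMAIN\\Domain Users", "DOMAIN\\Domain Admins"}),
                nas_identifier="iap-cluster-1", nas_ip="10.0.0.10")
MAC_USER = Request("bob", frozenset({"DOMAIN\\Domain Users"}),   # Mac: user creds, no machine account
                   nas_identifier="iap-cluster-1", nas_ip="10.0.0.10")
UNKNOWN_NAS = Request("bob", frozenset({"DOMAIN\\Domain Users"}),
                      nas_identifier="rogue", nas_ip="192.0.2.9")

if __name__ == "__main__":
    print("admin, correct order :", evaluate(CRPS, NPS_CORRECT, ADMIN))
    print("admin, catch-all first:", evaluate(CRPS, NPS_WRONG, ADMIN))
    print("mac user, machines only:", evaluate(CRPS, NPS_MACHINES_ONLY, MAC_USER))
    print("mac user, with Domain Users:", evaluate(CRPS, NPS_CORRECT, MAC_USER))
    print("unknown NAS:", evaluate(CRPS, NPS_CORRECT, UNKNOWN_NAS))
```

With the catch-all first, the admin still gets in, but without the `Filter-Id` the IT Staff policy was supposed to return, which is exactly why the post says to order policies most specific to least specific. The machines-only list rejects the Mac user with "no matching network policy", the symptom from the first post.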



  • 5.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 26, 2013 12:43 PM

    Tim,

     

    Thanks so much for your help!

     

    So, under Policies > Connection Request Policies, I have two policies (see screenshot above)

     

    1. Secure Wireless Connections

    2. Use Windows authentication for all users

     

    Under Secure Wireless Connections, under settings and Authentication Methods, I should check the Override box, add Microsoft PEAP, and click Edit. Now I have two choices for certificate, SERVER.DOMAIN.NET and DOMAIN-SERVER-CA. Which should I use?

     

    Should I do the same for Use Windows authentication for all users?

     

     



  • 6.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 26, 2013 12:50 PM

    Sounds like you want the SERVER.DOMAIN.NET. This cert will be presented to the client and the user will click to accept it.



  • 7.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 26, 2013 12:52 PM

    Hi Tim,

     

    Okay, so is the Connection Request Policies area where I add Domain Users as a condition (right now all that is there is NAS Port Type --- Wireless - IEEE802.11)

     

    Or, do I add it under Network Policies, where it currently is?



  • 8.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 26, 2013 01:07 PM

    Network Policies.

     

    The Connection Request Policies are more of a "categorize the request" policies, whereas the Network Policies are to make policy decisions based on the account.



  • 9.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 26, 2013 01:11 PM

    Thanks, Tim.

     

    So if I have PEAP enabled, do I need to check any of the methods under "Less secure authentication methods?"

     

    Remember I am trying to make it so that both Windows and Mac devices can authenticate (they all have domain accounts).

     

    [screenshot: 4.jpg]



  • 10.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 26, 2013 01:16 PM

    If EAP-MSCHAP v2 is selected under the Protected EAP (PEAP) options, then you do not need any of the "less secure options".

     

    [screenshot: peap-nps.png]



  • 11.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 26, 2013 01:26 PM

    And did you say that my "Domain Users" policy should be processing order 1, over Secure Wireless Connections?



  • 12.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 26, 2013 01:43 PM

    It should be ordered most specific to least specific. What is the condition set in "Secure Wireless Connections"?



  • 13.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 26, 2013 03:13 PM

    Hi Tim,

     

    The condition on "Secure Wireless Connection" is NAS Port Type



  • 14.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 26, 2013 04:43 PM

    I would put the new policy above that one.



  • 15.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 26, 2013 04:52 PM

    I am having a heck of a time here. I have checked and double checked my settings on NAP, and I cannot authenticate from my Windows AD-joined machine.

     

    First, it says "Windows cannot verify this server's identity" (certificate issue), and I choose "connect anyway"

     

    It asks for my credentials, I input my domain/user credentials, and it says "Windows cannot connect to this network". 

     

    --On the NPS server--

     

    Under Connection Request properties and the conditions tab, I have NAS-Port Type Wireless 802.11

     

    In this same policy, under the settings tab, I have the override box checked, and Microsoft PEAP with a certificate of Servername.domain.net and protection mode as Secured Password (EAP-MSCHAPv2)

     

    Under Network Policies, I have a policy called "All Domain Users" with a condition of "User Groups, DOMAIN\Domain Users" and have verified that my AD account is part of that user group.

     

    In this same policy, under the constraints tab, I have Microsoft PEAP with a certificate of Servername.domain.net and protection mode as Secured Password (EAP-MSCHAPv2)

     

    I'm not sure what is going on. Can you think of anything else I can check?

     

     



  • 16.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 26, 2013 05:06 PM

    @Megacles wrote:

    I am having a heck of a time here. I have checked and double checked my settings on NAP, and I cannot authenticate from my Windows AD-joined machine.

     

    First, it says "Windows cannot verify this server's identity" (certificate issue), and I choose "connect anyway"

     

    It asks for my credentials, I input my domain/user credentials, and it says "Windows cannot connect to this network". 

     

    --On the NPS server--

     

    Under Connection Request properties and the conditions tab, I have NAS-Port Type Wireless 802.11

     

    In this same policy, under the settings tab, I have the override box checked, and Microsoft PEAP with a certificate of Servername.domain.net and protection mode as Secured Password (EAP-MSCHAPv2)

     

    Under Network Policies, I have a policy called "All Domain Users" with a condition of "User Groups, DOMAIN\Domain Users" and have verified that my AD account is part of that user group.

     

    In this same policy, under the constraints tab, I have Microsoft PEAP with a certificate of Servername.domain.net and protection mode as Secured Password (EAP-MSCHAPv2)

     

    I'm not sure what is going on. Can you think of anything else I can check?

     

     


    Megacles,

     

    Try this:

     

    On the Windows client WLAN configuration, try to Uncheck "Validate Server Certificate" under PEAP and see if it works...

     

    If it does, we can take it in a specific direction after that.



  • 17.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 26, 2013 05:11 PM

    Also take a look in event viewer and see if the request is there.

     

    Event Viewer > Custom Views > Server Roles > Network Policy and Access Services

     

    [screenshot: eventviewernps.PNG]



  • 18.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 26, 2013 05:35 PM

    Thank you both for your help.

     

    I unchecked the "verify certificate" option in PEAP and it just skips to "Windows Cannot Connect to this Network" after putting in my AD credentials.

     

    Here is a screenshot of my event log. Nothing unusual--everything says that Windows granted access.

     

    [screenshot: npslog1.jpg]
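The check suggested two posts up (Event Viewer, Network Policy and Access Services) is where the thread's diagnosis turns: NPS logs an audit event per request, 6272 when it grants access and 6273 when it denies, and the event body names the connection request policy and network policy that matched plus a reason code. When every event says "granted" but the client still cannot connect, the problem is not on NPS; it is between the authenticator and the client, which is what the original poster eventually found (EAP termination on the IAP). The following triage script is an added example written for this page, not Microsoft or Aruba code. The event XML is constructed to resemble Event Viewer's XML view, the user, NAS and MAC values are made up, and the reason-code table is a partial one covering only codes I am confident of (NPS documents the full list).

```python
"""Triage NPS audit events 6272/6273 (added example; not Microsoft or Aruba code).

Parses events in the Windows event XML layout, groups them by client MAC
(Calling-Station-ID) and says where to look next.  Sample events below are
constructed; names, NAS identifier and MAC addresses are made up.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_GRANTED, EVENT_DENIED = 6272, 6273

# Partial reason-code table: only codes the example's author is confident of.
REASONS = {
    0: "success",
    16: "user credentials mismatch",
    48: "request matched no network policy",
    49: "request matched no connection request policy",
    65: "account dial-in permission is Deny",
    66: "authentication method not enabled on the matching network policy",
}


def _event(event_id, **data):
    """Build one constructed event in Windows event XML form (test data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


SAMPLE_EVENTS = [
    _event(EVENT_GRANTED, SubjectUserName="jdoe", NASIdentifier="iap-lobby",
           CallingStationID="00-11-22-33-44-55", ProxyPolicyName="Secure Wireless Connections",
           NetworkPolicyName="All Domain Users", ReasonCode="0"),
    _event(EVENT_DENIED, SubjectUserName="mac-user", NASIdentifier="iap-lobby",
           CallingStationID="66-77-88-99-AA-BB", ProxyPolicyName="Secure Wireless Connections",
           NetworkPolicyName="", ReasonCode="48"),
]


def parse_event(xml_text):
    """Pull the fields that matter for triage out of one 6272/6273 event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": event_id,
        "granted": event_id == EVENT_GRANTED,
        "user": data.get("SubjectUserName", ""),
        "nas": data.get("NASIdentifier", "") or data.get("NASIPv4Address", ""),
        "station": data.get("CallingStationID", ""),
        "crp": data.get("ProxyPolicyName", ""),
        "network_policy": data.get("NetworkPolicyName", ""),
        "reason_code": int(data.get("ReasonCode") or 0),
    }


def triage(xml_events):
    """Return, per client MAC, what NPS decided and where to look next."""
    by_station = defaultdict(list)
    for ev in (parse_event(x) for x in xml_events):
        by_station[ev["station"]].append(ev)
    verdicts = {}
    for station, evs in by_station.items():
        denied = [e for e in evs if not e["granted"]]
        if not denied:
            verdicts[station] = {
                "verdict": "granted",
                "policy": evs[-1]["network_policy"],
                "next": "NPS accepted the request; if the client still fails, look at the "
                        "authenticator (e.g. EAP termination on the IAP) and at the client's "
                        "server-certificate trust, not at NPS policy.",
            }
        else:
            code = denied[-1]["reason_code"]
            verdicts[station] = {
                "verdict": "denied",
                "reason_code": code,
                "reason": REASONS.get(code, "see the NPS reason-code documentation"),
                "next": "Fix on NPS: compare the reason with the connection request "
                        "and network policy conditions that should have matched.",
            }
    return verdicts


if __name__ == "__main__":
    for station, verdict in triage(SAMPLE_EVENTS).items():
        print(station, verdict)
```

On a real server the XML for each event comes from Event Viewer's XML view or from exporting the Security log; the parser only relies on the `EventID` element and the named `Data` fields. The first constructed event reproduces the situation in this post (granted by "All Domain Users", yet the client fails), the second shows a denial that really is an NPS policy problem.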



  • 19.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 27, 2013 12:16 AM

    I would open a support case.  There are too many ways that this could be misconfigured and failing.

     

    This thread could last forever with people guessing and you would just lose interest and quit.

     

    Please open a support case.



  • 20.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 27, 2013 12:56 PM

    Okay, thanks.

     

    I can't open a support case without purchasing Aruba Care, correct?

     

    (I replied to your PM, BTW).



  • 21.  RE: Microsoft RADIUS; CA; Apple products

    Posted Aug 27, 2013 03:54 PM

    capalli and cjoseph:

     

     

    Thank you both for your help. I had termination enabled on the security settings of the Aruba system, which, I guess, didn't let the authentication packets pass through to the RADIUS server. Once I set it to disabled, things started working.

     

    D'OH!

     

    Again, thanks!



  • 22.  RE: Microsoft RADIUS; CA; Apple products

    EMPLOYEE
    Posted Aug 27, 2013 04:04 PM
    Aha! It's always those buried check boxes. Glad you got it working.