Security

Contributor I
Posts: 20
Registered: ‎08-24-2013

Microsoft RADIUS; CA; Apple products

I have two issues that I am hoping to get some help for. I have set up a RADIUS server through Windows Server 2012, and changed my Aruba IAPs to authenticate through it. That part is working.

  • The first issue is one of certificates. I installed the certificate services on Windows Server, but I don't know how to associate a certificate with my Aruba system. So, when users log on it displays "this is not a trusted network..." but if they click "yes" it lets them on.
  • The second issue is Apple products. Since they aren't on the domain, RADIUS is not letting them authenticate, even when they manually enter their AD credentials.

I hope these two issues are somehow related, and I appreciate any help the community can offer.

Thanks!

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Microsoft RADIUS; CA; Apple products

1) In your policies in NPS, specify an authentication type of EAP-PEAP and
it will allow you to select the cert to use.

2) Sounds like you only have Domain Computers in your access policy in
NPS. Add another specific user group or you can use Domain Users to allow
everyone.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 20
Registered: ‎08-24-2013

Re: Microsoft RADIUS; CA; Apple products

Thanks for the reply, Tim.

I am new to NPS, and am wondering if you can walk me through this in a little bit more detail. I have my Network Policy Server dialog/snap-in open now. On the left menu it has:

  • RADIUS clients and servers
  • Policies
  • Network access protection
  • Accounting
  • Templates management


  • In RADIUS clients and servers, I have added the Aruba management IP as well as all of the IPs of my access points (is this correct?)
  • Under Policies, there are three options: Connection Request Policies, Network Policies, and Health Policies
    1. Under Connection Request Policies I have two policies, Secure Wireless Connections and Use Windows Authentication for All Users
    2. Under Network Policies I have Secure Wireless Connections and one I just created based on your reply that is called Domain Users, under which I have a condition that allows all domain user groups access (I think).

So do I need to have this second policy that allows domain user groups, or can I just add it as a condition to my existing policy?

[Attached screenshots: 1.jpg, 2.jpg, 3.jpg]

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Microsoft RADIUS; CA; Apple products

You should make a second policy and add the Domain Users group. If you ever add policies in the future, you'll probably want them above Domain Users, since all users tend to be in that group and it will trump the others if it's at the top.

More details on configuration:

You should have a connection request policy for each 802.1x authenticator type (controller, IAP, switch).

In that connection request policy, you should add conditions that are unique to those devices such as NAS IP or NAS Identifier (both are sent by the authenticator device).

When you set the EAP type in the Connection Request Policy and click the override network policy authentication settings checkbox, this EAP type will trump those set in individual network policies (where you will classify users by group). I would suggest doing this as it will make configuration a bit quicker (you don't have to set it on each individual policy).

For EAP type, select Microsoft: Protected EAP (PEAP) and then select your cert from the drop down.

Now you can go into the Network Policies and create conditions based on groups. (You can create a single policy with multiple groups, but it is generally easier to do individual ones for troubleshooting / deciphering logs).

For example:

Policy 1: IT Staff

Conditions > User Groups = DOMAIN\Domain Admins

Settings > RADIUS Attributes > Standard > Filter-id = itstaff

 

Policy 2: All Domain Users

Conditions > User Groups = DOMAIN\Domain Users

(it will default to allow access if nothing else is set)

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
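The policy layout described above (one Connection Request Policy per authenticator type keyed on NAS attributes, a PEAP type set there with override, then Network Policies evaluated in order on group membership with a Filter-Id returned), modelled as an added Python example. This is not code from the thread, from Aruba or from Microsoft NPS; it is a simplified model of the evaluation order the replies describe, and the group names, NAS identifiers, user names and Filter-Id values are constructed placeholders. It also shows the two failure modes raised earlier in the thread: Domain Users placed above a more specific policy swallowing the admin match, and a Domain-Computers-only policy rejecting a domain user on a non-domain Mac.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample model of NPS evaluation order, as described in the thread.
# Group names, NAS identifiers and Filter-Id values below are placeholders.


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset              # AD groups the authenticating account is in
    nas_identifier: str            # sent by the authenticator (IAP, controller, switch)
    nas_port_type: str             # e.g. "Wireless - IEEE 802.11"


@dataclass(frozen=True)
class ConnectionRequestPolicy:
    name: str
    nas_identifier_prefix: str     # condition unique to one authenticator type
    nas_port_type: str
    eap_type: str                  # e.g. "PEAP", with the server cert selected
    override_network_policy_auth: bool = True


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    user_group: str                # Conditions > User Groups
    access: str = "grant"          # a matched policy grants unless set otherwise
    filter_id: Optional[str] = None  # Settings > RADIUS Attributes > Standard > Filter-Id


def match_crp(req, crps):
    """First Connection Request Policy whose NAS conditions match, else None."""
    for crp in crps:
        if (req.nas_identifier.startswith(crp.nas_identifier_prefix)
                and req.nas_port_type == crp.nas_port_type):
            return crp
    return None


def evaluate(req, crps, policies):
    """The matching CRP categorises the request and fixes the EAP type; the
    first Network Policy (in list order) whose group condition matches decides.
    No match at either stage is a reject, mirroring NPS's default deny."""
    crp = match_crp(req, crps)
    if crp is None:
        return {"access": "reject", "reason": "no connection request policy matched"}
    for pol in policies:
        if pol.user_group in req.groups:
            return {"access": pol.access, "crp": crp.name, "eap": crp.eap_type,
                    "policy": pol.name, "filter_id": pol.filter_id}
    return {"access": "reject", "crp": crp.name,
            "reason": "no network policy matched the account's groups"}


WIFI = "Wireless - IEEE 802.11"
CRPS = [
    ConnectionRequestPolicy("IAP wireless", "IAP-", WIFI, "PEAP"),
    ConnectionRequestPolicy("Controller wireless", "CTRL-", WIFI, "PEAP"),
]

# Specific policy first, Domain Users last, as recommended in the thread.
ORDERED_OK = [
    NetworkPolicy("IT Staff", "DOMAIN\\Domain Admins", filter_id="itstaff"),
    NetworkPolicy("All Domain Users", "DOMAIN\\Domain Users"),
]
# Domain Users on top: it trumps the more specific policy for every user.
ORDERED_BAD = list(reversed(ORDERED_OK))
# Only a computer-group policy: domain users on non-domain Macs get rejected.
COMPUTERS_ONLY = [NetworkPolicy("Domain Computers", "DOMAIN\\Domain Computers")]

ADMIN = Request("alice", frozenset({"DOMAIN\\Domain Users", "DOMAIN\\Domain Admins"}),
                "IAP-lobby", WIFI)
MAC_USER = Request("bob", frozenset({"DOMAIN\\Domain Users"}), "IAP-lobby", WIFI)
UNKNOWN_NAS = Request("bob", frozenset({"DOMAIN\\Domain Users"}), "SW-closet", WIFI)


def demo():
    """Run the four scenarios discussed in the thread and return the decisions."""
    return {
        "admin_good_order": evaluate(ADMIN, CRPS, ORDERED_OK),
        "admin_bad_order": evaluate(ADMIN, CRPS, ORDERED_BAD),
        "mac_computers_only": evaluate(MAC_USER, CRPS, COMPUTERS_ONLY),
        "mac_with_domain_users": evaluate(MAC_USER, CRPS, ORDERED_OK),
        "unknown_authenticator": evaluate(UNKNOWN_NAS, CRPS, ORDERED_OK),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(scenario, decision)
```

Real NPS evaluates more condition types than the two modelled here, and the authenticator only sees the RADIUS attributes the matched policy returns, so the Filter-Id value is what the IAP maps to a role; the model just makes the ordering behaviour visible.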
Contributor I
Posts: 20
Registered: ‎08-24-2013

Re: Microsoft RADIUS; CA; Apple products

Tim,

Thanks so much for your help!

So, under Policies > Connection Request Policies, I have two policies (see screenshot above):

1. Secure Wireless Connections
2. Use Windows authentication for all users

Under Secure Wireless Connections, under settings and Authentication Methods, I should check the Override box, add Microsoft PEAP, and click Edit. Now I have two choices for certificate, SERVER.DOMAIN.NET and DOMAIN-SERVER-CA. Which should I use?

Should I do the same for Use Windows authentication for all users?

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Microsoft RADIUS; CA; Apple products

Sounds like you want the SERVER.DOMAIN.NET. This cert will be presented to the client and the user will click to accept it.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 20
Registered: ‎08-24-2013

Re: Microsoft RADIUS; CA; Apple products

Hi Tim,

Okay, so is the Connection Request Policies area where I add Domain Users as a condition? (Right now all that is there is NAS Port Type --- Wireless - IEEE 802.11.)

Or, do I add it under Network Policies, where it currently is?
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Microsoft RADIUS; CA; Apple products

Network Policies.

The Connection Request Policies are more of a "categorize the request" policy, whereas the Network Policies are to make policy decisions based on the account.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 20
Registered: ‎08-24-2013

Re: Microsoft RADIUS; CA; Apple products

Thanks, Tim.

So if I have PEAP enabled, do I need to check any of the methods under "Less secure authentication methods?"

Remember I am trying to make it so that both Windows and Mac devices can authenticate (they all have domain accounts).

[Attached screenshot: 4.jpg]
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Microsoft RADIUS; CA; Apple products

If EAP-MSCHAP v2 is selected under the Protected EAP (PEAP) options, then you do not need any of the "less secure options".

[Attached screenshot: peap-nps.png]

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480