08-18-2013 07:25 PM - edited 08-18-2013 07:35 PM
I'm having trouble getting my manager's iPhone onto our wireless network. Our Aruba wireless is set up to use both machine and user authentication. Machine auth is enforced. The machine auth uses EAP-TLS terminated on an NPS server, and the user auth uses PEAP-MSCHAP terminated on the same NPS (different network policy).
My plan to get the iPhone onto the network was to load my user certificate onto the phone, which I'd exported from my laptop, and to configure an EAP-TLS connection using the exported certificate. I was then going to drop the EAP-TLS connection and reconnect using a PEAP-MSCHAP connection to get into the user role (satisfying the machine auth enforcement requirement). I needed to use my user certificate because I wasn't able to export the private key attached to my machine certificate (certificate restriction). To get the NPS to accept my user certificate I needed to add my username to the security group against which the NPS checks for EAP-TLS auth. I was very hopeful that my manager's iPhone would get successfully authenticated into the machine role, but it didn't. The NPS logs showed that the NPS was happy with the authentication request, because it responded with an Access-Accept, but the Aruba controller must do further checks. The auth trace log failed on the m-auth step.
I'm at a loss for why the controller/access point doesn't allow the iPhone when the NPS server accepts the auth attempt. Are there any reasons why a user certificate won't work for machine authentication when the identity from the certificate has been added to the group of identities which are allowed for machine auth? Could it be that a user's certificate identity is in the <domainname>/<user> format, whereas a machine certificate has the format host/<hostname>? Does the Access-Accept message sent back to the controller from the NPS server (or is it the access point that gets the Access-Accept?) contain the identity used for the auth, and if it doesn't match the format host/<hostname> it won't be allowed for machine auth?
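As an added illustration of the hypothesis in the post above (this is not code from the thread, Aruba or Microsoft), the following Python models the role derivation that an enforce-machine-auth setup performs: the identity the supplicant presented is read from the User-Name attribute of the RADIUS Access-Request the controller forwards, an identity with the host/ prefix is treated as machine auth and cached per MAC address with a timeout, and a later user auth on the same MAC gets the full role only if that cache entry exists. The host/ classification rule, the cache timeout, the role names, the MAC addresses and the CORP\jsmith identity are all assumptions or constructed sample data; the RADIUS packets are built with zeroed Authenticators purely to show the attribute layout.

```python
import struct

# RFC 2865 packet codes and attribute types used in this model.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31


def build_radius_packet(code, identifier, attrs):
    """Assemble a RADIUS packet with RFC 2865 framing. Constructed sample only:
    the 16-byte Authenticator is zeroed, so nothing here is cryptographically
    verified; the point is the attribute layout."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_radius_packet(packet):
    """Return (code, [(type, value), ...]); reject truncated or overlong attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def user_name(attrs):
    """First User-Name attribute as text, or None if the packet carries none."""
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8", "replace")
    return None


def is_machine_identity(identity):
    """Assumed classification rule: host/<hostname> is machine auth; a
    DOMAIN\\user or user@domain identity is user auth."""
    return identity is not None and identity.lower().startswith("host/")


class MachineAuthCache:
    """Per-MAC record of a successful machine auth, expiring after `timeout` seconds."""

    def __init__(self, timeout):
        self.timeout = timeout
        self._seen = {}

    def record(self, mac, now):
        self._seen[mac.lower()] = now

    def valid(self, mac, now):
        seen = self._seen.get(mac.lower())
        return seen is not None and now - seen < self.timeout


def derive_role(cache, mac, identity, accepted, now, roles):
    """Simplified model (an assumption, not controller code): machine auth alone
    gives the machine-default role, user auth on a MAC with cached machine auth
    gives the full user role, user auth without it gives the user-default role."""
    if not accepted:
        return None  # Access-Reject: no role at all
    if is_machine_identity(identity):
        cache.record(mac, now)
        return roles["machine_default"]
    if cache.valid(mac, now):
        return roles["user"]
    return roles["user_default"]


def run_attempt(cache, mac, identity, ident, now, roles):
    """One 802.1X attempt: build the forwarded Access-Request, parse the identity
    back out of it, pair it with a constructed Access-Accept, derive the role."""
    request = build_radius_packet(ACCESS_REQUEST, ident, [
        (ATTR_USER_NAME, identity.encode()),
        (ATTR_CALLING_STATION_ID, mac.encode()),
    ])
    _, attrs = parse_radius_packet(request)
    reply_code, _ = parse_radius_packet(build_radius_packet(ACCESS_ACCEPT, ident, []))
    return derive_role(cache, mac, user_name(attrs), reply_code == ACCESS_ACCEPT, now, roles)


def scenario():
    """Replay the thread: an iPhone doing EAP-TLS with an exported user cert and
    then PEAP, contrasted with a domain laptop using its machine cert first."""
    roles = {"machine_default": "machine-auth-default-machine-role",
             "user_default": "machine-auth-default-user-role",
             "user": "authenticated"}
    cache = MachineAuthCache(timeout=24 * 3600)
    iphone, laptop = "AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"  # constructed MACs
    return {
        "iphone_eap_tls_user_cert": run_attempt(cache, iphone, "CORP\\jsmith", 1, 0, roles),
        "iphone_peap_user": run_attempt(cache, iphone, "CORP\\jsmith", 2, 60, roles),
        "laptop_eap_tls_machine_cert": run_attempt(cache, laptop, "host/LAPTOP01.corp.example", 3, 0, roles),
        "laptop_peap_user": run_attempt(cache, laptop, "CORP\\jsmith", 4, 60, roles),
    }


if __name__ == "__main__":
    for attempt, role in scenario().items():
        print(f"{attempt}: {role}")
```

In this model the NPS Access-Accept never changes the outcome on its own: the iPhone's EAP-TLS attempt with a CORP\jsmith identity is accepted by the server but never populates the machine-auth cache, so both it and the following PEAP attempt land in the restricted user-default role, while the laptop whose first attempt carried a host/ identity ends up in the full role. Whether a real controller also inspects the Access-Accept is not something the thread establishes, so the model only reads the identity the supplicant sent.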
08-22-2013 04:06 AM
Could it be that a user's certificate identity is in the <domainname>/<user> format, whereas a machine certificate has the format host/<hostname>? Does the Access-Accept message sent back to the controller from the NPS server (or is it the access point that gets the Access-Accept?) contain the identity used for the auth, and if it doesn't match the format host/<hostname> it won't be allowed for machine auth?
I'm not 100% sure, but I think it can be something like that. Personally I would look for another solution, perhaps an SSID for devices that don't do machine auth.
08-22-2013 04:16 AM
You have quite a few layers of security that need to be unraveled to understand what is not working.
Let's start with the NPS server: Did you get the certificate on the iPhone? If you did, what is the NPS server message when it attempts to authenticate?
Aruba Customer Engineering
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs