
Problem Password expired RADIUS with MS Active Directory

  • 1.  Problem Password expired RADIUS with MS Active Directory

    Posted Sep 27, 2012 04:48 PM

    Hi,

    I hope you can help me with this problem. I'm starting to use Aruba authenticating to Active Directory via a RADIUS server on Windows 2008 R2.

    It is working perfectly; the OU or group I select are the only ones capable of connecting to the wireless network, but we have one small problem:

    When a user's domain password expires, he can't change the password (it shows no option for this); it only says that the username or password is wrong. There's no option for those users to renew their passwords.

    The RADIUS server is not the Domain Controller; they are different servers on the same LAN. I don't know if this is the problem and the RADIUS server has to be the controller too.

    Another problem, probably related to the first one, is that users are not downloading the domain policies (for example, the notification that the password is about to expire, or the wallpaper policy).

    I believe this problem is because, before logging in to the domain, the computers don't have a user, and because of that they are not logged into the wireless network (because it needs the login information: user and password). So it starts the session with the cached username and password. Therefore it doesn't download policies, etc. Then, after the password expires, the computer is not able to connect to the network, and the RADIUS server or controller does not detect that it is not a wrong password but an expired one, and is not capable of changing the domain password for the user through the controller and RADIUS server.

    I hope I was clear with my problem and you can help me.



  • 2.  RE: Problem Password expired RADIUS with MS Active Directory

    EMPLOYEE
    Posted Sep 27, 2012 06:51 PM

    What are your remote access policies on the NPS server?  You need to allow Domain Computers to authenticate as well, so that they get an IP address at the Ctrl-Alt-Delete screen, to solve your issue.

    Please see the article here:  http://community.arubanetworks.com/t5/Authentication-and-Access/802-1x-Machine-Authentication-Using-Aruba-3600-Controllers-and/m-p/28250/highlight/true#M470



  • 3.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Sep 28, 2012 11:59 AM

    There was only the AD group we granted permission to on the policy. I just added Domain Computers, and now I'm going to make some tests. I have two questions:

    - I have termination ENABLED on the 802.1X AUTHENTICATION PROFILE. How does this affect it? Should I disable it too, as I read? How does it affect me? There's one enabled: the termination eap-peap and eap-mschapv2.

    - By adding Domain Computers to the user groups capable of connecting to the wireless, am I giving permission to more people outside my initial AD group? Because this could be a security breach.

    Also, on the link you just gave me, they say that the RADIUS server HAS to be a Domain Controller. Is this a MUST?? Can this also be the problem??

    I'll give you feedback as soon as I finish my tests. Thank you for your help.



  • 4.  RE: Problem Password expired RADIUS with MS Active Directory

    EMPLOYEE
    Posted Sep 28, 2012 12:13 PM
    You should duplicate your existing policy and change the Windows group to Domain Computers. Nobody that was not allowed before will be able to get on. RADIUS does not have to be a domain controller.




  • 5.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Oct 01, 2012 11:13 AM

    OK, I just did that. I tried to test this by setting "user must change password at next logon" on the user's Active Directory account. But when I tried to open a session with that account, it opens with the cache, and the wireless connection doesn't work. It keeps saying that the user or password is wrong.

    I still haven't tested the expired account, but I believe the test I made can be a good way to test it, doesn't it??

    Reading the PDFs, I don't have two things they say I must have, but since the wireless is in production and can affect a whole floor, I haven't done it yet.

    Those things are in the AAA profile:

    The termination checkbox in the 802.1x authentication profile is enabled; the termination eap-peap and eap-mschapv2 is enabled (MSCHAPv2 is the one we use in the RADIUS server).

    The enforce machine authentication in the 802.1x authentication profile is disabled too.

    We don't use certificates.

    Any help would be appreciated.



  • 6.  RE: Problem Password expired RADIUS with MS Active Directory

    EMPLOYEE
    Posted Oct 01, 2012 11:19 AM

    @Zamuz wrote:

    OK, I just did that. I tried to test this by setting "user must change password at next logon" on the user's Active Directory account. But when I tried to open a session with that account, it opens with the cache, and the wireless connection doesn't work. It keeps saying that the user or password is wrong.

    I still haven't tested the expired account, but I believe the test I made can be a good way to test it, doesn't it??

    Reading the PDFs, I don't have two things they say I must have, but since the wireless is in production and can affect a whole floor, I haven't done it yet.

    Those things are in the AAA profile:

    The termination checkbox in the 802.1x authentication profile is enabled; the termination eap-peap and eap-mschapv2 is enabled (MSCHAPv2 is the one we use in the RADIUS server).

    The enforce machine authentication in the 802.1x authentication profile is disabled too.

    We don't use certificates.

    Any help would be appreciated.


    Do you have a server certificate on your RADIUS server?  If so, you need to uncheck "Termination".  For one, machine authentication, which is required for a successful domain login, does not work when Termination is enabled.



  • 7.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Oct 01, 2012 12:44 PM

    I don't have any server certificate on the RADIUS server; actually, at the company we still don't use a certificate server.

    Do we have to have one for it to work as we want? Or can it work without it? We just use AD to authenticate and give access to the wireless network. What about "enforce machine authentication"? Should I enable it?

    Thank you for your time.



  • 8.  RE: Problem Password expired RADIUS with MS Active Directory

    EMPLOYEE
    Posted Oct 01, 2012 12:48 PM

    @Zamuz wrote:

    I don't have any server certificate on the RADIUS server; actually, at the company we still don't use a certificate server.

    Do we have to have one for it to work as we want? Or can it work without it? We just use AD to authenticate and give access to the wireless network. What about "enforce machine authentication"? Should I enable it?

    Thank you for your time.


    When you enable termination on the controller, it is a workaround for your server not having a certificate, but it is not secure.  In addition, machine authentication does not take place successfully when you have termination enabled, so a lot of things that are supposed to happen on login do not work.

    Ideally you would install a CA and issue your server a certificate.  If you don't have a CA, install one, because nothing depends on it.  You can even install the CA on your existing RADIUS server, disable termination, and your clients will be able to authenticate as machines.

    If you have a Windows 2008 NPS server, this will tell you how to do it from scratch:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

    The guide assumes that you have nothing, so you can just do the CA as well as the part where you request a certificate for your NPS server.



  • 9.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Oct 03, 2012 11:41 AM

    Thanks, I just did the CA installation, but termination on the Aruba controller can't be disabled; it doesn't let me apply that change... (it doesn't show "changes applied"). Maybe I should do something extra on the controller, now that it is authenticating with a CA too?

    Also, I'm supposed to enable the enforce machine authentication, aren't I?

    I'm sorry if I'm asking too much, but support in my case takes too long to wait for an answer.



  • 10.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Jul 29, 2013 08:46 AM

    I'd like to add to this as well, if that is OK. Very high level.

    A customer upgraded their AD to Windows Server 2008 and is utilizing RADIUS, and certain users suffered from the password expiry issue.

    What is interesting is that the controller was configured to use the RADIUS server for authentication but had Termination enabled.

    Users authenticated with user/pass to the RADIUS server; most users would not have a problem, but some would (could not log in).

    Disabling termination seemed to fix the issue, but what I would like to know is the following:

    If termination is enabled, which means 802.1x terminates at the controller, why are users still able to authenticate to RADIUS??

    Does it act like a passthrough, since there are no stored usernames/passwords on the controller?



  • 11.  RE: Problem Password expired RADIUS with MS Active Directory
    Best Answer

    EMPLOYEE
    Posted Jul 29, 2013 08:50 AM

    When termination is enabled, EAP is terminated on the controller.  Username and password authentication continues to the external RADIUS server.

    Machine authentication does not work when Termination is enabled, and that is why users cannot change their passwords, because the computer itself cannot authenticate to make this happen.
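    The controller-side settings this thread converges on (termination off, machine authentication enforced, a RADIUS server that holds a CA-issued certificate), written out as an added ArubaOS CLI example. This is not configuration from the original posts, from Aruba documentation, or from any poster's environment: the profile, server group, role names, the 192.0.2.10 documentation-range address and the shared-secret placeholder are all assumed. The NPS side (a network policy that also allows the Windows group Domain Computers, as replies 2 and 4 describe) is still required and is not shown here.

```text
! ---------------------------------------------------------------------------
! BEFORE (the situation the original poster described, assumed profile name):
! EAP is terminated on the controller, which handles PEAP/MSCHAPv2 itself and
! forwards only the inner username/password to NPS. Machine authentication is
! off, so a domain computer sitting at the Ctrl-Alt-Delete screen with no
! logged-on user never gets onto the network, and an expired password cannot
! be changed there.
! ---------------------------------------------------------------------------
aaa authentication dot1x "dot1x-corp"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
   no machine-authentication enable
!

! ---------------------------------------------------------------------------
! AFTER: EAP passes through untouched to the RADIUS server (NPS, now with a
! server certificate from the CA), and the controller tracks whether the
! machine authenticated before the user did. Role names are assumed.
! ---------------------------------------------------------------------------
aaa authentication dot1x "dot1x-corp"
   no termination enable
   machine-authentication enable
   ! role for a computer that passed machine auth but has no user yet:
   ! needs DHCP and reachability to the domain controllers so that the
   ! logon / password-change dialog can talk to AD
   machine-authentication machine-default-role "computer-only"
   ! role for a user who authenticated from a machine that never did
   machine-authentication user-default-role "user-only"
   ! hours the controller remembers a successful machine auth
   machine-authentication cache-timeout 24
!
aaa authentication-server radius "nps-01"
   host 192.0.2.10
   key <shared-secret-placeholder>
!
aaa server-group "nps-servers"
   auth-server "nps-01"
!
aaa profile "corp-aaa"
   authentication-dot1x "dot1x-corp"
   dot1x-default-role "employee"
   dot1x-server-group "nps-servers"
!
```

    Two points worth checking after applying something like this: the "computer-only" role must permit DHCP, DNS, Kerberos and LDAP to the domain controllers, otherwise machine authentication succeeds but the logon screen still cannot reach AD; and on the RADIUS side the Domain Computers policy must sit alongside the existing user policy rather than replace it, so that, as reply 4 says, nobody who was not allowed before gains access.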



  • 12.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Jul 29, 2013 08:53 AM

    Great. Machine authentication was not used in this instance.

     



  • 13.  RE: Problem Password expired RADIUS with MS Active Directory

    EMPLOYEE
    Posted Jul 29, 2013 08:56 AM
    Okay. It needs to be for the password to be changed, because the machine itself needs an IP address when that happens.


  • 14.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Jul 29, 2013 09:06 AM

    That's a lot of MAC addresses to be inputted then :)

    Therefore, if MAC auth is enabled, EAP can then be terminated on the controller?

    I've read this http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Radius-Fail-through-and-802-1x-Machine-Authentication/td-p/12183 and am trying to make something of it.



  • 15.  RE: Problem Password expired RADIUS with MS Active Directory

    EMPLOYEE
    Posted Jul 29, 2013 09:12 AM
    Just to make things clear, the link you posted above discusses the fail-through feature, and not really termination. It has no bearing on this current thread...

    Is there a deployment scenario about resetting passwords that you were interested in?


  • 16.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Jul 29, 2013 09:47 AM

    I'm just trying to get a general understanding of "Termination", along with the situation I was dealing with on Friday.

    I believe you answered me correctly, Colin.


    I am going to need to discuss with the customer's IT department, who manage AD and RADIUS, to get a further understanding of what they did.

    I appreciate your time, definitely.



  • 17.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Aug 10, 2015 01:36 AM

    I know it is several years later, but it seems like the user never got an answer or a resolution for the question. It is really a simple solution as far as I see it and requires just understanding what is being asked. But what the user was looking for is a feature that is not supported by RADIUS (unless that has changed and I am not aware). He is looking for a password expiration and a prompt for the user. But that is not supported by RADIUS. He would need to use LDAP for that. Could it be that simple? Hmm. IDK, maybe. But I am sure if someone else is looking for a solution they may see this and comment, and it may help.



  • 18.  RE: Problem Password expired RADIUS with MS Active Directory

    Posted Jul 01, 2019 01:18 PM

    Here it is, 4 years after the last ping on this thread, and I'm being a necromancer.  I'm trying to better understand how to get a user prompt to re-enter their password if it is expired.

    Scenario: Users reset their password per policy every 90 days.  When they reboot their laptop or try to re-join the corporate 802.1x SSID, they simply get an "Incorrect user password" message from Windows 10.  Forgetting and re-entering their user/password works.  We would like to have the client receive a notification to re-enter the credentials rather than the default of silently denying the user access.

    Is there any way to make this happen, or a configuration setting on the controller which can be enabled to do so? Termination, changing EAP settings, or something of the like?

    Note: I am using ArubaOS and Aruba ClearPass for corporate 802.1x authentication.  We do not terminate on the controller.  In a separate scenario we are using ArubaOS and Windows NPS, but in that scenario we receive a popup notification.