Occasional Contributor I
Posts: 8
Registered: ‎07-25-2012

Problem Password expired RADIUS with MS Active Directory

Hi,

I hope you can help me with this problem. I'm starting to use Aruba authenticating to the Active Directory via a RADIUS server on Windows 2008 R2.

It is working perfectly: only the OU or group I select is capable of connecting to the wireless network, but we have one small problem:

When a user's domain password expires, he can't change the password (it shows no option for this); it only says that the username or password is wrong. There's no option for those users to renew their passwords.

The RADIUS server is not the domain controller; they are different servers on the same LAN. I don't know if this is the problem and the RADIUS server has to be the domain controller too.

Another problem, probably related to the first one, is that users are not downloading the domain policies (for example, the notification that the password is about to expire, or the wallpaper policy).

I believe this problem happens because, before logging in to the domain, the computers don't have a user, and because of that they are not logged into the wireless network (since it needs the login information, user and password). So the computer starts a session with the cached username and password. Therefore it doesn't download policies, etc. Then, after the password expires, the computer is not able to connect to the network, and the RADIUS server or controller does not detect that it is not a wrong password but an expired one, and is not capable of changing the domain password for the user through the controller and RADIUS server.

I hope I was clear about my problem and that you can help me.
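
The complaint at the end of the post above, that the controller and RADIUS server report an expired password as a wrong one, comes down to a single field in the MS-CHAPv2 exchange. The following is an added example, not code from this thread nor from Aruba or Microsoft: it parses the Failure message an MS-CHAPv2 authenticator returns (RFC 2759, section 6, the text "E=... R=... C=... V=... M=..."), distinguishing error 648 (password expired, which permits a Change-Password exchange) from 691 (authentication failure), and also builds the server-side string so the two halves can be round-tripped. The sample messages, the function names and the user-facing strings are constructed for this example; the parser tolerates a missing C=, V= or M= field, which the RFC does not require you to do.

```python
"""Decode the MS-CHAPv2 Failure message returned by a RADIUS/NPS authenticator.

RFC 2759 section 6 defines the Failure packet payload as a text string:

    E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>

Only the E= code tells the supplicant (or a controller terminating PEAP)
whether the failure was "bad credentials" or "password expired".
All sample strings in this file are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Error codes defined in RFC 2759, section 6.
MSCHAPV2_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# C=, V= and M= are accepted as optional (an assumption for leniency) so a
# truncated message still yields the error code.
_FAILURE_RE = re.compile(
    r"^E=(?P<code>\d{1,10})"
    r"\s+R=(?P<retry>[01])"
    r"(?:\s+C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r"(?:\s+V=(?P<version>\d{1,10}))?"
    r"(?:\s+M=(?P<message>.*))?\s*$"
)


@dataclass(frozen=True)
class MschapV2Failure:
    code: int
    name: str
    retry_allowed: bool
    challenge: Optional[bytes]  # 16-octet challenge for a retry or password change
    version: Optional[int]
    message: str

    @property
    def password_expired(self) -> bool:
        return self.code == 648

    @property
    def change_password_possible(self) -> bool:
        # RFC 2759 section 7: after E=648 the peer may send a Change-Password
        # packet, which is computed over the new challenge carried in C=.
        return self.password_expired and self.challenge is not None


def parse_failure(text: str) -> MschapV2Failure:
    """Parse a Failure message; raise ValueError if it is not RFC 2759 shaped."""
    m = _FAILURE_RE.match(text)
    if m is None:
        raise ValueError(f"not an MS-CHAPv2 failure message: {text!r}")
    code = int(m.group("code"))
    challenge = m.group("challenge")
    version = m.group("version")
    return MschapV2Failure(
        code=code,
        name=MSCHAPV2_ERRORS.get(code, f"UNKNOWN_{code}"),
        retry_allowed=m.group("retry") == "1",
        challenge=bytes.fromhex(challenge) if challenge else None,
        version=int(version) if version else None,
        message=m.group("message") or "",
    )


def build_failure(code: int, retry: bool, challenge: bytes, message: str) -> str:
    """Server side: format a Failure message the way RFC 2759 lays it out (V=3 is MS-CHAPv2)."""
    if len(challenge) != 16:
        raise ValueError("MS-CHAPv2 challenge must be 16 octets")
    return f"E={code} R={1 if retry else 0} C={challenge.hex().upper()} V=3 M={message}"


def user_facing_text(failure: MschapV2Failure) -> str:
    """What the side that sees the Failure should tell the user.

    Collapsing every code into "wrong username or password" is exactly the
    symptom described in the thread: an expired password looks like a typo.
    """
    if failure.code == 648:
        return ("Your password has expired; change it"
                if failure.change_password_possible
                else "Your password has expired; contact your administrator")
    if failure.code == 647:
        return "Account disabled"
    if failure.code == 646:
        return "Login not allowed at this time"
    if failure.code == 649:
        return "Account is not permitted to use this network"
    if failure.code == 691:
        return "Wrong username or password" + (" (retry allowed)" if failure.retry_allowed else "")
    return f"Authentication failed ({failure.name})"


# Constructed sample messages, shaped like those an MS-CHAPv2 authenticator sends.
SAMPLE_WRONG_PASSWORD = "E=691 R=1 C=0102030405060708090A0B0C0D0E0F10 V=3 M=Authentication failed"
SAMPLE_EXPIRED = "E=648 R=0 C=0102030405060708090A0B0C0D0E0F10 V=3 M=Password expired"
SAMPLE_DISABLED = "E=647 R=0 V=3 M=Account disabled"

if __name__ == "__main__":
    for sample in (SAMPLE_WRONG_PASSWORD, SAMPLE_EXPIRED, SAMPLE_DISABLED):
        f = parse_failure(sample)
        print(f"{f.code} {f.name:<30} -> {user_facing_text(f)}")
```

Whichever device terminates the inner MS-CHAPv2 is the one that receives this string; if it discards the E= code and reports a generic failure, the user never learns that a password change, not a retry, is what is needed.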

Guru Elite
Posts: 20,966
Registered: ‎03-29-2007

Re: Problem Password expired RADIUS with MS Active Directory

What are your remote access policies on the NPS server? You need to allow Domain Computers to authenticate as well, so that they get an IP address at the Ctrl-Alt-Delete screen, to solve your issue.

Please see the article here: http://community.arubanetworks.com/t5/Authentication-and-Access/802-1x-Machine-Authentication-Using-Aruba-3600-Controllers-and/m-p/28250/highlight/true#M470


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 8
Registered: ‎07-25-2012

Re: Problem Password expired RADIUS with MS Active Directory

There was only the AD group we granted permission to in the policy. I just added Domain Computers, and now I'm going to make some tests. I have two questions:

- I have termination ENABLED in the 802.1X authentication profile. How does this affect it? Should I disable it too, as I read? How does it affect me? There is one enabled: the termination EAP-PEAP and EAP-MSCHAPv2.

- By adding Domain Computers to the user groups capable of connecting to the wireless, am I giving permission to more people outside my initial AD group? Because this could be a security breach.

Also, in the link you just gave me, they say that the RADIUS server HAS to be a domain controller. Is this a MUST?? Can this also be the problem??

I'll give you feedback as soon as I finish my tests. Thank you for your help.

Guru Elite
Posts: 20,966
Registered: ‎03-29-2007

Re: Problem Password expired RADIUS with MS Active Directory

You should duplicate your existing policy and change the Windows group to Domain Computers. Nobody that was not allowed before will be able to get on. RADIUS does not have to be a domain controller.




Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 8
Registered: ‎07-25-2012

Re: Problem Password expired RADIUS with MS Active Directory

OK, I just did that. I tried to test this by setting "User must change password at next logon" on the user's Active Directory account. But when I tried to open a session with that account, it opens with the cache, and the wireless connection doesn't work. It keeps saying that the user or password is wrong.

I still haven't tested the expired account, but I believe the test I made can be a good way to test it, can't it??

Reading the PDFs, I don't have two things they say I must have, but since the wireless is in production and can affect a whole floor, I haven't done it yet.

Those things are in the AAA profile:

The termination checkbox in the 802.1X authentication profile is enabled; the termination EAP-PEAP and EAP-MSCHAPv2 are enabled (MSCHAPv2 is the one we use on the RADIUS server).

The enforce machine authentication option in the 802.1X authentication profile is disabled too.

We don't use certificates.

Any help would be appreciated.

Guru Elite
Posts: 20,966
Registered: ‎03-29-2007

Re: Problem Password expired RADIUS with MS Active Directory


Zamuz wrote:

OK, I just did that. I tried to test this by setting "User must change password at next logon" on the user's Active Directory account. But when I tried to open a session with that account, it opens with the cache, and the wireless connection doesn't work. It keeps saying that the user or password is wrong.

I still haven't tested the expired account, but I believe the test I made can be a good way to test it, can't it??

Reading the PDFs, I don't have two things they say I must have, but since the wireless is in production and can affect a whole floor, I haven't done it yet.

Those things are in the AAA profile:

The termination checkbox in the 802.1X authentication profile is enabled; the termination EAP-PEAP and EAP-MSCHAPv2 are enabled (MSCHAPv2 is the one we use on the RADIUS server).

The enforce machine authentication option in the 802.1X authentication profile is disabled too.

We don't use certificates.

Any help would be appreciated.


Do you have a server certificate on your RADIUS server? If so, you need to uncheck "Termination". For one, machine authentication, which is required for a successful domain login, does not work when Termination is enabled.

Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 8
Registered: ‎07-25-2012

Re: Problem Password expired RADIUS with MS Active Directory

I don't have any server certificate on the RADIUS server; actually, in the company we still don't use a certificate server.

Do we have to have one for it to work as we want? Or can it work without it? We just use the AD to authenticate and give access to the wireless network. What about "enforce machine authentication"? Should I enable it?

Thank you for your time.

Guru Elite
Posts: 20,966
Registered: ‎03-29-2007

Re: Problem Password expired RADIUS with MS Active Directory


Zamuz wrote:

I don't have any server certificate on the RADIUS server; actually, in the company we still don't use a certificate server.

Do we have to have one for it to work as we want? Or can it work without it? We just use the AD to authenticate and give access to the wireless network. What about "enforce machine authentication"? Should I enable it?

Thank you for your time.


When you enable termination on the controller, it is a workaround for your server not having a certificate, but it is not secure. In addition, machine authentication does not take place successfully when you have termination enabled, so a lot of things that are supposed to happen on login do not work.

Ideally you would install a CA and issue your server a certificate. If you don't have a CA, install one, because nothing depends on it. You can even install the CA on your existing RADIUS server, disable termination, and your clients will be able to authenticate as machines.

If you have a Windows 2008 NPS server, this will tell you how to do it from scratch: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

The guide assumes that you have nothing, so you can just do the CA as well as the part where you request a certificate for your NPS server.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 8
Registered: ‎07-25-2012

Re: Problem Password expired RADIUS with MS Active Directory

Thanks, I just did the CA installation, but termination on the Aruba controller can't be disabled; it doesn't let me apply that change (it doesn't show "changes applied"). Maybe I should do something extra on the controller, now that it is authenticating with a CA too?

Also, I'm supposed to enable the enforce machine authentication, aren't I?

I'm sorry if I'm asking too much, but support in my case takes too long to answer.

MVP
Posts: 1,422
Registered: ‎10-25-2011

Re: Problem Password expired RADIUS with MS Active Directory

I'd like to add to this as well, if that is OK. Very high level.

A customer upgraded their AD to Windows Server 2008 and is utilizing RADIUS, and certain users suffered from the password expiry issue.

What is interesting is that the controller was configured to use the RADIUS server for authentication but had Termination enabled.

Users authenticated with user/pass to the RADIUS server; most users would not have a problem, but some would (could not log in).

Disabling termination seemed to fix the issue, but what I would like to know is the following:

If termination is enabled, which means 802.1X terminates at the controller, why are users still able to authenticate to RADIUS??

Does it act like a passthrough, since there are no stored usernames/passwords on the controller?

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]