Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius auth timeout from client but not for controller

  • 1.  Radius auth timeout from client but not for controller

    Posted Jul 13, 2015 08:45 AM

    Hi all,

    I'm facing a new deployment with IAP-103, a couple of 7210 Controllers and a RADIUS server based on Win2k8.

    Testing the RADIUS authentication with my client, I cannot see the request in the server log, and the Controller returns logs with timeout messages.

    If I run the "AAA test server" from the controller, everything works fine.

    As another test, I connected a single IAP205 in autonomous mode and configured it to call the RADIUS server directly, but the situation is the same: the client falls into timeout but the test made over SSH on the AP works.

    The attempts from the client aren't shown in the RADIUS server logs; the attempts from the controller/AP are.

    Just another test: I configured a switch to call the RADIUS server for admin management. The user doesn't have the right attributes, but the requests are correctly shown in the server log.

    Any idea?

     

    thanks in advance


    #7210


  • 2.  RE: Radius auth timeout from client but not for controller

    EMPLOYEE
    Posted Jul 13, 2015 08:48 AM
    Drivers and/or certificate issues are generally the cause of this.

    Are you doing EAP-PEAP or EAP-TLS? Is your RADIUS server certificate publicly or privately signed?


    Thanks,
    Tim


  • 3.  RE: Radius auth timeout from client but not for controller

    Posted Jul 13, 2015 09:01 AM

    Hi Tim,

        I'm trying to do EAP-PEAP auth with MS-CHAPv2, I have disabled the check of the server certificate.

    thanks



  • 4.  RE: Radius auth timeout from client but not for controller

    EMPLOYEE
    Posted Jul 13, 2015 09:59 AM

    KagtdaDoss,

     

    You would need the output of "show auth-tracebuf client-mac <mac address of client>" to see the radius packets going back and forth.

     



  • 5.  RE: Radius auth timeout from client but not for controller

    Posted Jul 13, 2015 10:16 AM

    attached

     

    thanks

    Attachment: test radius.txt (1 KB)


  • 6.  RE: Radius auth timeout from client but not for controller

    EMPLOYEE
    Posted Jul 13, 2015 10:18 AM

    What is the operating system of this client, and what wireless card model is it?

     



  • 7.  RE: Radius auth timeout from client but not for controller

    Posted Jul 14, 2015 04:14 AM

    I have tried with a Win7 machine with a Realtek RTL8188CE Wireless LAN 802.11n PCI-E NIC; if you think it is a driver/OS problem I can try with another laptop...

     

    thanks



  • 8.  RE: Radius auth timeout from client but not for controller

    EMPLOYEE
    Posted Jul 14, 2015 04:18 AM

    Have you tried with a mobile device like an iPhone or Android phone?  Those would get on the network more easily.



  • 9.  RE: Radius auth timeout from client but not for controller

    Posted Jul 14, 2015 04:30 AM

    My colleague tried with a Win8 and the authentication fails (timeout); his own Win8 works in another deployment, also with RADIUS and Instant at the same firmware version.

    Yesterday we tried the authentication via the controller and via a single Instant too, with the same result.



  • 10.  RE: Radius auth timeout from client but not for controller

    EMPLOYEE
    Posted Jul 14, 2015 04:32 AM

    Who installed the radius server certificate on the Server and what CA was it issued from?

     



  • 11.  RE: Radius auth timeout from client but not for controller

    Posted Jul 14, 2015 04:43 AM

    The server side is the customer's configuration; by the way, he has not installed any CA. We need only the EAP-PEAP authentication and not EAP-TLS.



  • 12.  RE: Radius auth timeout from client but not for controller

    EMPLOYEE
    Posted Jul 14, 2015 06:46 AM
    The server still requires a server certificate, though. That is your problem.


  • 13.  RE: Radius auth timeout from client but not for controller

    Posted Jul 14, 2015 07:50 AM

    Thanks, in fact I get the attached error when I try to edit the EAP-PEAP profile, but can someone help me understand where I can put the requested certificate?

    The customer has an internal CA and usually uses certificates.



  • 14.  RE: Radius auth timeout from client but not for controller
    Best Answer

    EMPLOYEE
    Posted Jul 14, 2015 08:24 AM

    You can get the selfssl utility in the Windows Resource Kit to quickly generate a self-signed certificate.  Detailed Instructions are here:  http://www.howtogeek.com/107415/it-how-to-create-a-self-signed-security-ssl-certificate-and-deploy-it-to-client-machines/

     

    The instructions above  will not generate a server certificate from your customer's CA, though.  If the customer has a CA, or you want to generate a real certificate in your customer's environment, please see the guide here:  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672

     

     



  • 15.  RE: Radius auth timeout from client but not for controller

    Posted Jul 15, 2015 10:58 AM

    Thanks for the suggestion. The customer already has a certificate and wants to use it; can someone help me find the correct container in the RADIUS server to put it in?

     

    thanks
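
A check for the server-certificate requirement raised in this thread, as an added example that is not part of any post: it lists the certificates in the RADIUS server's Local Computer Personal store (`Cert:\LocalMachine\My`, the store NPS offers certificates from when a PEAP profile is edited) and flags the ones that cannot act as a PEAP server certificate. The function name `Test-PeapServerCert` is hypothetical; run it from an elevated PowerShell prompt on the NPS host.

```powershell
# Added example (not from the thread): audit candidate PEAP server certificates.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU
$now = Get-Date

function Test-PeapServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key on this host' }
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($Cert.NotAfter  -lt $now) { $problems += 'expired' }

    # The EKU extension must state the Server Authentication purpose.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) {
        $problems += 'no EKU extension (Server Authentication not stated)'
    } else {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $serverAuthOid) {
            $problems += 'EKU lacks Server Authentication'
        }
    }

    # Chain must build to a root this server trusts (fails for an
    # untrusted self-signed certificate or a missing internal CA root).
    if (-not $Cert.Verify()) { $problems += 'chain does not validate on this server' }

    if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
}

Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'PeapCheck'; Expression = { Test-PeapServerCert $_ } } |
    Format-List
```

An empty result means the store holds no certificate at all. A certificate reported as `OK` should then be selectable in the PEAP properties of the NPS network policy.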