Security

Hi,

Aruba 620, AP105, ArubaOS 5.0.4.2.

I have two SSID's "USER" & "CERT" I want to restrict the USER SSID so that it will only Authenticate PEAP-MSChapV2 and the CERT SID so that only users certificates can be used. The dot1x profiles are configured as below:

aaa authentication dot1x "CERT-dot1x_prof"   

termination eap-type eap-tls

!

aaa authentication dot1x "USER-dot1x_prof"   

termination eap-type eap-peap   

termination inner-eap-type eap-mschapv2

The issue is I can Authenticate on either SSID using either Authentication method.

What possible solutions are there to this issue?

Regards,

Nigel

---

@Nigel.Kemp@uk.fujitsu.com wrote:

Hi,

 

Aruba 620, AP105, ArubaOS 5.0.4.2.

 

I have two SSID's "USER" & "CERT" I want to restrict the USER SSID so that it will only Authenticate PEAP-MSChapV2 and the CERT SID so that only users certificates can be used. The dot1x profiles are configured as below:

 

aaa authentication dot1x "CERT-dot1x_prof"   

termination eap-type eap-tls

!

aaa authentication dot1x "USER-dot1x_prof"   

termination eap-type eap-peap   

termination inner-eap-type eap-mschapv2

 

The issue is I can Authenticate on either SSID using either Authentication method.

 

What possible solutions are there to this issue?

 

Regards,

Nigel

---

Nigel,

The "termination" options are not in effect unless you enable the "termination" option in the 802.1x profile.  With that being said, if you enable termination, you will have to upload a server certificate to the controller,  for the controller to do EAP-TLS and/or  EAP-PEAP.  Please see how you would obtain and upload those certificates in the thread here:  http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Question-about-the-802-1x-certificate/m-p/17954/highlight/true#M386

Hi,

I did not mention an important bit of information.

Authentication is being done by a W2k3 IAS Server, everything is working perfectly except that either authentication method can be used on either SSID.

Does this alter the need for a Server Cert on the Controller.

Regards,

Nigel

Okay,  If it is being done on the server, forget the termination portion.

Here is the tricky part:

On the IAS server, do you have a single remote access policy that has both EAP types in it? (PEAP and Smartcard)

I have two policies one for computer auth using PEAP-MSChapV2 the other doing User Auth for PEAP-MSCHAPv2 and Certificates.

I did have seperate policies for User PEAP & Cert auth but this config would only allow one or the other to Authenticate.

Regards,

Nigel

Issuing User Certs

Okay.  So unless you are using Termination on the Aruba controller, you cannot enforce the inner EAP type on an SSID.

Having a seperate Radius Server for each SSID (one allowing PEAP only the other Smart Card & Cert) should provide the control I require.

The actual requirement is to control the access of the devices authenticated using certificates (iPads). I am unable to upgrade to ArubaOS V6 as there are too many 800 controllers in the network.

Are there any other methods that could be used to achieve the desired result.

Regards,

Nigel

---

@Nigel.Kemp@uk.fujitsu.com wrote:

Having a seperate Radius Server for each SSID (one allowing PEAP only the other Smart Card & Cert) should provide the control I require.

 

The actual requirement is to control the access of the devices authenticated using certificates (iPads). I am unable to upgrade to ArubaOS V6 as there are too many 800 controllers in the network.

 

Are there any other methods that could be used to achieve the desired result.

 

Regards,

Nigel

---

There is one other option:  EAP-GTC.  Here is how you would do it:

1.  Setup an LDAP server on the controller that connects to the same radius server, but using LDAP.  Test the server using AAA test server on the diagnostics tab on the controller, to make sure it works.

2.  Run the WLAN/LAN Wizard the way you normally would to create a wireless network, using the encryption you want, but choose "Select From Known Servers".  Choose the LDAP server you just created and tested.  You should see a message that says "EAP-type eap-peap/eap-gtc has been selected. To change the EAP-Type please use the advanced UI".  Click on OK to continue setting it up until you are finished.

You would be left with a different WLAN that does EAP-PEAP but with a GTC inner-EAP type.  You can remove the PEAP/mschap portion of the remote access policy on the radius server and then it will not allow PEAP devices on your first WLAN.

Thanks for your help.

I have gone for the two Radius Servers option.

• One is existing within the Domain and only allows PEAP.
• A new IAS Server has been added to the PKI and only allows Certificate Auth.

Testing shows this has the desired effect Laptops in the Domain can not authenticate on the "CERT" SSID and the iPads can not authenticate with the "USER" SSID. The two device types get appropriate User Role upon successful authentication.

This has an added benefit in that Domain and PKI management is carried out by different groups, therefore the support boundaries remain clear.

Regards,

Nigel

Late to the game, but you could also utilize NAS-ID/NAS-IP fields in your RADIUS policy to use two different RADIUS auth policies on the same server. For me on my home lab RADIUS server, I use a NAS-ID of PEAP on my PEAP auth policy, and use NAS-ID of TLS on my TLS policy all on the same RADIUS server. This way, when a client authenticates to your PEAP SSID, the RADIUS auth request puts the NAS-ID field of PEAP in the request, and it will ONLY match on the RADIUS policy. You then configure the matching NAS-ID in the RADIUS server setup.

Hi guys,

Later yet... I've been trying to configure both types of authentition (PEAP and TLS), but neither is working yet. I issue the AAA test server with an user and it's successful, but the client doesnt join to the network, I dont have termination enabled in my dot1x profile and the conditions in the remote policies are the same as Howard posted (for PEAP), may you please post the screenshot  of the remote policy config and the client config, I'm really confused because all seems to be ok, I've read a lot of posts but I cant achieve this. 

Thanks in advance.

César

Please get EAP-PEAP working first and then layer in TLS when you have that working.  Have you seen the Microsoft Guides on the IAS and NPS server in the forums?

Im following your advise Colin, but the EAP-PEAP Auth is not working either, Im attaching the NPS configuration and the logs from "show log security" when I try to authenticate with an user. Please let me know what Im doing wrong to move forward to TLS authentication. Thanks in advance.

César

Attachment(s)

Show log security.txt   1 KB 1 version