Security

Occasional Contributor II
Posts: 14
Registered: ‎08-03-2009

Restricting Authentication Type on SSID

Hi,

Aruba 620, AP105, ArubaOS 5.0.4.2.

I have two SSIDs, "USER" & "CERT". I want to restrict the USER SSID so that it will only authenticate PEAP-MSChapV2, and the CERT SSID so that only user certificates can be used. The dot1x profiles are configured as below:

aaa authentication dot1x "CERT-dot1x_prof"
termination eap-type eap-tls
!
aaa authentication dot1x "USER-dot1x_prof"
termination eap-type eap-peap
termination inner-eap-type eap-mschapv2

The issue is I can authenticate on either SSID using either authentication method.

What possible solutions are there to this issue?

Regards,

Nigel

Guru Elite
Posts: 21,484
Registered: ‎03-29-2007

Re: Restricting Authentication Type on SSID


Nigel,

The "termination" options are not in effect unless you enable the "termination" option in the 802.1x profile. With that being said, if you enable termination, you will have to upload a server certificate to the controller, for the controller to do EAP-TLS and/or EAP-PEAP. Please see how you would obtain and upload those certificates in the thread here: http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Question-about-the-802-1x-certificate/m-p/17954/highlight/true#M386

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 14
Registered: ‎08-03-2009

Re: Restricting Authentication Type on SSID

Hi,

I did not mention an important bit of information.

Authentication is being done by a W2k3 IAS server; everything is working perfectly except that either authentication method can be used on either SSID.

Does this alter the need for a server cert on the controller?

Regards,

Nigel

Guru Elite
Posts: 21,484
Registered: ‎03-29-2007

Re: Restricting Authentication Type on SSID

Okay, if it is being done on the server, forget the termination portion.

Here is the tricky part:

On the IAS server, do you have a single remote access policy that has both EAP types in it? (PEAP and Smartcard)

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 14
Registered: ‎08-03-2009

Re: Restricting Authentication Type on SSID

I have two policies: one for computer auth using PEAP-MSChapV2, the other doing user auth for PEAP-MSCHAPv2 and certificates.

I did have separate policies for user PEAP & cert auth, but this config would only allow one or the other to authenticate.

Regards,

Nigel

Guru Elite
Posts: 21,484
Registered: ‎03-29-2007

Re: Restricting Authentication Type on SSID

Yes. That is the biggest problem with this. For TLS are you issuing machine and user certificates?


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 14
Registered: ‎08-03-2009

Re: Restricting Authentication Type on SSID

Issuing User Certs

Guru Elite
Posts: 21,484
Registered: ‎03-29-2007

Re: Restricting Authentication Type on SSID

Okay. So unless you are using Termination on the Aruba controller, you cannot enforce the inner EAP type on an SSID.

Colin Joseph
Aruba Customer Engineering
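To make the point above concrete, here is an added illustration (not ArubaOS code, and not code from anyone in this thread) of what a controller that merely relays EAP between the client and the RADIUS server can observe. It parses the EAP header (RFC 3748) and the EAP-TLS/PEAP flags byte (RFC 5216) and shows that the outer method type (EAP-TLS vs. EAP-PEAP) is in cleartext, while the inner method of PEAP (MSCHAPv2, GTC, etc.) sits inside TLS application data that only the terminating party, here the IAS server, can decrypt. All packet bytes are constructed samples; the method names and helper functions are this example's own.

```python
"""What a pass-through 802.1X authenticator can and cannot see in an EAP exchange.

Added illustration for this thread (not ArubaOS code and not anyone's product
code): a controller that only relays EAP between the supplicant and the RADIUS
server sees the outer EAP method type in cleartext, but a tunnelled method such
as PEAP carries its inner EAP (MSCHAPv2, GTC, ...) as TLS application data that
only the RADIUS server can decrypt. Packet bytes below are constructed samples.
Field layouts follow RFC 3748 (EAP) and RFC 5216 (EAP-TLS flags byte).
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_NAMES = {
    1: "Identity",
    3: "Nak",
    6: "EAP-GTC",
    13: "EAP-TLS",
    25: "EAP-PEAP",
    26: "EAP-MSCHAPv2",
}
TUNNELLED_TYPES = {25}          # PEAP wraps an inner EAP method in TLS
TLS_RECORD_NAMES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}
FLAG_LENGTH_INCLUDED = 0x80     # L bit: a 4-byte TLS message length follows


def parse_eap(packet: bytes) -> dict:
    """Split one EAP packet into Code, Identifier, Length, Type and Type-Data."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} does not match {len(packet)} bytes")
    info = {"code": code, "id": ident, "type": None, "method": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        info["type"] = packet[4]
        info["method"] = EAP_TYPE_NAMES.get(packet[4], f"type-{packet[4]}")
        info["data"] = packet[5:]
    return info


def tls_record_name(data: bytes):
    """Name the TLS record content type at the start of a TLS payload, if any."""
    if len(data) < 5:
        return None
    return TLS_RECORD_NAMES.get(data[0])


def classify_response(packet: bytes) -> dict:
    """Describe what a relaying NAS learns from one EAP-Response.

    'outer' is always observable; 'inner_method' is None for non-tunnelled
    methods and the literal string 'hidden-in-tls-tunnel' for PEAP, because
    the inner conversation is inside encrypted TLS records.
    """
    info = parse_eap(packet)
    result = {"outer": info["method"], "tunnel_record": None, "inner_method": None}
    if info["code"] != EAP_RESPONSE or info["type"] not in (13, 25):
        return result
    flags, rest = info["data"][0], info["data"][1:]
    if flags & FLAG_LENGTH_INCLUDED:
        rest = rest[4:]  # skip the 4-byte TLS message length
    result["tunnel_record"] = tls_record_name(rest)
    if info["type"] in TUNNELLED_TYPES:
        result["peap_version"] = flags & 0x07   # low 3 bits carry the PEAP version
        result["inner_method"] = "hidden-in-tls-tunnel"
    return result


# --- constructed sample packets -------------------------------------------
def build_eap_response(ident: int, eap_type: int, type_data: bytes) -> bytes:
    """Code=2 (Response), Identifier, Length (header + type + data), Type, data."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(type_data), eap_type) + type_data


def tls_record(content_type: int, payload: bytes) -> bytes:
    """TLS 1.0 record header (type, version 3.1, length) followed by payload."""
    return struct.pack("!BBBH", content_type, 3, 1, len(payload)) + payload


IDENTITY_RESPONSE = build_eap_response(1, 1, b"nigel")
# EAP-TLS: flags=0, then a (constructed) TLS handshake record
TLS_RESPONSE = build_eap_response(2, 13, b"\x00" + tls_record(0x16, b"\x01" * 6))
# PEAPv1: flags=0x01, then TLS application data carrying the opaque inner EAP
PEAP_RESPONSE = build_eap_response(3, 25, b"\x01" + tls_record(0x17, b"\x8a" * 8))

if __name__ == "__main__":
    for pkt in (IDENTITY_RESPONSE, TLS_RESPONSE, PEAP_RESPONSE):
        print(classify_response(pkt))
```

Run stand-alone it prints one classification per sample packet. The practical reading is the one Colin gives: without termination the controller can at most tell EAP-TLS from PEAP, and whether a PEAP client used MSCHAPv2 or GTC inside the tunnel is a decision only the RADIUS server's policy can make.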

Occasional Contributor II
Posts: 14
Registered: ‎08-03-2009

Re: Restricting Authentication Type on SSID

Having a separate RADIUS server for each SSID (one allowing PEAP only, the other Smart Card & Cert) should provide the control I require.

The actual requirement is to control the access of the devices authenticated using certificates (iPads). I am unable to upgrade to ArubaOS V6 as there are too many 800 controllers in the network.

Are there any other methods that could be used to achieve the desired result?

Regards,

Nigel

Guru Elite
Posts: 21,484
Registered: ‎03-29-2007

Re: Restricting Authentication Type on SSID

There is one other option: EAP-GTC. Here is how you would do it:

1. Set up an LDAP server on the controller that connects to the same RADIUS server, but using LDAP. Test the server using AAA test server on the Diagnostics tab on the controller, to make sure it works.

2. Run the WLAN/LAN Wizard the way you normally would to create a wireless network, using the encryption you want, but choose "Select From Known Servers". Choose the LDAP server you just created and tested. You should see a message that says "EAP-type eap-peap/eap-gtc has been selected. To change the EAP-Type please use the advanced UI". Click on OK to continue setting it up until you are finished.

You would be left with a different WLAN that does EAP-PEAP but with a GTC inner-EAP type. You can remove the PEAP/mschap portion of the remote access policy on the RADIUS server, and then it will not allow PEAP devices on your first WLAN.

Colin Joseph
Aruba Customer Engineering
