Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Server2008-R2/ Aruba 620/ RADIUS issues

  • 1.  Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 09, 2012 11:28 PM

    Hey there,

     

    I have a Dell Server running 2008R2 and I am trying to get it to act as a RADIUS Auth server for the W-620 that I am slowly learning how to configure. I have tried to read as many posts about this as I can and have made some solid progress, but I am chasing a misconfiguration, and I would like some feedback to make sure I am not spending a lot of effort looking for the wrong solution.

     

    I have configured the W-620 multiple times over and over to acquaint myself with what does what, and I got it to work using WPA2-PSK. That configuration was successful and clients were able to connect to the net servers and the internet through it.

     

    I am now moving the next step closer to the final configuration and I want to use the more secure authentication method of linking the RADIUS function to the AD server. I have installed the NPS service and installed multiple RADIUS clients to, again, see what does what. I have had some success here: I am now able to use the AAA authentication Diagnostics tool and am able to successfully authenticate. I have the IPs correct, shared secret good, etc...

     

    However, here is where I am having errors: when I try and connect a computer to the wireless, it is unable to finalize the link. I choose the SSID I want to connect to, it prompts for the username and password, I enter my administrative credentials (part of the user group I specified in the NPS setup), and the computer sits there and processes it and then says it is "unable to connect".

     

    In reading around, it seems that there are some tricks to getting this to work in 2008R2, and ones concerning certificates in particular. In reading this post:

     

    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Aruba-and-Windows-2008-NPS-issue/m-p/34609/highlight/true#M3312

     

    I read that I need to have a new certificate, one that is called "servername.domainname" and not "domainname-servername-CA". In finding the article referenced in that post, I found some instructions that are making my head spin a bit on how to add certs. I have accessed mmc and tried adding a new certificate, and the instructions say to select the "computer" certificate, but I don't have that option. I can see it as an unavailable option, but the only three I have are

    -Directory Email Replication

    -Domain Controller

    -Domain Controller Authentication

     

    I made one using the Domain Controller Authentication cert, but it doesn't show up when I try and select certificates in the NPS wizard, and I am guessing that's because it's the wrong one.

     

    So... am I barking up the right tree, or does this sound like some other issue that I have misconfigured? I have little experience in this level of administration, but I am the best this company can afford, so I'm giving it a go.

     

    Thanks in advance for your help, this forum has been a serious boon in my quest to get this WLAN up and running this summer.

    Dave

     

     



  • 2.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    EMPLOYEE
    Posted Jul 10, 2012 06:56 AM

    The certificate only needs the server authentication purpose.  Domain Controller would work fine.

     



  • 3.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 10, 2012 09:15 PM

    I tracked down the errors in the server Event Viewer, and there were piles of errors: Event ID 13. It seems that the problem is server side and I have the controller configured correctly. MS Technet mentions ensuring your client has a Fully Qualified Domain Name (FQDN), though it says IP should work just fine.

     

    There is no need to register the controller in my Active Directory, correct? IP address is all I should need?

    Other than having the IP Address reserved properly in my DHCP server that is...

     

    Thanks!



  • 4.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    EMPLOYEE
    Posted Jul 11, 2012 01:17 AM

    No need to register in DNS.  Correct.

     



  • 5.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 11, 2012 01:18 AM

    It would also seem that there are some issues out there relating to how Windows handles MSCHAPv2 authentication. When I run my AAA Auth test from the W-620 controller, I get a series of events in the server event viewer that show that authentication is successful; however, when I try and access the wireless from a laptop, there is nothing reported in event viewer, and it takes no time for the computer to fail the auth, like it's not trying... The Aruba controller has 2 RADIUS auth methods, MSCHAPv2 and PAP. I get all sorts of security warnings when I mess with PAP in Server 2008, as it's not encrypted. So that sounds like a bad idea, and MSCHAPv2 is all that's left. Is there a way to get the Aruba controller to use the PEAP that is available on the 2008 box, or even the smart cert option?


    I'm sure MSCHAPv2 is fine, but it's also not working at the moment, surely because I'm missing something.

     

     

    EDIT: I'm trying to connect from a W7 64-bit ASUS laptop.



  • 6.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    EMPLOYEE
    Posted Jul 11, 2012 01:24 AM

    First things first:

     

    If you are using an NPS 2008 server, you need to look at the Event Viewer> Custom Logs> NPS to see all NPS-related events.

     

    The Aruba Controller is just a passthrough that forwards RADIUS requests, so beyond configuring the IP address of the RADIUS server and the correct key, it does not get involved in whether you use MSCHAPv2 or PAP: that is configured specifically on the client and the RADIUS server.

     

    Do not enable PAP, because your client will only use PAP when it is authenticating via Captive Portal, which is not the case here.

     

    ---------------------

     

    What do you have configured on the client side settings?

     



  • 7.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 11, 2012 02:31 AM

    On my 2008 server, I have the NPS service installed and the following settings:

    Radius Clients-

    Friendly Name: School-Wifi           (is this critical nomenclature that needs to match up somewhere?)

    IP Address: 10.0.10.254                 (Controller IP)

    Dev Mfgr: RADIUS Standard

    NAP-Capable: NO

    Status: enabled

     

    Under my NPS Connection Request Policies I have Smart-Cert, MSCHAPv2, and PEAP policies all set up, and in that order. I enable and disable them, but I get the same results as I do.

     

    I have a usable certificate in place on the server.

     

    In my NPS event viewer, when I test AAA server from the controller, two log entries show:

     

    Source: Microsoft Windows Security Auditing

    Event ID: 6278

    Task Category: Network Policy Server

     

    and

     

    Source: Microsoft Windows Security Auditing

    Event ID: 6272

    Task Category: Network Policy Server

     

    If details on these would help, I will post more info.

     

    --------------

     

    ON THE CLIENT (Laptop)

     

    I have the computer added in my primary OU in AD. It does not have a reserved IP for the WLAN in the DHCP server, but that shouldn't matter...

     

    The laptop is added to the domain, and I am logging in using my administrative account.

     

    When I select the SSID in the wireless network listings, it fails to connect immediately, though the first time I tried, it asked for a username and password, and never has since.

     

    I have to manually add a wireless network profile to have access to any related settings.

    I match the name to the SSID,

    select WPA2 Enterprise AES.

    When entered into the Wireless Network properties [security] tab, under "choose a network authentication method" I have Microsoft: Protected EAP selected.

    In that settings dialogue it is using a Secured password (EAP-MSCHAPv2);

    it is set to validate server certificate, and enabled to fast reconnect.

    Under MSCHAPv2 Settings it is set to "Automatically use my Windows Logon name and password (and domain if any)".

     

    ** I think this is why it doesn't ask me for a username and password ** (?)

     

     

    The only other settings would be up a few menus, in the advanced settings of the "Faculty Wireless Network Properties",

    wherein lie two tabs: one for 802.1X settings, which is not selected to be modified, and I left alone;

    the other is the 802.11 settings, and in the "fast roaming" box, "enable Pairwise Master Key (PMK) caching" is enabled,

    with PMK TTL set to 720

    and # of entries in PMK cache at 128.

     

     

    That's all the info I can seem to muster on my Windows settings, client and server.

    If this is a Windows Server Config issue, should I try a Technet forum? I will accept whatever help I get, but I hate to pester you guys with my poor understanding. Knowing where the problem exists is a great start, so thanks again for all the help.

     

    You guys don't have a tip jar, do ya? :smileyhappy: Really though.

     



  • 8.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    EMPLOYEE
    Posted Jul 11, 2012 02:33 AM

    Log into the command line on the controller and type "show auth-tracebuf" to see the RADIUS back-and-forth.

     

    Also, try unchecking "validate server certificate" on the client.

     



  • 9.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 11, 2012 02:43 AM

    here we go:

     

    Jul 11 00:26:30  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  85  224
    Jul 11 00:26:30  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  85  44
    Jul 11 00:26:30  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          2   4     server rejected
    Jul 11 00:26:30  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 00:26:30  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
    Jul 11 00:26:30  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 00:26:30  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 00:26:30  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 00:26:30  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 00:26:31  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
    Jul 11 00:26:31  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 00:26:31  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 00:26:31  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 00:26:31  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:00:23  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
    Jul 11 04:00:23  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 04:00:23  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:00:23  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 04:00:23  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
    Jul 11 04:00:23  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          86  239
    Jul 11 04:00:23  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
    Jul 11 04:00:28  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  86  44
    Jul 11 04:00:28  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
    Jul 11 04:00:28  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:00:33  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:00:38  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:00:43  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:01:07  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
    Jul 11 04:01:07  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 04:01:07  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:01:07  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 04:01:07  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
    Jul 11 04:01:07  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          87  239
    Jul 11 04:01:07  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
    Jul 11 04:01:07  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  87  44
    Jul 11 04:01:07  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
    Jul 11 04:01:07  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:01:12  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:01:17  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:01:22  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:01:49  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
    Jul 11 04:01:49  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 04:01:49  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:01:49  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 04:01:49  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
    Jul 11 04:01:49  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          88  239
    Jul 11 04:01:49  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
    Jul 11 04:01:54  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  88  44
    Jul 11 04:01:54  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
    Jul 11 04:01:54  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:01:59  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:02:04  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:02:09  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:02:22  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
    Jul 11 04:02:22  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 04:02:22  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:02:22  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
    Jul 11 04:02:22  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
    Jul 11 04:02:22  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          89  239
    Jul 11 04:02:22  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
    Jul 11 04:02:22  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  89  44
    Jul 11 04:02:22  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
    Jul 11 04:02:22  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:02:27  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:02:32  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
    Jul 11 04:02:37  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -

     

     

     

     

    --------

     

    I'm wondering what we're looking at here; it looks like a log of my client "FFCHSTechMobile" trying to access the RADIUS server and being rejected, some standby in between, etc.

     

    Is this correct?

     

    This would tell me that the controller is passing the auth request along properly, but the server "Phoenix" is rejecting the request?
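The question above is really "which side of the exchange failed?", and the trace buffer answers it once you read it column by column. The following parser and triage summary is an added example written for this thread, not Aruba code: the column layout (timestamp, event, direction, station MAC, BSSID with an optional /server suffix, message id, length, free-text note) is inferred from the output posted above, the sample input is an excerpt of that same output, and the event names "rad-accept" and "rad-timeout" are assumed to exist alongside the "rad-req"/"rad-reject" actually seen here.

```python
import re
from collections import Counter

# Column layout inferred from the "show auth-tracebuf" output posted above.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<event>\S+)\s+"
    r"(?P<dir>->|<-|\*)\s+"
    r"(?P<station>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:/(?P<server>\S+))?\s+"
    r"(?P<id>\S+)\s+(?P<len>\S+)"
    r"(?:\s+(?P<note>.*\S))?\s*$"
)

# Sample input: an excerpt of the trace buffer posted in this thread.
SAMPLE_TRACE = """\
Jul 11 04:00:23  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Jul 11 04:00:23  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:00:23  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:00:23  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          86  239
Jul 11 04:00:28  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  86  44
Jul 11 04:00:28  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
Jul 11 04:00:33  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:00:43  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
"""

# What each verdict means for the person debugging; wording follows the
# advice given in this thread (the controller only forwards; reasons live
# in the NPS event log on the server).
NEXT_STEP = {
    "accepted": "RADIUS accepted; if the client still has no access, look at the role it landed in.",
    "server-rejected": "Controller forwarded the request and the server said no; read the reject reason in the NPS event log.",
    "no-server-response": "Requests left the controller but nothing came back; check server IP, reachability and shared secret.",
    "no-radius-exchange": "Client never produced an EAP identity; the problem is on the supplicant side.",
}


def parse_trace(text):
    """Return one dict per parseable line; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Per-station triage: identities offered, servers involved, event counts,
    and a verdict saying which hop failed."""
    out = {}
    for r in records:
        s = out.setdefault(r["station"], {"identities": set(), "servers": set(),
                                          "counts": Counter()})
        s["counts"][r["event"]] += 1
        if r["event"] == "eap-id-resp" and r["note"]:
            s["identities"].add(r["note"])   # identity the supplicant sent
        if r["server"]:
            s["servers"].add(r["server"])    # server named on rad-* lines
    for s in out.values():
        c = s["counts"]
        if c["rad-accept"]:                  # assumed event name
            s["verdict"] = "accepted"
        elif c["rad-req"] and c["rad-reject"]:
            s["verdict"] = "server-rejected"
        elif c["rad-req"]:
            s["verdict"] = "no-server-response"
        else:
            s["verdict"] = "no-radius-exchange"
        s["next_step"] = NEXT_STEP[s["verdict"]]
        s["identities"] = sorted(s["identities"])
        s["servers"] = sorted(s["servers"])
    return out


if __name__ == "__main__":
    for mac, s in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(mac, s["verdict"], s["identities"], s["servers"])
        print("  ", s["next_step"])
```

Run against the excerpt, the verdict for station 00:25:d3:88:af:c0 is "server-rejected" with server "Phoenix", which is exactly the reading the post proposes. The note column of the eap-id-resp line is also worth a look in its own right: it carries the identity the supplicant actually presented (here a host/ machine name), which is the value the NPS policy will be matching against, whatever credentials you expected it to send.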



  • 10.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 11, 2012 02:47 AM

    Changing the certificate validation didn't perceptibly do anything. It denies my connection instantaneously, so it's not even trying to negotiate the connection on the client.

     

    I should have set up an XP unit to test as well; I have read reports of better results in pre-Vista settings, silly as that sounds.



  • 11.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    EMPLOYEE
    Posted Jul 11, 2012 03:10 AM

    Okay. Your answer is in the event viewer on the server. What do the event viewer messages say?

     

    It should be under Event Viewer > Custom Logs > Network Policy Server...

     



  • 12.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 11, 2012 03:26 AM

    There is a plethora of these two events; these are all the latest logs.

     

     

    Event ID 6272

    -----------------------------------------------------------------------------------------------

     

    - System

      - Provider

       [ Name]  Microsoft-Windows-Security-Auditing
       [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
     
       EventID 6272
     
       Version 1
     
       Level 0
     
       Task 12552
     
       Opcode 0
     
       Keywords 0x8020000000000000
     
      - TimeCreated

       [ SystemTime]  2012-07-11T05:53:29.969646100Z
     
       EventRecordID 183434288
     
       Correlation
     
      - Execution

       [ ProcessID]  632
       [ ThreadID]  4328
     
       Channel Security
     
       Computer phoenix.fastforward.local
     
       Security
     

    - EventData

      SubjectUserSid S-1-5-21-1634652051-3778902028-2776777524-3329
      SubjectUserName davidadmin
      SubjectDomainName FASTFORWARD
      FullyQualifiedSubjectUserName FASTFORWARD\davidadmin
      SubjectMachineSID S-1-0-0
      SubjectMachineName -
      FullyQualifiedSubjectMachineName -
      MachineInventory -
      CalledStationID 000B8663AF50
      CallingStationID 000000000000
      NASIPv4Address 10.0.10.254
      NASIPv6Address -
      NASIdentifier -
      NASPortType Wireless - IEEE 802.11
      NASPort 0
      ClientName FFCHS-Wifi
      ClientIPAddress 10.0.10.254
      ProxyPolicyName MSCHAPv2-test
      NetworkPolicyName TEST-SmartCert
      AuthenticationProvider Windows
      AuthenticationServer phoenix.fastforward.local
      AuthenticationType MS-CHAPv2
      EAPType -
      AccountSessionIdentifier -
      QuarantineState Full Access
      QuarantineSessionIdentifier -
      LoggingResult Accounting information was written to the local log file.
    ---------------------------------------------------------------------------------------

     

    And the other one is

     

    Event ID 6278

    ------------------------------------------------------------------------------------------

    - System

      - Provider

       [ Name]  Microsoft-Windows-Security-Auditing
       [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
     
       EventID 6278
     
       Version 0
     
       Level 0
     
       Task 12552
     
       Opcode 0
     
       Keywords 0x8020000000000000
     
      - TimeCreated

       [ SystemTime]  2012-07-11T05:53:29.969646100Z
     
       EventRecordID 183434289
     
       Correlation
     
      - Execution

       [ ProcessID]  632
       [ ThreadID]  4328
     
       Channel Security
     
       Computer phoenix.fastforward.local
     
       Security
     

    - EventData

      SubjectUserSid S-1-5-21-1634652051-3778902028-2776777524-3329
      SubjectUserName davidadmin
      SubjectDomainName FASTFORWARD
      FullyQualifiedSubjectUserName FASTFORWARD\davidadmin
      SubjectMachineSID S-1-0-0
      SubjectMachineName -
      FullyQualifiedSubjectMachineName -
      MachineInventory -
      CalledStationID 000B8663AF50
      CallingStationID 000000000000
      NASIPv4Address 10.0.10.254
      NASIPv6Address -
      NASIdentifier -
      NASPortType Wireless - IEEE 802.11
      NASPort 0
      ClientName FFCHS-Wifi
      ClientIPAddress 10.0.10.254
      ProxyPolicyName MSCHAPv2-test
      NetworkPolicyName TEST-SmartCert
      AuthenticationProvider Windows
      AuthenticationServer phoenix.fastforward.local
      AuthenticationType MS-CHAPv2
      EAPType -
      AccountSessionIdentifier -
      QuarantineState Full Access
      ExtendedQuarantineState -
      QuarantineSessionID -
      QuarantineHelpURL -
      QuarantineSystemHealthResult -


    ---------------------------------------------------------------------------------------------

     



  • 13.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    EMPLOYEE
    Posted Jul 11, 2012 03:43 AM

    In the event viewer, are you looking at the Custom Logs > NPS part? Those seem like generic logs.

     

    Did you do an AAA test server from the controller using the username you are using now?

     

    In Your Network Policy, do you have Protected EAP added?  In protected EAP, when you click on Edit, do you see a server certificate on the NPS server?

     



  • 14.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 11, 2012 04:04 AM

    {Event Viewer.jpg}

     

    Here's a screenshot of where I am looking; the directories don't match exactly as you specify. In the Windows Logs directory, I don't see anything that screams NPS either.

     

    The AAA test server is using the same username as always, which is davidadmin

     

     

    {NPS.jpg}

     

    I labeled things as "testing", but at the bottom you can see that the setting is defined as Extensible Auth.....

     

     

     



  • 15.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    EMPLOYEE
    Posted Jul 11, 2012 04:16 AM

    Your policies should be configured in "Network Policies" NOT connection request policies...

     



  • 16.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 11, 2012 04:34 AM

    They are in both, but I'm not sure they are supposed to be there? That's just where the add wizard put them.

     

     

    Edit: added more useful picture



  • 17.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    EMPLOYEE
    Posted Jul 11, 2012 06:55 AM

    There should be an edit button on protected EAP.  Click on that to make sure that you see your server certificate:

     

    peap.png



  • 18.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 11, 2012 02:50 PM

    I had the NON-CA certificate selected.

     

    PEAP settings.JPG



  • 19.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 16, 2012 06:28 PM

    OK, so it seems to be some sort of DHCP misconfiguration; I tried it on a different computer and I was able to connect just fine. (Which is AWESOME, by the way.) It was good to go over the settings and I feel like things are making more sense.

     

    Thanks for all the help so far. No digital tip jar?

     

    A couple of questions remain:

     

    My server NPS is giving auth and accounting through two seemingly standard ports each (1812, 1645: auth) (1813, 1646: acctg).

    Not that I NEED to at this point, but is there a way to give the controller access to both ports? I am only able to specify one per service...

     

    The other question is: I have a computer connected now and it is going to what looks like a captive portal web page that is preventing me from accessing any websites. It simply says "web authentication is disabled. please contact the administrator for assistance."

    This is a W7 machine, and it is using my login credentials as the wireless credentials automatically, which is fantastic. Any idea what is going on here?



  • 20.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 16, 2012 06:50 PM

    The message you have: "web authentication is disabled. please contact the administrator for assistance."

     

    indicates that you are still in the pre-authenticated (aka "logon") style role.

     

    When you navigate to Monitoring/Clients, what role is displayed for your test user?

     

     



  • 21.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 16, 2012 06:54 PM

    The user role is "logon". Sooo, when I connected to the network, it didn't ask for a username and password, and I am assuming that it used the one I used to log on to the computer. Is this an incorrect assumption?

     

    I think the answer to my question is here in this post...

    http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Web-Authentication-Disabled/td-p/10596

    making adjustments....



  • 22.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 16, 2012 07:00 PM

    What does your AAA profile look like?

     

    e.g. what are the 'default role' settings?



  • 23.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 16, 2012 07:09 PM

    Yeah, the default role settings were all logon. I changed them all to authenticated and the wireless connection worked (!), so that's great. I have a rudimentary understanding of this concept, and would take any configuration insight you have. This network will be used by 20-30 teacher faculty; should I have their roles down-privileged for security reasons? What roles would be ideal for this type of user base?

     

    I will also need to configure a "student" access setting, and it's the students that I would be more concerned about mischievous behavior with...



  • 24.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 16, 2012 07:13 PM

    Ideally, you want a "server derivation rule" (configured under the Server Group screen) to evaluate what the RADIUS server sends back to the controller and trigger multiple roles (teacher vs. student) based on their authentication.

     

    In order to do that you have to have the controller configured to 'expect' certain fields/phrases from the RADIUS server and 'set role' based on those fields/phrases (group = teacher, memberof = student, etc.)
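The mechanism described in the two replies above (an ordered list of "if the server returned attribute X matching Y, set role Z" rules, with the AAA profile's default role as the fallback) can be modelled in a few lines, which makes the interaction between the rules and the default role concrete. The code below is an added illustration for this thread, not Aruba's configuration syntax or code: the rule fields and operators, the attribute names (Filter-Id and Class are standard RADIUS attributes, but which one NPS returns depends on how the network policy is built), the group strings and the role names are all assumed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DerivationRule:
    """One server derivation rule (illustrative model, not Aruba syntax)."""
    attribute: str   # RADIUS reply attribute to inspect, e.g. "Filter-Id"
    operator: str    # "equals", "contains" or "starts-with"
    value: str       # string to compare against (case-insensitive here)
    role: str        # role assigned when the rule matches


def _matches(operator, actual, expected):
    actual, expected = actual.lower(), expected.lower()
    if operator == "equals":
        return actual == expected
    if operator == "contains":
        return expected in actual
    if operator == "starts-with":
        return actual.startswith(expected)
    raise ValueError(f"unknown operator {operator!r}")


def derive_role(reply_attrs, rules, default_role):
    """Pick the role for an accepted user.

    reply_attrs:  attributes the RADIUS server returned in its Access-Accept,
                  as {name: [values]} (an attribute such as Class may repeat).
    rules:        ordered DerivationRule list; the first match wins.
    default_role: what the user gets when no rule matches, i.e. the AAA
                  profile's 802.1X default role discussed in this thread.
    """
    for rule in rules:
        for actual in reply_attrs.get(rule.attribute, []):
            if _matches(rule.operator, actual, rule.value):
                return rule.role
    return default_role


# Constructed rule set: group strings and role names are placeholders.
RULES = [
    DerivationRule("Filter-Id", "equals", "teacher", "teacher"),
    DerivationRule("Filter-Id", "equals", "student", "student"),
    DerivationRule("Class", "contains", "ou=faculty", "teacher"),
]

# Constructed sample replies, one per case worth checking.
SAMPLE_REPLIES = {
    "teacher-by-filter-id": {"Filter-Id": ["teacher"]},
    "student": {"Filter-Id": ["Student"]},          # case differs from the rule
    "teacher-by-class": {"Class": ["OU=Faculty,DC=example,DC=local"]},
    "no-group-attribute": {},                       # accepted, but no group hint sent
}


def derive_all(replies=SAMPLE_REPLIES, rules=RULES, default_role="authenticated"):
    """Apply the rule set to every sample reply; returns {case: role}."""
    return {name: derive_role(attrs, rules, default_role)
            for name, attrs in replies.items()}


if __name__ == "__main__":
    for case, role in derive_all().items():
        print(f"{case:22s} -> {role}")
```

The "no-group-attribute" case is the one to keep in mind when choosing the default role: any user the server accepts without returning the expected attribute lands there, so the default should be the least-privileged role that still works for the expected users, with the student-specific restrictions expressed as a rule that fires on something the server actually sends rather than on the absence of a teacher match.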



  • 25.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 16, 2012 07:41 PM

    Excellent, thanks for the input. Looks like I have some reading to do now. I am sure I will be back here with some questions soon enough. Thanks again.



  • 26.  RE: Server2008-R2/ Aruba 620/ RADIUS issues

    Posted Jul 17, 2012 07:21 PM

    http://community.arubanetworks.com/t5/Authentication-and-Access/User-Derivation-rules/td-p/37014

     

    This thread seems to be an excellent breakdown of what you are suggesting to implement. I have a couple of questions about how to approach this from the MS side so I don't go mucking up what's working already.

     

    In my NPS I have [clients and servers], which would be my controller, which is already configured properly (because it's working) and should require no adjustment. (?)

     

    Then I have [policies], which includes network policies, which is where I would define the levels of access in Server 2008 to coordinate with the wireless RADIUS auth?

     

    NPS_network pol.JPG

     

    So under this section, I have the PEAP testing policy, which grants full access to my /Faculty group... This is where I would define the access policies for each AD group?