Contributor I
Posts: 43
Registered: ‎06-28-2012

Server2008-R2/ Aruba 620/ RADIUS issues

Hey there,

I have a Dell server running 2008 R2 and I am trying to get it to act as a RADIUS auth server for the W-620 that I am slowly learning how to configure. I have tried to read as many posts about this as I can and have made some solid progress, but I am chasing a misconfiguration, and I would like some feedback to make sure I am not spending a lot of effort looking for the wrong solution.

I have configured the W-620 multiple times over and over to acquaint myself with what does what, and I got it to work using WPA2-PSK. That configuration was successful and clients were able to connect to the net servers and the internet through it.

I am now moving the next step closer to the final configuration and I want to use the more secure authentication method of linking the RADIUS function to the AD server. I have installed the NPS service and installed multiple RADIUS clients to, again, see what does what. I have had some success here: I am now able to use the AAA authentication diagnostics tool and am able to successfully authenticate. I have the IPs correct, shared secret good, etc.

However, here is where I am having errors: when I try and connect a computer to the wireless, it is unable to finalize the link. I choose the SSID I want to connect to, it prompts for the username and password, I enter my administrative credentials (part of the user group I specified in the NPS setup), and the computer sits there and processes it and then says it is "unable to connect".

In reading around, it seems that there are some tricks to getting this to work in 2008 R2, and ones concerning certificates in particular. In reading this post:

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Aruba-and-Windows-2008-NPS-issue/m-p/34609/highlight/true#M3312

I read that I need to have a new certificate, and one that is called "servername.domainname" and not "domainname-servername-CA". In finding the article referenced in that post, I found some instructions that are making my head spin a bit on how to add certs. I have accessed mmc and tried adding a new certificate, and the instructions say to select the "computer" certificate, but I don't have that option. I can see it as an unavailable option, but the only three I have are:

- Directory Email Replication
- Domain Controller
- Domain Controller Authentication

I made one using the Domain Controller Authentication cert, but it doesn't show up when I try and select certificates in the NPS wizard, and I am guessing that's because it's the wrong one.

So... am I barking up the right tree, or does this sound like some other issue that I have misconfigured? I have little experience in this level of administration, but I am the best this company can afford, so I'm giving it a go.

Thanks in advance for your help; this forum has been a serious boon in my quest to get this WLAN up and running this summer.

Dave

 

 

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Server2008-R2/ Aruba 620/ RADIUS issues

The certificate only needs the server authentication purpose. Domain Controller would work fine.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 43
Registered: ‎06-28-2012

Re: Server2008-R2/ Aruba 620/ RADIUS issues

I tracked down the errors in the server Event Viewer, and there were piles of errors: Event ID 13. It seems that the problem is server side and I have the controller configured correctly. MS TechNet mentions ensuring your client has a Fully Qualified Domain Name (FQDN), though it says IP should work just fine.

There is no need to register the controller in my Active Directory, correct? The IP address is all I should need?

Other than having the IP address reserved properly in my DHCP server, that is...

Thanks!

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Server2008-R2/ Aruba 620/ RADIUS issues

No need to register in DNS. Correct.

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 43
Registered: ‎06-28-2012

Re: Server2008-R2/ Aruba 620/ RADIUS issues

It would also seem that there are some issues out there relating to how Windows handles MSCHAPv2 authentication. When I run my AAA auth test from the W-620 controller, I get a series of events in the server event viewer that show that authentication is successful; however, when I try and access the wireless from a laptop, there is nothing reported in the event viewer, and it takes no time for the computer to fail the auth, like it's not trying... The Aruba controller has two RADIUS auth methods, MSCHAPv2 and PAP. I get all sorts of security warnings when I mess with PAP in Server 2008, as it's not encrypted. So that sounds like a bad idea, and MSCHAPv2 is all that's left. Is there a way to get the Aruba controller to use the PEAP that is available on the 2008 box, or even the smart cert option?

I'm sure MSCHAPv2 is fine, but it's also not working at the moment, surely because I'm missing something.

EDIT: I'm trying to connect from a W7 64-bit ASUS laptop.

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Server2008-R2/ Aruba 620/ RADIUS issues

First things first:

If you are using an NPS 2008 server, you need to look at Event Viewer > Custom Logs > NPS to see all NPS-related events.

The Aruba controller is just a passthrough that forwards RADIUS requests, so beyond configuring the IP address of the RADIUS server and the correct key, it does not get involved in whether you use MSCHAPv2 or PAP: that is configured specifically on the client and the RADIUS server.

Do not enable PAP, because your client will only use PAP when it is authenticating via Captive Portal, which is not the case here.

---------------------

What do you have configured on the client side settings?

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 43
Registered: ‎06-28-2012

Re: Server2008-R2/ Aruba 620/ RADIUS issues

On my 2008 server, I have the NPS service installed and the following settings:

RADIUS Clients:

Friendly Name: School-Wifi (is this critical nomenclature that needs to match up somewhere?)
IP Address: 10.0.10.254 (controller IP)
Dev Mfgr: RADIUS Standard
NAP-Capable: No
Status: enabled

Under my NPS Connection Request Policies I have Smart-Cert, MSCHAPv2, and PEAP policies all set up, and in that order. I enable and disable them, but I get the same results.

I have a usable certificate in place on the server.

In my NPS event viewer, when I test the AAA server from the controller, two log entries show:

Source: Microsoft Windows Security Auditing
Event ID: 6278
Task Category: Network Policy Server

and

Source: Microsoft Windows Security Auditing
Event ID: 6272
Task Category: Network Policy Server

If details on these would help, I will post more info.

--------------

ON THE CLIENT (Laptop)

I have the computer added in my primary OU in AD. It does not have a reserved IP for the WLAN in the DHCP server, but that shouldn't matter...

The laptop is added to the domain, and I am logging in using my administrative account.

When I select the SSID in the wireless network listings, it fails to connect immediately, though the first time I tried, it asked for a username and password, and never has since.

I have to manually add a wireless network profile to have access to any related settings.

I match the name to the SSID,
select WPA2 Enterprise AES.
When entered into the Wireless Network Properties [Security] tab, under "choose a network authentication method" I have Microsoft: Protected EAP selected.
In that settings dialogue it is using a secured password (EAP-MSCHAPv2).
It is set to validate the server certificate, and enabled to fast reconnect.
Under MSCHAPv2 settings it is set to "Automatically use my Windows logon name and password (and domain if any)".

** I think this is why it doesn't ask me for a username and password ** (?)

The only other settings would be up a few menus, in the advanced settings of the "Faculty Wireless Network Properties",
wherein lie two tabs: one for 802.1X settings, which is not selected to be modified, and I left alone;
the other is the 802.11 settings, and in the "fast roaming" box, "enable Pairwise Master Key (PMK) caching" is enabled,
with PMK TTL set to 720
and # of entries in PMK cache at 128.

That's all the info I can seem to muster on my Windows settings, client and server.

If this is a Windows Server config issue, should I try a TechNet forum? I will accept whatever help I get, but I hate to pester you guys with my poor understanding. Knowing where the problem exists is a great start, so thanks again for all the help.

You guys don't have a tip jar, do ya? :smileyhappy: Really though.

 

Guru Elite
Posts: 21,010
Registered: ‎03-29-2007

Re: Server2008-R2/ Aruba 620/ RADIUS issues

Log into the command line on the controller and type "show auth-tracebuf" to see the RADIUS back-and-forth.

Also, try unchecking "validate server certificate" on the client.

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 43
Registered: ‎06-28-2012

Re: Server2008-R2/ Aruba 620/ RADIUS issues

Here we go:

Jul 11 00:26:30  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  85  224
Jul 11 00:26:30  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  85  44
Jul 11 00:26:30  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          2   4     server rejected
Jul 11 00:26:30  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 00:26:30  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Jul 11 00:26:30  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 00:26:30  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 00:26:30  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 00:26:30  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 00:26:31  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Jul 11 00:26:31  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 00:26:31  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 00:26:31  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 00:26:31  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:00:23  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Jul 11 04:00:23  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:00:23  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:00:23  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:00:23  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:00:23  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          86  239
Jul 11 04:00:23  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:00:28  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  86  44
Jul 11 04:00:28  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
Jul 11 04:00:28  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:00:33  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:00:38  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:00:43  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:01:07  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Jul 11 04:01:07  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:01:07  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:01:07  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:01:07  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:01:07  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          87  239
Jul 11 04:01:07  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:01:07  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  87  44
Jul 11 04:01:07  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
Jul 11 04:01:07  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:01:12  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:01:17  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:01:22  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:01:49  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Jul 11 04:01:49  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:01:49  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:01:49  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:01:49  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:01:49  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          88  239
Jul 11 04:01:49  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:01:54  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  88  44
Jul 11 04:01:54  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
Jul 11 04:01:54  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:01:59  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:02:04  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:02:09  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:02:22  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Jul 11 04:02:22  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:02:22  eap-start             ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:02:22  eap-id-req            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   5
Jul 11 04:02:22  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:02:22  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          89  239
Jul 11 04:02:22  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:02:22  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  89  44
Jul 11 04:02:22  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
Jul 11 04:02:22  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:02:27  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:02:32  station-held           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -
Jul 11 04:02:37  station-down           *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -

 

 

 

 

--------

I'm wondering what we're looking at here; it looks like a log of my client "FFCHSTechMobile" trying to access the RADIUS server and being rejected, some standby in between, etc.

Is this correct?

This would tell me that the controller is passing the auth request along properly, but the server "Phoenix" is rejecting the request?
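An added example, not from the thread or from Aruba: a small Python parser for "show auth-tracebuf" output in the layout quoted above, which tallies per client how many RADIUS requests went out, which server answered and how, and which EAP identity the client sent, so the reading in the post (controller forwards, server "Phoenix" rejects) can be checked mechanically. It also flags a point a practitioner would read straight off this trace: an identity of the form host/... is the laptop's computer account, not a user account. The sample lines are constructed from the posted exchange; the column layout and the rad-accept event name are assumed from ArubaOS output.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of ArubaOS "show auth-tracebuf" output,
# modelled on the exchange quoted in the post above (MACs and names as posted).
SAMPLE_TRACEBUF = """\
Jul 11 04:00:23  station-up             *  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          -   -     wpa2 aes
Jul 11 04:00:23  eap-id-resp           ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   43    host/FFCHSTechMobile.fastforward.local
Jul 11 04:00:23  rad-req               ->  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          86  239
Jul 11 04:00:28  rad-reject            <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50/Phoenix  86  44
Jul 11 04:00:28  eap-failure           <-  00:25:d3:88:af:c0  d8:c7:c8:98:9c:50          1   4     server rejected
"""

# Columns: timestamp, event, direction, client MAC, BSSID ("/server" appended on RADIUS
# replies), id, length, then optional trailing text (identity or failure reason).
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\s+(?P<event>\S+)\s+(?:->|<-|\*)\s+"
    r"(?P<client>[0-9a-f:]{17})\s+(?P<bssid>\S+)\s+\S+\s+\S+(?:\s+(?P<info>.*\S))?\s*$"
)


def parse_tracebuf(text):
    """One dict per parseable line; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize(text):
    """Per-client tally of RADIUS requests and replies, identities sent, servers answering."""
    clients = defaultdict(lambda: {"identities": set(), "servers": set(), "rad_req": 0,
                                   "rad_reject": 0, "rad_accept": 0, "failures": []})
    for rec in parse_tracebuf(text):
        c, ev = clients[rec["client"]], rec["event"]
        if ev == "eap-id-resp" and rec["info"]:
            c["identities"].add(rec["info"])
        elif ev == "rad-req":
            c["rad_req"] += 1
        elif ev in ("rad-reject", "rad-accept"):  # rad-accept name assumed from ArubaOS
            c[ev.replace("-", "_")] += 1
            if "/" in rec["bssid"]:  # replies carry "bssid/servername"
                c["servers"].add(rec["bssid"].split("/", 1)[1])
        elif ev == "eap-failure":
            c["failures"].append(rec["info"] or "")
    return dict(clients)


def diagnose(summary):
    """Findings read off the tally: who is rejecting, and which kind of identity was sent."""
    findings = []
    for mac, c in summary.items():
        if c["rad_req"] and c["rad_reject"] == c["rad_req"]:
            findings.append(f"{mac}: all {c['rad_req']} RADIUS request(s) rejected by "
                            f"{', '.join(sorted(c['servers']))}; the controller forwards, the server decides")
        if any(i.startswith("host/") for i in c["identities"]):
            findings.append(f"{mac}: identity is a computer account (host/...), not a user account")
    return findings
```

Run diagnose(summarize(SAMPLE_TRACEBUF)) to get the two findings for the posted client; paste the full tracebuf in place of the sample to tally every attempt.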

Contributor I
Posts: 43
Registered: ‎06-28-2012

Re: Server2008-R2/ Aruba 620/ RADIUS issues

Changing the certificate validation didn't perceptibly do anything. It denies my connection instantaneously, so it's not even trying to negotiate the connection on the client.

I should have set up an XP unit to test as well; I have read reports of better results in pre-Vista settings, silly as that sounds.
