Contributor I
Posts: 68
Registered: 07-16-2012

Windows 7 802.1x Auth via Wired port on RAP-2WG


Hi,

 

I'm trying to set up a RAP-2WG so that we can use the e0/1 port for wired access on our LAN.

 

I have successfully configured the relevant profiles so that this can be done without an AAA Profile.

 

I now want to get the client to authenticate itself before any access is allowed. And this is where I'm having the problems.

 

We're using Microsoft NPS for the RADIUS server. It's the same server that authenticates our wireless users.

 

I've setup a new Connection Request Policy and a Network Policy.

 

The Connection Policy has a condition of NAS Port Type - VPN or Ethernet.

 

The Network Policy has a condition of NAS Port Type - VPN or Ethernet and Windows Groups - Domain user or Domain computers.

 

Authentication method is Microsoft PEAP with EAP or MS-CHAP v2.

 

I have set up the profiles for AAA. I have an AAA profile called "Wired" and in that I have an 802.1x profile called "Wired" along with the 802.1x server group named "Wired".

 

The server group has the server "Wired" which points to the IP of the NPS server.

 

The 802.1x profile is pretty much default, only I have set termination parameters to enabled and selected eap-peap and eap-mschapv2. (If this isn't selected then the NPS server doesn't even see the requests.)

 

I have then assigned the AAA profile to the ethernet interface port 1 configuration in the AP group that the RAP is located in.

 

My client always fails to authenticate. The client is set to PEAP, remember credentials, EAP-MSCHAPv2, enable fast reconnect, and "automatically use Windows logon" is ticked, if any. In advanced, computer authentication is specified.

 

This is the output from the Aruba controller, and the debug below that.


Aug 22 11:12:57  station-up             *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   open system
Aug 22 11:12:57  station-up             *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   wired station
Aug 22 11:12:57  station-term-start     *  2c:76:8a:db:65:10  01:80:c2:00:00:03        101  -
Aug 22 11:12:57  eap-term-start        ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 11:12:57  station-term-start     *  2c:76:8a:db:65:10  01:80:c2:00:00:03        101  -
Aug 22 11:13:02  client-finish         ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 11:13:02  server-finish         <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 11:13:02  server-finish-ack     ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 11:13:02  inner-eap-id-req      <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 11:13:02  inner-eap-id-resp     ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -   host/LT19515.*****************
Aug 22 11:13:02  eap-mschap-chlg       <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
Aug 22 11:13:02  eap-mschap-response   ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  9    49
Aug 22 11:13:02  mschap-request        ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  9    -   host/LT19515.*****************
Aug 22 11:13:02  mschap-response       <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -   host/LT19515.*****************
Aug 22 11:13:02  eap-mschap-chlg-retry <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -

 

Aug 22 11:12:57 :522035:  <INFO> |authmgr|  MAC=2c:76:8a:db:65:10 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/aVLAN=101 AP-name=Bayman_BCH
Aug 22 11:13:02 :522042:  <NOTI> |authmgr|  User Authentication Failed: username=host/LT19515.******************** MAC=2c:76:8a:db:65:10 IP=0.0.0.0 auth method=802.1x auth server=Wired

 

Any help is appreciated. I have been severely banging my head against a wall. (The stars in the output have been inserted in place of my domain.)

 

Thanks

Ian

Frequent Contributor II
Posts: 113
Registered: 11-27-2012

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Check the event log on your NPS server.

You should have a message there telling you why the user was denied access.

-----------------------------------
-ACMX #352-
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Contributor I
Posts: 68
Registered: 07-16-2012

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG


Yes I do, it just says "An Error occurred during logon".

 

Normally I would see "bad username or password" for failures (to my knowledge).

Guru Elite
Posts: 20,585
Registered: 03-29-2007

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG


Broaders wrote:

Yes I do, it just says "An Error occurred during logon".

 

Normally I would see "bad username or password" for failures (to my knowledge).


You cannot do EAP-Termination with Machine Authentication:

 

Aug 22 11:12:57  station-term-start     *  2c:76:8a:db:65:10  01:80:c2:00:00:03        101  -

 

To make this work you should change the laptop's wired advanced 802.1x to user-only authentication, OR disable termination on the controller and have the NPS server do the EAP (certificate) function.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
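As an added example (not from this thread, Aruba or Microsoft), a small Python script that parses "show auth-tracebuf" lines like the ones posted above and flags the combination the answer describes: controller-side termination events together with a "host/" inner identity, i.e. machine authentication. The event names are those from the posted output; the sample lines and the placeholder domain are constructed, and the field layout is assumed from the posted lines.

```python
import re
from collections import defaultdict

# One 'show auth-tracebuf' line, as laid out in the posted output: timestamp, event,
# direction, client MAC, BSSID[/server], VLAN, a second column, optional trailing field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<event>\S+)\s+(?P<dir>\*|->|<-)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<bssid>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?:/(?P<server>\S+))?\s+"
    r"(?P<vlan>\S+)\s+(?P<col>\S+)(?:\s+(?P<extra>.*\S))?\s*$"
)
TERM_EVENTS = {"station-term-start", "eap-term-start"}  # EAP terminated on the controller

def parse_tracebuf(text):
    """Return a dict per line that matches LINE_RE; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def diagnose(text):
    """Per client MAC: was EAP terminated on the controller, which inner identity
    was presented, and does that identity look like machine (host/) auth?"""
    per_mac = defaultdict(lambda: {"terminated": False, "identity": None, "server": None})
    for r in parse_tracebuf(text):
        st = per_mac[r["mac"]]
        if r["event"] in TERM_EVENTS:
            st["terminated"] = True
        if r["server"]:
            st["server"] = r["server"]
        if r["event"] == "inner-eap-id-resp" and r["extra"]:
            st["identity"] = r["extra"]
    for st in per_mac.values():
        st["machine_auth"] = bool(st["identity"] and st["identity"].startswith("host/"))
        # The combination the answer above says will not work.
        st["term_with_machine_auth"] = st["terminated"] and st["machine_auth"]
    return dict(per_mac)

# Constructed sample patterned on the posted output (domain replaced with a placeholder).
SAMPLE = """\
Aug 22 11:12:57  station-up             *  2c:76:8a:db:65:10  01:80:c2:00:00:03        -    -   wired station
Aug 22 11:12:57  station-term-start     *  2c:76:8a:db:65:10  01:80:c2:00:00:03        101  -
Aug 22 11:13:02  inner-eap-id-resp     ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -   host/LT19515.example.test
Aug 22 11:13:02  eap-mschap-chlg-retry <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  -    -
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```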

Contributor I
Posts: 68
Registered: 07-16-2012

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Hmm, I did read this. Am I right in thinking that for wireless authentication, EAP does not terminate on the controller?

 

Because we use machine auth for the wireless connectivity.

 

I can't use user authentication because I need the PC to be able to authenticate before the logon request (before entering user credentials to log on).

 

A user cannot log on without this. Would this mean then that the certificate way would work for machine auth?

Guru Elite
Posts: 20,585
Registered: 03-29-2007

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG


Broaders wrote:

Hmm, I did read this. Am I right in thinking that for wireless authentication, EAP does not terminate on the controller?

 

Because we use machine auth for the wireless connectivity.

 

I can't use user authentication because I need the PC to be able to authenticate before the logon request (before entering user credentials to log on).

 

A user cannot log on without this. Would this mean then that the certificate way would work for machine auth?


Sir,

 

Based on your auth-tracebuf output, there is the "Term" parameter, which means that you have Termination on in the 802.1x profile being used for the wired port. See if forcing that wired port to user authentication only shows whether that is your problem. You could be using an 802.1x profile on the controller for wireless that does NOT use termination and a different 802.1x profile for wired that DOES use termination, and THAT could be breaking your authentication.

 

Just as a test, please force the wired 802.1x to use only user authentication in the advanced profile on the laptop to see if that is your issue.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 68
Registered: 07-16-2012

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Hi!

 

Yes you are correct. The wireless 802.1x profile does not use the Termination function.

 

I have a separate 802.1x profile for the wired access. I HAVE to enable Termination in order for the NPS server to see the requests.

 

When I specify user authentication on the laptop it does work. I can also see the successful authentication log on the NPS server.

 

However, this doesn't help me when I have a laptop at the ctrl-alt-del prompt and I am then trying to log on.

 

Hmm, is it possible to change the initial role (pre-authentication) to allow the authentication to happen when entering credentials at the prompt?

Guru Elite
Posts: 20,585
Registered: 03-29-2007

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Why do you have to enable Termination for the wired 802.1x profile? What happens when you disable it? It should work very similarly to the wireless...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 68
Registered: 07-16-2012

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG


If Termination is not enabled, the NPS server does not receive any requests for authentication.

Guru Elite
Posts: 20,585
Registered: 03-29-2007

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

As a test:

 

- Disable Termination on that 802.1x profile for wired.

- In the AAA profile for the wired port, make the initial role something like "Authenticated".

- Unplug, then plug in, the wired port of the laptop.

- Paste in the output of "show auth-tracebuf" to see what is going on with that wired authentication.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
