Security

Reply
Aruba Employee
Posts: 3
Registered: ‎10-03-2013

Windows 7 and Windows 8 - 802.1x profiles...

I have a customer indicating that their Windows laptops (not sure what OS) used to automatically connect to their backed Windows Radius server via 802.1x (i.e. they would click on the secure SSID and it would prompt them for their username and password)

 

Sometime over the past few months, this changed and they now need to create a wireless network profile and un-check validate server cert and do not use their Windows logon credentials.  This is now a real pain.

 

I have not been able to check and see if this is Windows 7 and 8 only or if it also happened on Windows XP.  By the way, on IOS or OS/X all works normal and Apple prompts them to install an untrusted certificate.

 

Any ideas

Guru Elite
Posts: 7,839
Registered: ‎09-08-2010

Re: Windows 7 and Windows 8 - 802.1x profiles...

[ Edited ]

Are they getting an error when trying to connect without a profile? Unchecking validate server certificate is not a good idea. Did they change the PEAP certificate? If the profile is set to only trust a particular CA, then a new certificate signed by a different CA will cause the connection to fail. (This is by design for security reasons)

 

Are these domain joined computers? Windows will automatically use Windows credentials (which includes a realm ie DOMAIN\tim) when you first connect to an enterprise SSID.

 

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba Employee
Posts: 3
Registered: ‎10-03-2013

Re: Windows 7 and Windows 8 - 802.1x profiles...

They are not getting an error on the client side.  It just does not connect (Have to setup a Wireless Network profile manually)

 

These are domain computers

Guru Elite
Posts: 7,839
Registered: ‎09-08-2010

Re: Windows 7 and Windows 8 - 802.1x profiles...

[ Edited ]

Any logs for the connection attempt on the RADIUS server? Also, try show auth-tracebuf <macaddress> to see the EAP messages.

 

What is the root CA for the PEAP server certificate? Can you try turning back on validate cert and check the box for the appropriate root CA?

 

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Windows 7 and Windows 8 - 802.1x profiles...

To look at the auth-trace output, you need to put a user's mac address in user-debug mode:

 

(config)# logging level debugging user-debug <mac address>

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Windows 7 and Windows 8 - 802.1x profiles...

i saw this myself, what i found was that dutch windows versions dont connect automatically (well you click the SSID and it works) but english ones do.

 

were foreign versions involved for you also?

Search Airheads
Showing results for 
Search instead for 
Did you mean: