Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Windows Machines will not connect!!!

  • 1.  Windows Machines will not connect!!!

    Posted Jan 23, 2013 04:55 PM

    I work for a school district and manage our network. We have Aruba brand mobility controllers and access points at each of our sites. We have 802.1x authentication set up and authentication takes place via our LDAP service on our Apple Server. Pretty much all of our clients are Apple computers and they all connect just fine to our network. They choose the network, it asks for credentials and they are online. However, I cannot get any Windows machine to connect. I do the same procedure, choose the network, it asks for credentials, put in the same thing I would put in for the Apple machines but then it just keeps asking for credentials until it finally tells me it cannot connect. I have tested this with multiple machines using both Windows XP and 7, both Professional. Any tips would be greatly appreciated for our few Windows users who have been tethered to the wall for too long.



  • 2.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 23, 2013 05:31 PM

    Are you using EAP-GTC to connect your Apple devices?  You need to install an EAP-GTC supplicant on your Windows devices as well.

     

    http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Can-I-make-the-802-1x-authentication-Via-LDAP-server/td-p/17610



  • 3.  RE: Windows Machines will not connect!!!

    Posted Jan 25, 2013 02:50 AM

    Windows machines require you to manually configure the supplicant for the appropriate 802.1x settings. You'll have to set the EAP type, encryption, install the certificate (or, uncheck "Validate Certificate"), and possibly some other items.

     

    Large Windows deployments usually do this via group policy so it's automated; perhaps that's what you're overlooking. Macs deal with 802.1x much more elegantly than Windows does.



  • 4.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 03:33 PM

    Thank you for the tips. However I am still having issues. I have installed the plug in that is available on Aruba's support site. I walk through all the steps they document in their instructions sheet for manually setting up with the wireless settings. 

    - Set SSID and Security type (WPA2 / AES)

    - Under Security settings made sure authentication method is set to Microsoft: Protected EAP

    - Under PEAP settings, changed authentication mode to EAP-Token

    - Immediately after saving settings, I am asked to provide additional information, my credentials

    - I have entered various credentials including my own

    After all this it just says Windows was unable to connect to my ssid.

    One thing I am noticing is that it is also asking for the logon domain. I am not sure what domain it is looking for. As I mentioned previously we are using all Apple servers. My Kerberos Realm is main.losd.ca. I am not sure if that is what it wants. I've tried it anyway and no go.

     

    So, any other tips?



  • 5.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 03:36 PM

    1.  Do you have an LDAP server setup in the controller?

    2. Can you test it under Diagnostics> AAA Test Server with a valid username/password?  You cannot proceed unless you get a positive result.

    3.  Is that LDAP server in a server group?

    4.  Is that Server Group in the AAA profile under the Virtual AP you want to test?

    5.  Do you have Termination Enabled in the 802.1x profile along with EAP-PEAP, MsChapV2?

     



  • 6.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 05:20 PM

    1.  Do you have an LDAP server setup in the controller?

     

    - Yes, see Diagram 01

     

    2. Can you test it under Diagnostics> AAA Test Server with a valid username/password?  You cannot proceed unless you get a positive result.

     

    - Yes, see Diagram 02

     

    3.  Is that LDAP server in a server group?

     

    - Yes, See Diagram 03

     

    4.  Is that Server Group in the AAA profile under the Virtual AP you want to test?

     

    - Yes, See diagram 04

     

    5.  Do you have Termination Enabled in the 802.1x profile along with EAP-PEAP, MsChapV2?

     

    - Yes, See diagram 05

     

    Let me know what you think.



  • 7.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 05:22 PM

    The last thing I would do is uncheck "Validate Server Certificate" to see if the issue is your clients not trusting the Aruba Controller's built-in Certificate.

     

     

    You have the important points taken care of.  Please open a support case so they can obtain more details and get you help with this.

     



  • 8.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 05:29 PM

    Unfortunately our support contract ran out and my district can not afford to renew. So that is why I have gone straight to the forums.



  • 9.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 05:28 PM

    Also, as mentioned before, this is and has been working just fine with Apple clients. It is only Windows clients that have the problem.



  • 10.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 05:31 PM
    It works seamlessly on Apple clients because they have built-in EAP-GTC client support, so it is relatively easy for them to connect to most networks. To have Windows devices connect to a non-Windows network is not easy. Since you are connecting via LDAP, what is your back end LDAP server?


  • 11.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 05:34 PM

    It is an Apple XServe running OSX Server 10.6.8, no SSL.



  • 12.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 05:38 PM

    Okay.

     

    Uncheck Validate Server Certificate under the PEAP settings of the Windows client and see if it connects.

     



  • 13.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 05:41 PM

    Bummer, tried that, and no go, still can not connect.



  • 14.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 05:42 PM
    Delete the whole profile and recreate it with Validate Server certificate unchecked.


  • 15.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 05:48 PM

    That is what I tried. It didn't go through. I am still wondering about the logon domain it is requesting. Is that even necessary to have filled out?



  • 16.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 05:49 PM
    Just try plain username and password.


  • 17.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 05:54 PM

    Blast, no go. It's almost like it doesn't even try to authenticate. It takes less than a second for it to deny the credentials and says it can not connect. 



  • 18.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 05:57 PM

    On the command line of the Aruba controller, type "show auth-tracebuf" so that you can see the radius traffic.

     



  • 19.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 06:07 PM

    Pardon my ignorance on this one but do you mean that there is a command line feature in the web interface or do you want me to ssh into the controller?



  • 20.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 06:08 PM

    ssh.



  • 21.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 06:15 PM

    Will this be a problem?

     

    (GA-1-MDF-WC1) >en
    Password:**********
    Password:********
    (GA-1-MDF-WC1) #show auth-tracebuf

    Warning: user-debug is enabled on one or more specific MAC addresses;
    only those MAC addresses appear in the trace buffer.

    Auth Trace Buffer
    -----------------

    (GA-1-MDF-WC1) #



  • 22.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 06:17 PM

    No.

     

    Just add the device that you are testing to the debug:

     

    config t

    logging level debugging user-debug <wireless mac address of device>

     

    Then, try to run through a failed authentication again, then run the "show auth-tracebuf" command.

     



  • 23.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 06:24 PM

    This is what I get. What do you think?

     

    Auth Trace Buffer
    -----------------


    Jan 28 15:22:15 station-up * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 - - wpa2 aes
    Jan 28 15:22:15 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:22:15 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39/LDAP - -
    Jan 28 15:22:15 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:22:25 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39/LDAP - -
    Jan 28 15:22:25 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -

    (GA-1-MDF-WC1) #



  • 24.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 06:26 PM

    Do try to connect more than once.  That looks pretty short.  Do you have the Encryption Matched properly to the SSID?

     



  • 25.  RE: Windows Machines will not connect!!!

    Posted Jan 28, 2013 06:34 PM

    I completely deleted the profile and started over again. I tried to connect 3 times. Once without providing a logon domain, only credentials, then 2 more times with different variations of what domain I think it could be. I have the encryption set as AES, see Diagram 06.

     

    Jan 28 15:22:15 station-up * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 - - wpa2 aes
    Jan 28 15:22:15 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:22:15 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39/LDAP - -
    Jan 28 15:22:15 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:22:25 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39/LDAP - -
    Jan 28 15:22:25 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:24:16 station-down * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 - -
    Jan 28 15:24:19 station-up * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 - - wpa2 aes
    Jan 28 15:24:19 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:24:19 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39/LDAP - -
    Jan 28 15:24:19 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:24:19 station-down * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 - -
    Jan 28 15:28:26 station-up * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 - - wpa2 aes
    Jan 28 15:28:26 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 620 -
    Jan 28 15:28:26 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31/LDAP - -
    Jan 28 15:28:26 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 620 -
    Jan 28 15:28:39 station-down * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 - -
    Jan 28 15:28:42 station-up * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 - - wpa2 aes
    Jan 28 15:28:42 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 620 -
    Jan 28 15:28:42 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31/LDAP - -
    Jan 28 15:28:42 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 620 -
    Jan 28 15:28:51 station-down * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 - -
    Jan 28 15:28:58 station-up * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 - - wpa2 aes
    Jan 28 15:28:58 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:28:59 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39/LDAP - -
    Jan 28 15:28:59 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 620 -
    Jan 28 15:29:10 station-down * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:39 - -
    Jan 28 15:29:13 station-up * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 - - wpa2 aes
    Jan 28 15:29:13 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 620 -
    Jan 28 15:29:13 eap-term-start -> 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31/LDAP - -
    Jan 28 15:29:13 station-term-start * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 620 -
    Jan 28 15:29:24 station-down * 20:c9:d0:e3:f8:17 00:24:6c:13:7b:31 - -
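
A way to summarize a trace like the one posted above, as an added example that is not part of the original thread or Aruba's tooling: it groups `show auth-tracebuf` lines into per-station attempts and flags attempts that contain only the start events seen in the posted trace. The column layout is assumed from the posted output; the MAC addresses and the `other-event` name in the sample are constructed placeholders.

```python
import re
from datetime import datetime
# Column layout as in the trace posted above:
# time, event, direction, station MAC, BSSID[/server], remaining fields.
LINE = re.compile(r"^\s*(\w{3} +\d+ [\d:]{8}) (\S+) +(\S+) +"
                  r"([0-9a-f:]{17}) +([0-9a-f:]{17})(?:/(\S+))?")
# The only events the failing Windows client produced in the thread.
START_ONLY = {"station-up", "station-term-start", "eap-term-start", "station-down"}

# Constructed sample: MAC addresses are made up, and "other-event" is a
# placeholder for any later-stage event, not a real ArubaOS event name.
SAMPLE = """\
Jan 28 15:24:19 station-up * 02:00:00:00:00:01 02:00:00:00:aa:39 - - wpa2 aes
Jan 28 15:24:19 station-term-start * 02:00:00:00:00:01 02:00:00:00:aa:39 620 -
Jan 28 15:24:19 eap-term-start -> 02:00:00:00:00:01 02:00:00:00:aa:39/LDAP - -
Jan 28 15:24:29 eap-term-start -> 02:00:00:00:00:01 02:00:00:00:aa:39/LDAP - -
Jan 28 15:24:40 station-down * 02:00:00:00:00:01 02:00:00:00:aa:39 - -
Jan 28 15:30:02 station-up * 02:00:00:00:00:02 02:00:00:00:aa:31 - - wpa2 aes
Jan 28 15:30:02 station-term-start * 02:00:00:00:00:02 02:00:00:00:aa:31 620 -
Jan 28 15:30:02 eap-term-start -> 02:00:00:00:00:02 02:00:00:00:aa:31/LDAP - -
Jan 28 15:30:03 other-event <- 02:00:00:00:00:02 02:00:00:00:aa:31/LDAP - -
"""

def attempts(trace):
    """Split the trace into per-station attempts; mark start-only ones stalled."""
    out, open_ = [], {}
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # banner, prompt or blank line
        ts, event, _direction, sta, bssid, server = m.groups()
        when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")  # year assumed
        if event == "station-up" or sta not in open_:
            open_[sta] = {"station": sta, "bssid": bssid, "server": None,
                          "first": when, "last": when, "events": []}
            out.append(open_[sta])
        a = open_[sta]
        a["events"].append(event)
        a["last"] = when
        a["server"] = server or a["server"]
    for a in out:
        a["seconds"] = int((a["last"] - a["first"]).total_seconds())
        a["eap_starts"] = a["events"].count("eap-term-start")
        a["stalled"] = set(a["events"]) <= START_ONLY
    return out

if __name__ == "__main__":
    for a in attempts(SAMPLE):
        print(a["station"], a["bssid"], a["server"], a["seconds"], a["eap_starts"], a["stalled"])
```

An attempt reported as stalled with repeated `eap-term-start` entries matches the pattern in the posted trace, where every attempt ends in `station-down` with no other event recorded.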



  • 26.  RE: Windows Machines will not connect!!!

    EMPLOYEE
    Posted Jan 28, 2013 06:41 PM

    So you are attempting to connect to the WLAN that your Apple Clients are already using, correct?

     



  • 27.  RE: Windows Machines will not connect!!!

    Posted Jan 29, 2013 03:43 PM

    And also, can you share the screenshot or configuration from the client end about the EAP authentication method?

     

     



  • 28.  RE: Windows Machines will not connect!!!
    Best Answer

    EMPLOYEE
    Posted Jan 29, 2013 03:46 PM

    Shaberesha,

     

    The user uninstalled the GTC client, rebooted, reinstalled and then it worked.