
IAW LAB5 - RADIUS

  • 1.  IAW LAB5 - RADIUS

    Posted Nov 30, 2013 12:44 PM

    Hi All;

     

    What is the default RADIUS Configuration made in the RADIUS Server, to accomplish the LAB05 (Authentication) in the IAW Course?

     

    I'm installing a new Windows Server, and I already installed AD, Certification Services and IAS. In IAS, I created RADIUS clients for all Controllers used in my training. What is the next step?

     

    Best Regards

     

    Valter Junior



  • 2.  RE: IAW LAB5 - RADIUS

    Posted Dec 16, 2013 10:16 PM

    Have you done the return-attribute (e.g. Class-id) and pre-shared keys?



  • 3.  RE: IAW LAB5 - RADIUS

    Posted Dec 17, 2013 06:53 AM

    Hi msaw, thanks for your answer.

     

    No, I didn't. 



  • 4.  RE: IAW LAB5 - RADIUS

    Posted Dec 18, 2013 08:44 AM

    I created my Remote Policy to allow access to wireless users, created a test user in AD with dial-in privileges, configured my Windows 7 clients and imported the server certificate, but I can't authenticate. In the W2K3 logs, I receive Reason Code 16:

     

    User arubalab\test was denied access.
    Fully-Qualified-User-Name = arubalab.com/Users/Test RADIUS
    NAS-IP-Address = 10.1.130.100
    NAS-Identifier = 10.1.130.100
    Called-Station-Identifier = 000B866D20B8
    Calling-Station-Identifier = 6466B30DAEE8
    Client-Friendly-Name = Controller13
    Client-IP-Address = 10.1.130.100
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 0
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Lab06 - Authentication
    Authentication-Type = PEAP
    EAP-Type = <undetermined>
    Reason-Code = 16
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.

     

    Can anyone help me?

     

    Best Regards.

     



  • 5.  RE: IAW LAB5 - RADIUS

    Posted Dec 18, 2013 11:52 AM

    This problem was solved by disabling "Validate Server Certificate" in Windows 7.

     

    Now, in the next lab (AAA-FastConnect), when I enable EAP Termination with PEAP and MSCHAPv2, I cannot log in with my credentials. RADIUS Reason Code 66:

     

    User test was denied access.
    Fully-Qualified-User-Name = arubalab.com/Users/Test RADIUS
    NAS-IP-Address = 10.1.130.100
    NAS-Identifier = <not present>
    Called-Station-Identifier = 000B866D20B8
    Calling-Station-Identifier = 6466B30DAEE8
    Client-Friendly-Name = Controller13
    Client-IP-Address = 10.1.130.100
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 0
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Lab06 - Authentication
    Authentication-Type = MS-CHAPv2
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

     

    Help, please.

     

    Best Regards

     



  • 6.  RE: IAW LAB5 - RADIUS

    Posted Jan 17, 2014 07:47 PM
    On the controller where you select termination in the 802.1X AAA profile, did you select both PEAP for the outer method and MSCHAP for the inner? Both have to be checked.
    The problem with your earlier certificate issue: you ALWAYS validate the server cert, but the Windows cert you downloaded was not from a true CA, so Microsoft put it into your intermediate certificate. It is a Windows 7 (Vista too) security feature. If you re-download the certificate and manually specify where to place it, put it in the Trusted Root Certificate Authority folder. Then when you set up the profile for wireless, you go into the PEAP settings and make sure Validate server certificate is checked, and then in the list select the checkbox next to the certificate you installed. This is mandatory, as it protects you from connecting to a man-in-the-middle attack.
    Also, when you do this and then enable termination, the client won't connect. That is because the client is using the Windows cert, but the controller is using securelogin.arubanetworks.com (the default one from the Aruba OS). You will then be prompted by Windows that it can't verify the integrity of the server certificate. Do you want to connect?
    This is that protection. That server cert doesn't match what you are expecting. You have to override it. The way to fix this in real life would be to load the server cert to the Aruba controller, where the client would be receiving the proper certificate. And this time it would just authenticate (no errors).
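
Added example, not part of any post in this thread: a small Python parser for the two IAS denial events quoted in posts 4 and 5, which diffs them to show what the RADIUS server saw differently once EAP termination was enabled on the controller. The function names are illustrative, and the two events are copied from the thread with some attributes omitted.

```python
import re

# Denial events copied from posts 4 and 5 (a subset of the attributes).
EVENT_PEAP = """\
User arubalab\\test was denied access.
NAS-Identifier = 10.1.130.100
Client-Friendly-Name = Controller13
Policy-Name = Lab06 - Authentication
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""
EVENT_TERMINATED = """\
User test was denied access.
NAS-Identifier = <not present>
Client-Friendly-Name = Controller13
Policy-Name = Lab06 - Authentication
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z-]*?)\s*=\s*(.*?)\s*$")
USER = re.compile(r"^\s*User (\S+) was denied access\.")

def parse_event(text):
    """Turn one IAS denial event into a dict of attribute -> value."""
    event = {}
    for line in text.splitlines():
        if m := USER.match(line):
            event["User"] = m.group(1)
        elif m := FIELD.match(line):
            event[m.group(1)] = m.group(2)
    return event

def changed_fields(before, after):
    """Attributes whose value differs between two denials (Reason text ignored)."""
    keys = (before.keys() | after.keys()) - {"Reason"}
    return {k: (before.get(k), after.get(k)) for k in sorted(keys)
            if before.get(k) != after.get(k)}

def triage(event):
    """One-line summary: which policy matched and which method the server saw."""
    return (f"{event['Client-Friendly-Name']}: {event['User']} denied by policy "
            f"'{event['Policy-Name']}' using {event['Authentication-Type']} "
            f"(reason {event['Reason-Code']})")
```

The diff of the two events shows Authentication-Type changing from PEAP to MS-CHAPv2, which is the method that Reason-Code 66 reports as not enabled on the matching policy "Lab06 - Authentication".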