Wireless Access

Hi All,

I still new for Aruba user authentication. Currently i have implement 802.1x authentication for my customer by using Microsoft Peap. I have configure Windows 2008 R2 RADIUS server (NPS) use Microsoft peap and also already configure the Aruba controller AAA authentication profile (as below attached screen capture).

I use the laptop try connect to broadcasted SSID (802.1x authentication). It take a while (10 to 30 sesconds) to complete connect the SSID but after that windows prompt to install Aruba controller certificate.

My customer say it is possible don't prompt to install the certificate? Because they end user don't like this annoying thing. 

Attachment(s)

802dot1x.docx   81 KB 1 version

On the Client, uncheck "Validate Server Certificate".  

Hi Joseph,

Ok, i will try on that. 

Btw, about the Windows 2008 R2 RADIUS server, it is neccesary install and configure CA server and self generate the certificate? Because i have go through the Aruba user guide it stated need to do so. 

But i does not install, configure and self generate the certificate.

---

@jordontin wrote:

Hi Joseph,

 

Ok, i will try on that. 

 

Btw, about the Windows 2008 R2 RADIUS server, it is neccesary install and configure CA server and self generate the certificate? Because i have go through the Aruba user guide it stated need to do so. 

 

But i does not install, configure and self generate the certificate.

---

To install it properly, you should install the Radius Server Certificate, just like the guide states, and then uncheck Termination in the Aruba 802.1x profile.

Hi Jospeh,

After i uncheck the "Validate Server Certificate" the laptop successful do the authentication provide need to "Check or tick" the "Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) on the WIndows 2008 R2 radius server. 

If i uncheck or untick the "Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) on the WIndows 2008 R2 radius server", windows client always keep on asking key in the password.

it is possible uncheck or untick the Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) on the WIndows 2008 R2 radius server", then it would not always prompt to key in the password.

Attachment(s)

Doc1.docx   73 KB 1 version

---

@jordontin wrote:

Hi Jospeh,

 

After i uncheck the "Validate Server Certificate" the laptop successful do the authentication provide need to "Check or tick" the "Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) on the WIndows 2008 R2 radius server. 

 

If i uncheck or untick the "Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) on the WIndows 2008 R2 radius server", windows client always keep on asking key in the password.

 

it is possible uncheck or untick the Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) on the WIndows 2008 R2 radius server", then it would not always prompt to key in the password.

---

You can uncheck the mschapv2 on the server.  Who issued the server certificate to the Radius Server?  What is the CA?  The clients must have the CA certificate in their trusted store, for it to stop asking to accept.

I already put the CA certificate on the trusted store. But it still prompt to accept the certificate of the "securelogin.arubanetworks.com" certificate instead the radius servercertificate, if i check "validate Server Certificate".

About the CA certificate was auto generate when i setup the windwos RADIUS server but the CA certificate was issued by HQ CA server.

In Configuration> Security> layer2 Authentication> 802.1x profiles, find your 802.1x profile and make sure 802.1x termination is disabled (unchecked).

"To install it properly, you should install the Radius Server Certificate, just like the guide states, and then uncheck Termination in the Aruba 802.1x profile."

I need to do this exact thing. Where can I find this "guide" ? 

http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113