Contributor I
Posts: 25
Registered: ‎01-31-2014

Aruba 3200 Wireless with Radius Authentication

Hey guys, 


So I set up an SSID and attached it to a RADIUS server. Everything works except one thing I am not sure about.

I wanted to test what happens when you change the password in AD, would it kick the user off their phones and other wireless devices or not?

The first time I tested it, it worked but when I tested it again the clients never got kicked off. Is there a way to specify when ARUBA checks the RADIUS server for credentials?

MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: Aruba 3200 Wireless with Radius Authentication


for captive portal login

read here:

http://www.arubanetworks.com/techdocs/ArubaOS_61/ArubaOS_61_UG/Firewall_Roles.php

Re-authentication Interval (optional)

Time, in minutes, after which the client is required to reauthenticate. Enter a value between 0-4096. 0 disables reauthentication.

Default: 0 (disabled)

------------------------------------------------------------------------------------------------------------------------------------

for 802.1x

read here:

http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/802.1x.php

Use the re-auth option: (you can apply it on any

Reauthentication

Select this option to force the client to do a 802.1x re-authentication after the expiration of the default timer for re-authentication. The default value of the timer (Reauthentication Interval) is 24 hours. If the user fails to re-authenticate with valid credentials, the state of the user is cleared.

If derivation rules are used to classify 802.1x-authenticated users, then the Re-authentication timer per role overrides this setting.

Default: disabled

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
MVP
Posts: 130
Registered: ‎06-11-2013

Re: Aruba 3200 Wireless with Radius Authentication

Are you using WPA2-enterprise 802.1X with EAP-PEAP MSCHAPv2?

If the password is changed in AD the user should also change it on his/her device. Depending on type of device this could mean the user has to "forget the network" and then re-configure it. This is one of the big down-sides of PEAP.

For BYOD deployments you should consider using ClearPass OnBoard which will provision a certificate on the device and from then on EAP-TLS is used.

If you have domain joined Windows devices you can just push down a GPO with the correct network settings and the users don't have to worry about changing their password on the 802.1X profile as well.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Frequent Contributor I
Posts: 92
Registered: ‎02-05-2014

Re: Aruba 3200 Wireless with Radius Authentication

We are using RADIUS with PEAP for our BYOD. It's a big hassle because every time users change their password in AD, which used to be every 90 days, they would not delete the profile on their phones and then cause the RADIUS to lock out their account for 24 hours. This produces a lot of help desk calls. We are going to move to ClearPass, possibly this year. Also, when users bring in Windows 7 devices, the default settings are set up for AD users, but because they are not AD users on our network (BYOD), again the Windows profile has to be configured not to verify the certificate, and not to use their local credentials from their home laptop. I suggest ClearPass; we had to go with RADIUS because we didn't have the budget for ClearPass before, but I'm hoping this year.

Guru Elite
Posts: 8,638
Registered: ‎09-08-2010

Re: Aruba 3200 Wireless with Radius Authentication

^ Not validating the server certificate is a very, very bad idea.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480