Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba 7010 Authentication with Active Directory

  • 1.  Aruba 7010 Authentication with Active Directory

    Posted Mar 17, 2018 02:55 PM

    Ref# Aruba 7010 controller

    We need to enable Active Directory authentication for wireless users so that each office staff member is able to use their Windows Active Directory username & password to get network/internet access.

    We are planning to install a RADIUS server on Active Directory (which is the best option, RADIUS or LDAP?).

    Kindly help me to clear up the following:

    1. On the 7010 WLC, how do we need to add the authentication server (as a RADIUS server or an RFC 3576 server)?

    2. After successfully authenticating with the WLC using a Windows username & password, the IT team (a couple of Windows users) requires WLC management privilege, but normal users don't require controller management access. How can we achieve this?

    3. We need to change the captive portal default certificate to a third-party SSL certificate. What is the procedure for this? Then what will be the new captive portal URL?



  • 2.  RE: Aruba 7010 Authentication with Active Directory

    EMPLOYEE
    Posted Mar 17, 2018 03:23 PM

    1. Do not use LDAP.  Radius is the best way.  Instructions on how to install a radius server on Windows server and configure the controller are here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

    2.  Management Authentication is described in the user guide here:  http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x_XPClient_IAS_Config/Configure_Management_Aut.htm?Highlight=management authentication

    3.  An exhaustive description of why and how to change the controller captive portal certificate is here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809

     

     



  • 3.  RE: Aruba 7010 Authentication with Active Directory

    Posted Mar 18, 2018 02:15 AM

    Thanks cjoseph,

    Please clarify the following.

    1. To achieve our requirement, which is the best way of adding the authentication server: as a simple RADIUS server or an RFC 3576 RADIUS server?

    2. Regarding Aruba management access/permission for the IT team:

    Consider that a total of 50 Active Directory users need to access the wireless network (so these users need to be authenticated with the RADIUS server). Out of these users, only the IT team (5 members) needs to have the controller management permission; the remaining users don't have this permission.

    As per the shared article (http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x_XPClient_IAS_Config/Configure_Management_Aut.htm?Highlight=management), my understanding is that all users will have the management permission.

    If possible, please mention the step-by-step procedure for the same.

    3. Currently the captive portal URL is "securelogin.arubanetworks.com", so once we upload and assign a new SSL certificate to the captive portal, what will be the new URL for the captive portal? We couldn't find the option to change the URL.



  • 4.  RE: Aruba 7010 Authentication with Active Directory
    Best Answer

    EMPLOYEE
    Posted Mar 18, 2018 03:24 AM

    1.  Add as a radius server.  RFC 3576 is change of authorization, which is an extension of radius, but not required for authentication, so you can skip that for now.

    2.  There are a few management roles on the Aruba Controller that do different things:  http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Defaults/Default_Management_User_.htm?Highlight=mgmt-user

    You would have to return a radius attribute that will set the user's role to what you want (Aruba-Priv-Admin-User is the attribute in this case), when the user authenticates.  Instructions on how to return an Aruba Attribute from a Microsoft Radius Server are here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-i-go-about-in-doing-Vlan-derivation-against-Microsoft/ta-p/184848

    3.  When you upload the new certificate, the URL for the Captive Portal will change to that fqdn.   Detailed information about changing the Captive Portal certificate and why you should do it is here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809



  • 5.  RE: Aruba 7010 Authentication with Active Directory

    Posted Mar 18, 2018 09:36 AM

    Hi, for wireless users using captive portal authentication, is there a need to install any certificate on the end-user devices (PC, mobile) and the wireless controller?



  • 6.  RE: Aruba 7010 Authentication with Active Directory

    EMPLOYEE
    Posted Mar 18, 2018 10:02 AM

    Users will get an error with the default certificate installed on your controller when you configure captive portal authentication.  You would have to install a publicly-trusted server certificate to avoid that.  After you do that, users would not be expected to install anything on their device.  This is detailed here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809



  • 7.  RE: Aruba 7010 Authentication with Active Directory

    Posted Mar 18, 2018 10:23 AM

    Thanks, this is clear.

    My doubt is that, as part of end-user captive portal authentication with the RADIUS server, the controller sends the username & password to the RADIUS server using MSCHAPv2 / PAP. For this purpose, is any certificate required on the controller or on the wireless client devices?



  • 8.  RE: Aruba 7010 Authentication with Active Directory

    EMPLOYEE
    Posted Mar 18, 2018 10:31 AM
    For Captive Portal, on the radius side it is Pap, not MsChapV2. That does not require a client-side certificate.


  • 9.  RE: Aruba 7010 Authentication with Active Directory

    Posted Mar 18, 2018 11:09 AM

    Hi cjoseph,

    PAP authentication is not supported on Windows Server 2012 R2.

    Please find the attachment.



  • 10.  RE: Aruba 7010 Authentication with Active Directory

    EMPLOYEE
    Posted Mar 18, 2018 01:23 PM

    Screenshot 2018-03-18 at 12.22.03.png

    That is PAP.  Why do you think it is not supported?



  • 11.  RE: Aruba 7010 Authentication with Active Directory

    Posted Mar 18, 2018 10:54 PM

    Yes, it can be enabled.

    My understanding is that PAP will send the username and password in clear text, but MSCHAPv2 is encrypted.

    My system team prefers to use MSCHAPv2. Is it possible to use MSCHAPv2 on Aruba?



  • 12.  RE: Aruba 7010 Authentication with Active Directory

    EMPLOYEE
    Posted Mar 19, 2018 05:05 AM

    Captive Portal uses PAP.  MsChapv2 is used by 802.1x clients.

     

    Please do a Google Search and don't take my word for it.



  • 13.  RE: Aruba 7010 Authentication with Active Directory

    Posted Mar 19, 2018 01:08 PM

    OK, it's clear now.

    OK, for our case (SSID with PSK), the user should then be redirected to the captive portal (local captive portal) and should use their Active Directory username & password (RADIUS is configured on the domain controller and added as an authentication server in the WLC as a RADIUS server) to get internet/network access.

    What policy will be required?

    I think we need to configure a dot1x-psk AAA profile, am I correct?



  • 14.  RE: Aruba 7010 Authentication with Active Directory

    Posted Mar 18, 2018 11:29 AM

    Regarding management permission for IT users: on the RADIUS server, in which settings do we need to configure the RADIUS VSAs (Aruba-Priv-Admin-User = 2, type = integer)?

    How can we assign this policy to IT users (do we need to create a separate RADIUS policy for IT users)?

    Is it possible to share any screenshots?