Hello
We are having an issue at one of our customers: a local University.
They have 2 FreeRadius servers and 2 OpenLDAP servers that are installed and configured for the infrastructure.
All the passwords for the more than 25k users are stored in the LDAP database using SSHA encryption. The passwords cannot be changed because there are a number of external services that are using the LDAP database and cannot be reconfigured.
They have purchased Aruba Instant access points and one Aruba Controller and they want to deploy a wireless network using 802.1x authentication and the existing infrastructure.
We have tried setting up both Aruba Instant Virtual controllers and Aruba controller and we cannot find a common setting that can be used by all the devices connected to the network.
Basically, the customer has:
- Windows 7, 8, 10 laptop computers
- Apple MacOS laptop computers
- Windows 8, 10 tablets and mobile phones
- Android 4, 5, 6, 7, 8 tablets and mobile phones
- Apple iOS 9, 10, 11 tablets and mobile phones
If we activate EAP termination on the controller we have 2 types of results:
- EAP-MSCHAPv2 - none of the devices can successfully log in to the network (which is true because the passwords are not stored using NT hash but SSHA)
- EAP-GTC - all the devices that are not running Windows can successfully connect to the network.
If we do not use EAP termination then:
- All Windows 8, 10 laptops can connect to the network;
- Some Android devices can connect to the network (80%);
- Apple devices can connect to the network after they download a specially created profile (available on the customer's extranet);
- Windows 7 devices and Windows 8 mobile devices cannot connect to the network.
I know that the simple solution is to use 3rd party supplicants but this is not possible. The amount of users is too high and the devices change frequently.
And they want to provide a seamless experience to the users and a simple login process that does not imply installing software on the device.
Any hints? Ideas?
Best regards,
Alex