12-14-2016 07:20 AM
Hi - a customer of mine is currently using the captive portal in his controller and querying both AD and a local database for username+pwd entries, when clients connect (the former for employees' own devices, the latter for Guests he creates on the controller DB). The customer now wants to provide encrypted Wi-Fi for this user base.
Can he simply change from CP to 802.1x (local termination) and still query both the local user database and AD, on his controller? Would he instead need ClearPass or similar as an external RADIUS?
As a simpler alternative, could he simply use WPA2-PSK as a precursor to the captive portal solution he's currently using?
12-14-2016 07:23 AM
How would the user do 802.1x to AD without a radius server?
Aruba Customer Engineering
12-14-2016 07:29 AM
I wondered if the controller had the ability to provide its own locally hosted RADIUS? I would, essentially, prefer to be told they need an external RADIUS (e.g. ClearPass) as that would offer them greater future flexibility - but I like to make any 'it can't be done, without this extra component' statements having all the facts, as this customer wants to avoid extra costs and is likely to ask other Aruba partners to confirm such a statement...
12-14-2016 08:48 AM
As said above, a RADIUS server would be necessary to authenticate 802.1X to AD. This does not have to be ClearPass, so if cost is an issue, the customer could consider enabling NPS on the Windows/AD servers to serve this functionality as well (a free Windows Server service). You'll have reduced capabilities compared with ClearPass, but it can work.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
12-19-2016 01:57 AM
The problem is that this question is not that simple to answer. You can respond: yes, it is supported. However, that is under certain circumstances.
The problem lies in the request for 802.1X. That question seems simple, but the reality is that 802.1X can mean almost anything.
If you want to do EAP-MSCHAPv2 against your Active Directory (that uses usernames and passwords under the hood), you can't, as via LDAP you can't support MSCHAPv2. That is where the statement 'You need to have an external RADIUS server for that' originates from. There are other reasons why you should avoid MSCHAPv2. But that question is typically not asked.
If you implement 802.1X with EAP-TTLS, you can connect via LDAP without RADIUS and use AD passwords. I did not find a definitive answer, but it seems that the same server certificate validation problem exists with that method.
Which leaves us with that you probably want to implement EAP-TLS authentication with client certificates, which opens another can of worms if you don't have the proper backend infrastructure. But you can issue client certificates to your clients and have the controller validate them, even without an LDAP connection to Active Directory.
ClearPass will make your life much easier in many ways, and many of the basic authentication things that ClearPass can do can be done with another RADIUS server as well. In my experience, after spending lots of hours with the Microsoft built-in RADIUS server, people like the visibility, scalability, and add-on features that ClearPass provides as additional value over the 'free' approaches that come with troubleshooting and 'find out yourself' research costs.
So to summarize, your question can be answered both with a 'yes' as the formal answer, or as a 'no', 'it depends', 'possible but not advised' in most real-world scenarios. Then of course, it depends on the partner to do the proper investigation and provide an honest answer, and the customer to ask the right questions and define the right expectations.
Hope this provided some light on this topic.