Wireless Access


Client Behavior connecting with LDAP

  • 1.  Client Behavior connecting with LDAP

    Posted Jan 09, 2012 08:26 AM

    Hi,

    I am working with a customer who implemented LDAP with AOS 6.1.2.4; using Radius was not an option. I have them using the PEAP-GTC plugin found on the Aruba Support page.  Client is using XP and Windows 7. I had them set up the client exactly as stated in the Aruba PEAP-GTC User Guide.

     

    When they try to connect, they get splashed with a box that asks them to "Terminate" or "Connect".  If connect is chosen, it goes into a continual loop. If terminate is selected, they get a "Connecting to (name of network)" and an Enter credentials box pops up, and when they try to enter credentials, it fails.  I have had the user test connectivity with their credentials from within the Aruba Controller using the Diagnostic tool used for testing usernames and passwords to an External server.

     

    What is the correct process for a client using the Aruba PEAP-GTC plugin?  Is there a way to save credentials so they don't have to enter them every time in Windows?

     

    Thanks.



  • 2.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Jan 09, 2012 08:38 AM
    Windows should save the credentials automatically. It will only ask you for credentials if they are incorrect. Have you ever gotten this to work?


  • 3.  RE: Client Behavior connecting with LDAP

    Posted Jan 09, 2012 09:10 AM

    Yes, I did get it to work before I left the customer's location. I tested it with a customer's Windows 7 machine.

    I believe when the most recent issues popped up, the customer was testing someone else's credentials on their machine. Is there an issue with that?



  • 4.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Jan 09, 2012 09:18 AM

    @syurick wrote:

    Yes, I did get it to work before I left the customer's location. I tested it with a customer's Windows 7 machine.

    I believe when the most recent issues popped up, the customer was testing someone else's credentials on their machine. Is there an issue with that?


    Only if the credentials are incorrect.  Windows should automatically cache the credentials after connecting successfully.  Is this a Windows Domain?



  • 5.  RE: Client Behavior connecting with LDAP

    Posted Jan 09, 2012 09:44 AM

    Yes, sorry I forgot to include that in my original post.  It is a Windows domain, running Server 2003.

     

    I am having my customer try authenticating using the diagnostic tool in the controller to rule out improper credentials.

    Not sure if it matters but I am using "Clear-text" as the preferred connection type for the time being.  If I were to change that to LDAP-S, what would I need to do to make that work? Go out and get a cert and apply it onto the controller in the 802.1x profile? Or can the controller use the built-in cert when using LDAP-S?



  • 6.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Jan 09, 2012 09:56 AM

    @syurick wrote:

    Yes, sorry I forgot to include that in my original post.  It is a Windows domain, running Server 2003.

     

    I am having my customer try authenticating using the diagnostic tool in the controller to rule out improper credentials.

    Not sure if it matters but I am using "Clear-text" as the preferred connection type for the time being.  If I were to change that to LDAP-S, what would I need to do to make that work? Go out and get a cert and apply it onto the controller in the 802.1x profile? Or can the controller use the built-in cert when using LDAP-S?


    With LDAP-S the only certificate would be on the LDAP server.  No cert is required on the controller; it will accept any non-expired certificate from the ldap server during the transaction.  Just change the auth port to 636, which is the port that ldap-s communicates over.

     

    Last, but not least, please consider using Radius on the Windows 2003 server instead so that you would not have to configure eap-gtc on each client.  In addition, it provides a more seamless experience on your clients.   Detailed instructions for this are here: http://community.arubanetworks.com/t5/Authentication-and-Access/Step-by-Step-How-to-Configure-Microsoft-IAS-Radius-Server-from/m-p/14391/highlight/true#M80
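
Added example, not part of the original thread and not Aruba's code: since the reply above says the controller accepts any non-expired certificate from the LDAP server, an administrator may want to check independently what the server presents on port 636. The sketch audits a certificate dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names and both sample certificates are constructed.

```python
import ssl
import time

def hostname_matches(pattern, host):
    """Exact match, or a wildcard that covers only the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def audit_ldaps_cert(cert, host, now=None):
    """Audit a dict shaped like ssl.SSLSocket.getpeercert() output.

    Returns (expiry_only_ok, problems): the first value is the
    "any non-expired certificate" test described in the thread, the
    second lists what a stricter client would also reject.
    """
    now = time.time() if now is None else now
    problems = []
    expiry_only_ok = now <= ssl.cert_time_to_seconds(cert["notAfter"])
    if not expiry_only_ok:
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, host) for n in names):
        problems.append("no SAN matches " + host)
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed (issuer equals subject)")
    return expiry_only_ok, problems

# Constructed sample certificates (not taken from any real server).
NOW = ssl.cert_time_to_seconds("Jan  9 12:00:00 2012 GMT")
CA_ISSUED = {
    "subject": ((("commonName", "dc1.corp.example"),),),
    "issuer": ((("commonName", "Constructed Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Jan  1 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "dc1.corp.example"),),
}
MISMATCHED = dict(CA_ISSUED,
                  subject=((("commonName", "other.invalid"),),),
                  issuer=((("commonName", "other.invalid"),),),
                  subjectAltName=(("DNS", "other.invalid"),))

if __name__ == "__main__":
    for label, cert in (("CA-issued", CA_ISSUED), ("mismatched", MISMATCHED)):
        print(label, audit_ldaps_cert(cert, "dc1.corp.example", NOW))
```

To audit a live server, take the dict from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`, which additionally verifies the chain against the trusted CAs.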



  • 7.  RE: Client Behavior connecting with LDAP

    Posted Jan 09, 2012 10:20 AM

    So, must I have a certificate on the LDAP server to run LDAP-S?  Or can I just change the preferred connection method to LDAP-S on the controller and the port number and it should be good to go?

     

    This is a small deployment with limited number of users 10-15 using the internal SSID so rolling out to the entire company is not an issue at this time.

     

     



  • 8.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Jan 09, 2012 10:24 AM

     


    @syurick wrote:

    So, must I have a certificate on the LDAP server to run LDAP-S?  Or can I just change the preferred connection method to LDAP-S on the controller and the port number and it should be good to go?

     

    This is a small deployment with limited number of users 10-15 using the internal SSID so rolling out to the entire company is not an issue at this time.

     

     


    Yes, you must have a certificate on the LDAP server:  http://support.microsoft.com/kb/321051

     

     



  • 9.  RE: Client Behavior connecting with LDAP

    Posted Jan 09, 2012 11:34 AM

    Update:

     

    Credentials passed on the Diagnostic tool test.  Win XP client working without issues. Only experiencing issues in Windows 7.

     

    I will attach what the client is getting in Win 7.  Shouldn't they just click "Terminate" here?

    Is there an option/setting for the Wireless network in Windows 7 to bypass this pop-up?

     

     

     



  • 10.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Jan 09, 2012 11:44 AM

    What happens when you click "Connect"?

     

    In the wireless profile can you uncheck "Validate Server Certificate" and see if it works (should not do that in practice, but try it)?



  • 11.  RE: Client Behavior connecting with LDAP

    Posted Jan 10, 2012 10:58 AM

    Eventually on the Windows 7 machines after that pop-up loops a couple times, the credentials box pops up for the user to authenticate.

    This looping behavior is ok for the admin to connect but they are concerned about users being annoyed by having to click through it.  Any thoughts on how to reduce that behavior?

    Had them try disabling the valid server cert and no luck.



  • 12.  RE: Client Behavior connecting with LDAP

    Posted Jan 27, 2012 11:23 AM

    Customer purchased an SSL cert under recommendation from the TAC.  They are still experiencing issues on Win7 machines only; XP, Vista and Macs are perfect.

    This sounds similar to this thread: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/LDAP-connectivity-problem-with-Aruba/td-p/9514/highlight/true

     

     



  • 13.  RE: Client Behavior connecting with LDAP

    Posted Jan 27, 2012 11:23 AM

    Any thoughts from anyone on how to fix this?



  • 14.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Jan 27, 2012 11:26 AM

    @syurick wrote:

    Any thoughts from anyone on how to fix this?


    They need to continue to work with TAC to resolve the client issue.  TAC has all of their information, and on the face of it, it should work.  If there is a new issue based on customer configuration, software, patches, etc, TAC is much better positioned to figure it out than us guessing here.  

     

    Of course, if anyone has any ideas, that would be good, too.

     



  • 15.  RE: Client Behavior connecting with LDAP

    Posted Feb 09, 2012 11:27 AM

    Issue resolved. 

     

    If the user hit "connect" 3 or 4 times it would eventually bring up the correct login box and the user would authenticate just fine.  This behavior was bothersome to the end users, as when they disconnected or shut off their wireless they would have to be splashed with the "terminate" or "connect" box in the same annoying pattern.

    For those folks who are curious to know what the fix was for future use, it was a simple check box on the Windows 7 client on the settings for the wireless network. Need to check off the box "connect when this network is not broadcasting".

    After doing that, users were able to re-authenticate in Windows 7 without having to ever see that awful "terminate" or "connect" box again.

     

    It took a site visit to the customer to figure this one out.



  • 16.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Feb 09, 2012 11:30 AM

    So the network is NOT broadcasting, then?



  • 17.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Jan 09, 2012 09:20 AM

    Does Windows 7 client support PEAP-GTC? A couple of years ago we had to install Intel Proset in every laptop because Windows XP's wireless client only supported PEAP-MSCHAPv2...



  • 18.  RE: Client Behavior connecting with LDAP

    EMPLOYEE
    Posted Jan 09, 2012 09:25 AM

    @samuel.perez wrote:

    Does Windows 7 client support PEAP-GTC? A couple of years ago we had to install Intel Proset in every laptop because Windows XP's wireless client only supported PEAP-MSCHAPv2...


    Aruba has a PEAP-GTC shim for Windows 7 and Windows XP on the support website.