Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Configuration question Aruba IOS 6.1.3.1

  • 1.  Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 12:14 PM

    Hi all -

    I'm trying to fix an issue with my ESSID configurations. I currently have 2 ESSIDs:

    1 - corp - all PCs connect to this network; it's using MAC and user authentication through Active Directory

    2 - mac - all PCs/Linux systems connect to this network; it uses the internal database and user auth through AD

    So my problem is I need to get everybody using corp and drop the mac ESSID because of issues with split tunneling on remote APs, due to only having 1 profile in the remote AP config (I think that is the only way they can be done, but if I'm wrong, please let me know).

    So here's the question: in the AAA profiles, I see that there is an L2 Authentication Fail Through option. If I check that, add the MAC authentication profile (for the mac) and the MAC authentication server group being the local DB (just like the mac ESSID profile is configured), will:

    1. All systems work on corp now?

    2. What kind of access delays can I expect when people are connecting to wireless?

    Lirria



  • 2.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:22 PM

    Why don't you just use 802.1X with EAP-PEAP?

    Depending on the user you can give it a role, or different access to the internal network..

    You should be able to put everyone on the CORP SSIDs...

    You should not use MAC authentication... as Aruba recommends against the use of it... just use 802.1X and you should be all good...

    If you want really high security use 802.1X TLS. EAP-PEAP would be like a HIGH security....

    MAC authentication is really easy to crack...



  • 3.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:31 PM

    I realize that MAC authentication can be forged, so we also require an AD user name/password for the Mac/Linux clients because they are not part of the domain.

    For the PCs we use machine auth and AD user name/password as a double check.

    Both are using EAP-PEAP.

    User roles are based on passing both authentication checks for the systems (and yes, we do monitor for MAC spoofing).

    I unfortunately need to have 2 checks on each type of system to be allowed on the network, and that is where my problem is coming from. If you can provide another method of ensuring 2 checks I would appreciate it.

    Do you happen to know the repercussions of checking the L2 authentication fail through in this situation?

    Lirria



  • 4.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:35 PM

    Yes, there are other methods, but your issue is Linux clients...

    If you had all Windows, you could do computer authentication... which will check if the computer is in the Active Directory group you select on the NPS...

    Another method of validating (not really, but I'll still tell you):

    You can tell the Aruba controller that if the user is not using DHCP it won't let the user connect... with DHCP Enforcement...

    We were also asked for 2 methods of authentication in a bank, but they are all Windows... so I was able to do it with the computer enforcement... but in your case you've got Linux clients, right?



  • 5.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:38 PM

    Yes, unfortunately I have Linux and Macintosh clients that I have to allow full access to the network. The Windows systems work wonderfully.

    Lirria



  • 6.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:44 PM

    It looks like you have no other option than also using MAC authentication....

    But you will only be able to add 4000 entries to it.



  • 7.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:47 PM

    That's fine. Right now I have less than 100 systems to manage that way, so it's been pretty easy. Any thoughts on how to configure the profile so that both MAC authentication and machine authentication can work using the same SSID? I've only been able to get it to work on 2 different SSIDs.

    Lirria



  • 8.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:49 PM

    When you say machine authentication, do you mean 802.1X EAP-PEAP? Because there you are not authenticating the machine, you are authenticating the user.



  • 9.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:51 PM

    I use both machine auth and EAP-PEAP to authenticate both the machine and the user.

    Lirria



  • 10.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:53 PM

    Really?

    I didn't know you could do that.

    I mean you can authenticate machines, but with the enforce machine option, and it works with AD and NPS.

    How do you authenticate machines without the enforce machine option? I mean with Linux computers?



  • 11.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 05:57 PM

    For the Mac/Linux clients we use the internal database to provide MAC authentication, with the MAC authentication server being internal. Add to that the 802.1X authentication group being the AD RADIUS server, and it works.

    Lirria



  • 12.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:00 PM

    Ahhh, well, you're using MAC authentication there :)

    Okay okay :)

    Anyway, I got your question.

    I don't see the issue here then.

    You already have 2 layer 2 authentications:

    MAC authentication and 802.1X EAP-PEAP authentication.



  • 13.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:02 PM

    Now, a question: you were using

    on SSID1:

    machine authentication + 802.1X EAP-PEAP

    on the second SSID you were using:

    MAC authentication + 802.1X

    Am I right?

    And now you want, on the same SSID:

    MAC authentication + machine authentication + 802.1X EAP-PEAP? Right?



  • 14.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:03 PM

    Correct :)

    Sorry, like most of us I'm bouncing between 5 issues and should have listed the configuration a bit better.

    Lirria



  • 15.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:13 PM

    Okay.

    Look, when machine authentication is working, you know that it adds an entry to the internal database (have you noticed it?).

    That entry stays there for 24 hours by default.... If the wireless controller sees that entry in its database it won't ask for this authentication... it will just let that machine pass... When it expires, then it will ask for that machine authentication again, which only occurs when someone logs off and logs on.

    As far as I remember, as the user it uses the MAC address, but I don't know what password it creates for it...

    Now I don't see your trouble with it...

    Just don't use machine authentication.

    Add all the Windows machines to the internal database of the wireless controller.

    You will have:

    MAC authentication + 802.1X EAP-PEAP, which is 2 methods of Layer 2 authentication, which is what your goal is.

    Does this not work for you? If not, why?

    Cheers

    Carlos
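
The decision sequence the original question (post 1) asks about and the cached machine-auth entry Carlos describes above can be walked through in code. The block below is an added example, not the controller's code and not from anyone in the thread: it is a simplified, assumed model of how the AAA-profile knobs combine (MAC auth against the internal DB, L2 fail-through into 802.1X, enforce-machine-auth with a 24-hour cache); role names and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional
MACHINE_AUTH_CACHE_TTL = 24 * 3600  # post 15: a cached machine-auth entry lives 24 h by default

@dataclass
class AAAProfile:                   # the AAA-profile knobs the thread discusses
    mac_auth: bool = True           # MAC auth against the controller's internal database
    dot1x: bool = True              # 802.1X (EAP-PEAP) user auth against AD via RADIUS
    l2_auth_fail_through: bool = False
    enforce_machine_auth: bool = False
    dot1x_role: str = "corp"        # assumed role names, not taken from the thread
    user_only_role: str = "user-only"
@dataclass
class Client:
    mac: str
    user_ok: bool                   # outcome of the PEAP user authentication
    machine_ok: bool                # fresh machine-auth outcome (Linux/Mac: never succeeds)
    last_machine_auth: Optional[float] = None  # epoch of a cached machine-auth success, if any

def decide(profile: AAAProfile, client: Client, internal_db: set, now: float) -> str:
    """Role the client ends up in, or 'denied'. Simplified assumed model, not controller code."""
    if profile.mac_auth and client.mac.lower() not in internal_db:
        # MAC auth failed: only fail-through into a configured 802.1X keeps the client alive
        if not profile.l2_auth_fail_through or not profile.dot1x:
            return "denied"
    if not profile.dot1x:
        return "mac-auth-role"      # MAC auth alone passed (assumed role name)
    if not client.user_ok:
        return "denied"
    if not profile.enforce_machine_auth:
        return profile.dot1x_role
    cached = (client.last_machine_auth is not None
              and now - client.last_machine_auth < MACHINE_AUTH_CACHE_TTL)
    return profile.dot1x_role if (client.machine_ok or cached) else profile.user_only_role

def walkthrough() -> dict:
    db = {"00:11:22:33:44:55"}      # constructed: the one Linux laptop registered for MAC auth
    corp = AAAProfile(l2_auth_fail_through=True, enforce_machine_auth=True)
    strict = AAAProfile(enforce_machine_auth=True)      # same profile, fail-through unchecked
    linux = Client("00:11:22:33:44:55", user_ok=True, machine_ok=False)
    windows = Client("aa:bb:cc:dd:ee:01", user_ok=True, machine_ok=True)
    cached = Client("aa:bb:cc:dd:ee:02", user_ok=True, machine_ok=False, last_machine_auth=0.0)
    return {
        "linux_on_corp": decide(corp, linux, db, 3600),              # MAC+user pass, no machine auth
        "windows_unregistered_mac": decide(corp, windows, db, 3600),  # fail-through to 802.1X
        "windows_no_fail_through": decide(strict, windows, db, 3600),
        "cached_machine_fresh": decide(corp, cached, db, 3600),
        "cached_machine_expired": decide(corp, cached, db, 25 * 3600),
    }
```

Under these assumptions the Linux client lands in the user-only role rather than being denied, which is the access-delay and role question post 1 raises; the real controller's behaviour should be confirmed against its own documentation.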



  • 16.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:26 PM

    Well, partly the whole adding 325 MAC addresses is kind of a bummer. But that aside, having the 24 hour reauthentication is really quite handy to keep people refreshing that and getting a backup of their computer when they log back in.

    If that is the only way, I may have to do that. I was really hoping not to have to manage each new system that is added into the domain; we have 13 locations worldwide and getting the MAC addresses from the remote locations is challenging at times.

    If that is the only solution, then I will just have to leave it as is and figure out a way to get the split tunneling to work properly for the systems using MAC auth (local DB) and EAP-PEAP.

    Lirria



  • 17.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:30 PM

    Larry, before giving up, open a support case.

    Do you have an account?

    Or wait for a little bit; maybe Collin has got an idea! :) You can wait for him to reply on this thread....

    I know adding all those MACs is a bummer... and also the management, because then you will have to manually delete the MAC addresses of the ones that leave the company or something like it... I never recommend using it...

    Actually, I don't see why they are asking for 2 methods of authentication... If they want a really high method of authentication then they should just use EAP-TLS.... and that should be enough.. because like I said... MAC authentication is easy to crack...

    If someone can get past EAP-PEAP, believe me, he can get in with or without MAC authentication....



  • 18.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:35 PM

    I know. I was a bit surprised when we had a security audit and the folks that came in said they could hack the network with no problems, and they failed almost completely on wireless. They tried spoofing the SSID and had 1 person connect and click accept on their certificate, but couldn't get the password to get on the network. Then they wanted the MAC address of one of the other SSIDs that I use that has super restricted MAC/password access and they couldn't crack that one either. That did make me feel a bit better about the whole system.

    I'll see if Collin has some time to catch up on this post; if not I'll go ahead and enter a service request. Just thought I would try the community first.

    Thank you!

    Lirria



  • 19.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:55 PM

    If you're using EAP-PEAP, be sure you have it configured this way:

    http://community.arubanetworks.com/t5/Authentication-and-Access/Correctly-configure-EAP-PEAP-Windows-client/td-p/43398

    I guess you have already configured it this way, but still, just in case.

    Cheers

    Carlos



  • 20.  RE: Configuration question Aruba IOS 6.1.3.1

    Posted Feb 06, 2013 06:58 PM

    Super. I'll take a look over that in the AM and see if we are good.

    Thanks!

    Lirria



  • 21.  RE: Configuration question Aruba IOS 6.1.3.1
    Best Answer

    Posted Feb 20, 2013 03:14 PM

    I ended up changing my Virtual AP profile (actually adding in a second one for my Macintosh/Linux clients), changing the settings on it to reflect the split tunneling, and it seems to be working.

    Lirria