MVP
Posts: 501
Registered: 04-03-2007

Different RADIUS servers for EAP-PEAP vs. EAP-TLS

Does anyone know of a way within ArubaOS to pass authentication requests to different RADIUS servers based on the EAP type used? Assumptions are that all users are using the same 802.1X SSID and that no users have a domain/suffix/etc as part of their username.


In other words:

  • if the user sends their username/password via EAP-PEAP authentication, send the RADIUS request packet to Server#1
  • if the user sends a certificate via EAP-TLS authentication, send the RADIUS request packet to Server#2.


I'm thinking this is not possible, as the server delineation within AOS server-groups seems based on FQDN or auth-string only.


If anyone has insight on this, I'd appreciate it!

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 21,269
Registered: 03-29-2007

Re: Different RADIUS servers for EAP-PEAP vs. EAP-TLS

You are correct.  There is no way to make a decision based on EAP Type in the controller.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,644
Registered: 04-13-2009

Re: Different RADIUS servers for EAP-PEAP vs. EAP-TLS

You cannot do this in the controller.  You'd need to set up a RADIUS proxy server to be the initial point of contact for RADIUS clients (the controllers).   The proxy could then evaluate the request and pass it along to the appropriate RADIUS server based upon authentication type (or other conditions).


You can also set up the RADIUS server to support both types of authentication (assuming it can access appropriate directories for both types of auth).

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
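The proxy approach described in the post above, as an added example that is not code from the original thread, from Aruba or from any RADIUS product: a minimal decoder that pulls the EAP-Message attribute(s) out of a RADIUS Access-Request, reads the EAP method type the supplicant is speaking, and picks a home server for it. The server names, the sample packets and the zeroed Request Authenticator are constructed for illustration; the attribute and EAP type numbers are the registered ones (EAP-Message is RADIUS attribute 79, EAP-TLS is EAP type 13, PEAP is EAP type 25). The example also shows the caveat a proxy has to handle: the very first Access-Request only carries an EAP-Response/Identity, so the method is not known yet, and the client may later answer the proposed method with a Nak that names the one it wants.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2869)
ATTR_USER_NAME = 1
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79

# EAP codes and method types (RFC 3748, RFC 5216; PEAP is IANA type 25)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25

# Hypothetical home servers standing in for "Server#1" (PEAP) and "Server#2" (TLS).
ROUTES = {
    EAP_TYPE_PEAP: "radius-peap.example.net",
    EAP_TYPE_TLS: "radius-tls.example.net",
}
# Assumption: the Identity round, where the method is still unknown, goes to the PEAP server.
DEFAULT_SERVER = ROUTES[EAP_TYPE_PEAP]


def parse_radius_attrs(packet):
    """Split a RADIUS packet into (type, value) pairs; returns [] if it is malformed."""
    if len(packet) < 20:
        return []
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return []
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return []
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def eap_method_from_radius(packet):
    """Return the EAP method type the supplicant is using, or None if not known yet."""
    # RFC 3579: several EAP-Message attributes carry one EAP packet; concatenate in order.
    eap = b"".join(v for t, v in parse_radius_attrs(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or length != len(eap):
        return None
    etype = eap[4]
    if etype == EAP_TYPE_IDENTITY:
        return None  # first round: no method negotiated yet
    if etype == EAP_TYPE_NAK:
        # A Nak lists the methods the peer is willing to use; take the first one we route.
        for wanted in eap[5:]:
            if wanted in ROUTES:
                return wanted
        return None
    return etype


def choose_home_server(packet):
    """Proxy decision: route by EAP method, falling back to the default server."""
    return ROUTES.get(eap_method_from_radius(packet), DEFAULT_SERVER)


# --- constructed sample traffic (not captured from a real controller) ---
def build_eap_response(etype, data=b""):
    return struct.pack("!BBH", EAP_RESPONSE, 1, 5 + len(data)) + bytes([etype]) + data


def build_access_request(attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    # Code 1 = Access-Request; a zeroed authenticator is fine for parsing, not for signing.
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


USER = b"user1"  # same username on both PEAP and TLS, as in the thread
SAMPLE_IDENTITY = build_access_request([
    (ATTR_USER_NAME, USER),
    (ATTR_EAP_MESSAGE, build_eap_response(EAP_TYPE_IDENTITY, USER)),
])
SAMPLE_PEAP = build_access_request([
    (ATTR_USER_NAME, USER),
    (ATTR_EAP_MESSAGE, build_eap_response(EAP_TYPE_PEAP, b"\x80\x00\x00\x00\x10\x16\x03\x01")),
])
# EAP-TLS response deliberately split across two EAP-Message attributes.
_tls_eap = build_eap_response(EAP_TYPE_TLS, b"\x80\x00\x00\x00\x10\x16\x03\x01")
SAMPLE_TLS = build_access_request([
    (ATTR_USER_NAME, USER),
    (ATTR_EAP_MESSAGE, _tls_eap[:7]),
    (ATTR_EAP_MESSAGE, _tls_eap[7:]),
])
# Peer was offered PEAP and answers with a Nak asking for EAP-TLS instead.
SAMPLE_NAK = build_access_request([
    (ATTR_USER_NAME, USER),
    (ATTR_EAP_MESSAGE, build_eap_response(EAP_TYPE_NAK, bytes([EAP_TYPE_TLS]))),
])

if __name__ == "__main__":
    for name, pkt in [("identity", SAMPLE_IDENTITY), ("peap", SAMPLE_PEAP),
                      ("tls", SAMPLE_TLS), ("nak", SAMPLE_NAK)]:
        print(name, eap_method_from_radius(pkt), "->", choose_home_server(pkt))
```

Two things this decoder leaves out that a production proxy must do: verify the Message-Authenticator that RFC 3579 requires on any packet carrying EAP-Message before acting on it, and re-sign the forwarded request with the home server's own shared secret while preserving the State and Proxy-State attributes so the EAP conversation stays pinned to one server once a method has been chosen. Because the method is only visible from the second round on, the Identity exchange has to go somewhere first; the default-server fallback above is the simplest way to express that, and a Nak is the signal that the client wants the other server.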

MVP
Posts: 501
Registered: 04-03-2007

Re: Different RADIUS servers for EAP-PEAP vs. EAP-TLS

We have Microsoft IAS, and it doesn't seem to support the needed attributes in order to determine EAP type. :-(
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 21,269
Registered: 03-29-2007

Re: Different RADIUS servers for EAP-PEAP vs. EAP-TLS

Did you want to put users in a different role, based on EAP Type or you wanted to have separate servers doing PEAP vs. TLS..?



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 501
Registered: 04-03-2007

Re: Different RADIUS servers for EAP-PEAP vs. EAP-TLS

The latter. Different servers.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 21,269
Registered: 03-29-2007

Re: Different RADIUS servers for EAP-PEAP vs. EAP-TLS


This is nowhere near a complete solution, but if the usernames on your TLS certificates present themselves differently than your PEAP usernames, you can do this: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-623


For real PEAP/TLS differentiation of course, you would need a full-featured radius server...  If only we had one... ;)



Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,644
Registered: 04-13-2009

Re: Different RADIUS servers for EAP-PEAP vs. EAP-TLS

IAS is limited in its forwarding conditions; NPS has some added capabilities around authentication methods.


Can you give us a little more info on your setup? For example:


The users who have certs: is there any commonality to the Subject name of the cert that might differentiate them from the other users?  Any domain names or anything?

The two remote sources: are they both AD?  Different domains?


------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 501
Registered: 04-03-2007

Re: Different RADIUS servers for EAP-PEAP vs. EAP-TLS

Colin, I know about ClearPass, and that is part of this. The idea is to have only a subset of users (my department) using CP for EAP-TLS and have the rest of the population continue to use IAS for EAP-PEAP.

These users can associate from anywhere, so can't use geography (ap groups) to differentiate.
Can't use ArubaOS to differentiate between TLS/PEAP.
Usernames are the same on PEAP and TLS so can't differentiate there.
No domains are used, so can't separate based on realms.

The point is to trial ClearPass without having all auth go through there. But, doesn't look like there's another option, given the requirement to continue having mobility for the TLS users.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University