Dot 1x SSID Configuration on Aruba 7010

  • 1.  Dot 1x SSID Configuration on Aruba 7010

    Posted Mar 26, 2018 08:22 AM

    Aruba 7010 (firmware version: 6.5.4)

     

    We are planning to configure an SSID with dot1x authentication.

     

    Our requirement is that once a user connects to the SSID (open), the user immediately needs to get the username & password (their Active Directory username and password need to be entered), and based on authentication is able to have network/internet access.

     

    Also, we need to restrict SSID access based on the MAC address of the device.



  • 2.  RE: Dot 1x SSID Configuration on Aruba 7010

    Posted Mar 26, 2018 08:33 AM

    Once we connect to the SSID, we immediately need to get the authentication option (refer to the attachment).



  • 3.  RE: Dot 1x SSID Configuration on Aruba 7010
    Best Answer

    Posted Mar 26, 2018 10:58 AM
    For 802.1x, your SSID will not be open; it will be WPA2-Enterprise protected. Since you want users to enter a username and password, this would be EAP-PEAP.

    It would ask you to enter in the username/password the first time you connect and remember it after that unless you go modify the network settings for that SSID.



  • 4.  RE: Dot 1x SSID Configuration on Aruba 7010

    Posted Mar 26, 2018 11:28 AM

    Hi pmonardo, could you please give a brief idea of the step-by-step configuration of the AAA profile, 802.1x authentication profile, MAC auth profile and SSID profile? (Our aim is that a MAC-authenticated device needs to get the username & password prompt to authenticate with AD.)



  • 5.  RE: Dot 1x SSID Configuration on Aruba 7010

    Posted Mar 28, 2018 09:41 AM

    Hi pmonardo, we have successfully configured the WPA2-Enterprise SSID (dot1x authentication), and users on Windows 10 operating systems were able to connect to the SSID, but for Windows 7 users the SSID did not connect (and they did not get the username & password prompt either); the error message was "Windows was unable to connect to SSID".

     

    The error message is attached.

     

    We found a reference (https://www.youtube.com/watch?v=orwvRxj0jFM&ab_channel=NicholasCountySchools) for this issue, which says we need to manually configure the SSID on the Windows 7 OS.

     

    Could you please clarify this?



  • 6.  RE: Dot 1x SSID Configuration on Aruba 7010

    Posted Mar 26, 2018 08:39 AM

    Hi Shayan,

     

    For a solution like that you'll need a RADIUS server that checks the validity of the user credentials. Here I recommend a virtual Windows Server in HA on e.g. VMware or Hyper-V with NPS services (which is relatively easy to implement and understand).

    Second, I always implement an AD/LDAP PKI for automated key deployment from the AD DCs to the RADIUS server(s) and sometimes even to all the clients (for certificate-based login).

    Now the login on the SSID should work fine, if you created an SSID with 802.1x auth and registered the RADIUS server with a working security secret.

    Lastly, you can create MAC filters, maybe just on the DHCP server. It doesn't matter if you use the Windows DHCP or the one on the controller (I prefer the Windows DHCP), as it is easier to maintain/administer...

    Optional:

    With this done you can then create GPOs to automatically deploy the wireless rules so that AD SSO will work on all the clients after a "gpo update".

    This works like a charm in many locations I implemented successfully...



  • 7.  RE: Dot 1x SSID Configuration on Aruba 7010

    Posted Mar 26, 2018 08:58 AM

    Hi FHegnauer, thanks for the quick response.

    Yes, we have already integrated our domain controller (installed the RADIUS server on the domain controller and added it as a RADIUS server on the Aruba WLC) with the Aruba WLC for captive portal authentication (SSID with PSK and internal captive portal authentication), and it's working fine.

     

    Now for the new SSID we are planning a Dot 1x SSID; could you please clarify the following:

     

    1. Can we use the same RADIUS server for Dot1x authentication?

    2. On the user PC, is there any certificate we need to install (any certificate exported from the authentication server)?

    3. We are planning to use the DHCP server from Aruba; we didn't find how to create MAC filters for MAC binding.

    4. What is the AAA profile configuration?

    5. Why do we need to create a GPO on the DC (is there any policy required)?
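
A sketch of the controller-side configuration this thread discusses (WPA2-Enterprise SSID, RADIUS server registered with a shared secret, MAC authentication ahead of 802.1X), in ArubaOS 6.x CLI form. This is an added example, not configuration posted by any participant; the profile names, the 192.0.2.10 address, VLAN 10, the roles and the use of the internal server group for MAC authentication are all assumptions.

```text
! Constructed example: names, address, VLAN and roles are placeholders.
! RADIUS server (for example Windows NPS) and the secret shared with it.
aaa authentication-server radius "nps-01"
   host 192.0.2.10
   key <shared-secret>
!
aaa server-group "nps-group"
   auth-server "nps-01"
!
! 802.1X profile left at defaults: EAP (PEAP here) is relayed to the
! RADIUS server, which checks the AD username and password.
aaa authentication dot1x "corp-dot1x"
!
! MAC authentication profile (device allow-list check).
aaa authentication mac "corp-mac"
!
! AAA profile: MAC authentication runs first, then 802.1X.
! With l2-auth-fail-through disabled, a device that fails MAC
! authentication is not allowed to continue to 802.1X.
aaa profile "corp-aaa"
   authentication-mac "corp-mac"
   mac-server-group "internal"
   authentication-dot1x "corp-dot1x"
   dot1x-server-group "nps-group"
   dot1x-default-role "authenticated"
   no l2-auth-fail-through
!
! WPA2-Enterprise (AES) SSID, not an open SSID.
wlan ssid-profile "corp-ssid"
   essid "CORP-DOT1X"
   opmode wpa2-aes
!
wlan virtual-ap "corp-vap"
   aaa-profile "corp-aaa"
   ssid-profile "corp-ssid"
   vlan 10
!
ap-group "default"
   virtual-ap "corp-vap"
```

With PEAP the client authenticates the RADIUS server by its certificate, so clients should trust the issuing CA and validate the server certificate rather than skip that check. A MAC address is sent in the clear and can be changed by the client, so the MAC check narrows which devices reach the 802.1X step but does not replace the user authentication.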