Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

LDAP authentication with eDirectory

  • 1.  LDAP authentication with eDirectory

    Posted Aug 06, 2015 07:13 PM

    We're finally moving away from a PSK environment and want our users to authenticate via LDAP in the most secure way. We do not have a RADIUS server in place and we are a Novell shop (eDirectory OES).

    I have the LDAP server set up with the preferred connection type set to start-tls. The L2 dot1x profile has termination enabled, and the termination EAP types eap-tls and eap-peap are enabled.

    Termination inner EAP type: eap-gtc.

    I guess what I'd like to know is: is this the most secure way our users can connect without adding a RADIUS server?

    Thanks.



  • 2.  RE: LDAP authentication with eDirectory

    EMPLOYEE
    Posted Aug 06, 2015 07:16 PM
    Yes, but you will require a third-party supplicant for most clients to support EAP-GTC.


    Thanks,
    Tim


  • 3.  RE: LDAP authentication with eDirectory

    Posted Aug 06, 2015 07:28 PM

    Thanks. What about checking off eap-mschapv2 under the dot1x profile as well?

    Ideally we'd like a RADIUS server in place, but we really need to move away from our current pre-shared key environment.



  • 4.  RE: LDAP authentication with eDirectory

    EMPLOYEE
    Posted Aug 06, 2015 07:31 PM
    PEAP-MSCHAPv2 is not possible with your configuration. Your only options with LDAP are:

    - EAP-GTC
    - EAP-TTLS (requires a RADIUS server)
    - EAP-TLS


  • 5.  RE: LDAP authentication with eDirectory

    Posted Aug 10, 2015 01:13 PM

    Thank you. I'm currently testing this out and it's working fine with a BlackBerry 10 device, Windows 7 and Windows 10 laptops. According to AirWave, most of our users (at the moment, anyway) are connecting with their Androids and iPads. I'm just curious as to how many of our clients will have issues connecting if they're running fairly new software?

    Also, would you suggest using captive portal to authenticate against LDAP?



  • 6.  RE: LDAP authentication with eDirectory

    EMPLOYEE
    Posted Aug 10, 2015 01:15 PM
    Do you have third party supplicants installed on the Windows 7 machines? Win 7 does not support EAP-GTC natively.


    Thanks,
    Tim


  • 7.  RE: LDAP authentication with eDirectory

    Posted Aug 10, 2015 02:31 PM

    No, we don't... What's the encryption supposed to be set to in the SSID profile? Right now it's "opensystem"; then it brings up a captive portal and we enter our LDAP creds.



  • 8.  RE: LDAP authentication with eDirectory

    EMPLOYEE
    Posted Aug 10, 2015 02:32 PM
    Oh, then you're not doing 802.1X. You would set it to WPA2 AES.


    Thanks,
    Tim


  • 9.  RE: LDAP authentication with eDirectory

    Posted Aug 10, 2015 04:30 PM

    Ah... OK. Makes sense now. Just an FYI, here's the error message I get:

    Radius Server: securelogin.arubanetworks.com
    Root CA: GeoTrust Global CA

    The server "securelogin.arubanetworks.com" presented a valid certificate issued by "GeoTrust Global CA", but "GeoTrust Global CA" is not configured as a valid trust anchor for this profile. Further, the server "securelogin.arubanetworks.com" is not configured as a valid NPS server to connect to for this profile.



  • 10.  RE: LDAP authentication with eDirectory

    EMPLOYEE
    Posted Aug 10, 2015 04:32 PM
    This is normal. You'll need to click the connect button.


  • 11.  RE: LDAP authentication with eDirectory

    Posted Aug 11, 2015 07:07 PM

    So this has nothing to do with certificates correct? It's simply because Windows 7 does not have the proper supplicant to support 802.1x authentication?



  • 12.  RE: LDAP authentication with eDirectory
    Best Answer

    EMPLOYEE
    Posted Aug 11, 2015 07:10 PM

    Yes, correct. It has to do with credential hashing.



  • 13.  RE: LDAP authentication with eDirectory

    Posted Oct 05, 2015 03:05 PM

    Hi Tim,

    We now have FreeRADIUS running on SLES 11 SP3. We'd like our users to connect to our wireless networks using their LDAP credentials. What are the subsequent steps to making this work? Thanks.



  • 14.  RE: LDAP authentication with eDirectory

    Posted Oct 05, 2015 03:13 PM

    1. You need to map LDAP to your FreeRADIUS.

    2. In the controller, add the RADIUS server.

    3. You have to determine where you are going to terminate the EAP.

    4. If it's going to be on the controller, you can use EAP-TLS or EAP-PEAP with MSCHAPv2.



  • 15.  RE: LDAP authentication with eDirectory

    Posted Oct 05, 2015 11:26 PM

    Thanks. So we have 2 networks: 1 for staff and 1 for students. Once a user's credentials are validated against RADIUS/LDAP how do we prevent a student (let's say) from joining the staff network?



  • 16.  RE: LDAP authentication with eDirectory

    Posted Oct 06, 2015 06:41 PM

    Anyone with eDirectory and FreeRADIUS knowledge, feel free to chime in... The LDAP and RADIUS servers are configured. We'd like our users to authenticate against our Wi-Fi networks using their eDir credentials, and we need the passwords to not be in plain text. We don't want our students connecting to our staff network. Tech support at Aruba was not able to help us out. Thank you.



  • 17.  RE: LDAP authentication with eDirectory

    EMPLOYEE
    Posted Oct 06, 2015 06:46 PM

    chuckster_ca,

    EDIT: obviously I didn't read the question.



  • 18.  RE: LDAP authentication with eDirectory

    Posted Oct 06, 2015 06:51 PM

    1. The problem is that both are authenticating against the same server. Both are in different groups, but we need to differentiate the two RADIUS requests to validate them against two different user groups.

    2. You can use the Aruba-ESSID attribute on the RADIUS request to differentiate the users:

       Say a user connects to the student SSID --> the RADIUS request will have the ESSID as student --> create a policy in the RADIUS server that if Aruba ESSID == student, then check whether the username belongs to the student group.

    3. Another way of doing it is using NAS-ID.

       Create 2 RADIUS servers on the controller, with the same IP and key but different NAS-IDs, say student and staff. Map them to different server groups and to the AAA profiles.

       So when a student tries to auth, he will carry NAS-ID as student on the RADIUS request. So create a policy in the RADIUS server that if the NAS-ID = student, then check for the user in the student group in AD.

    Hope that clears your query. Also let me know the case number with TAC and I will review it.
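Posts 14 and 18 describe the FreeRADIUS side only in outline. The excerpt below is an added example, not configuration from the thread or from Aruba or FreeRADIUS documentation: it assumes FreeRADIUS 3.x with the bundled `dictionary.aruba` (which defines `Aruba-Essid-Name`), an eDirectory tree rooted at `o=school` with Universal Password enabled, placeholder host, bind DN and group DNs, and the two ESSIDs named STAFF and STUDENTS.

```unlang
# --- mods-available/ldap (excerpt) ---
ldap {
    server   = "ldaps://edir.example.internal"        # placeholder eDirectory host
    identity = "cn=radius-svc,ou=services,o=school"    # placeholder bind DN
    password = "REPLACE_ME"
    base_dn  = "o=school"
    user {
        base_dn = "ou=people,${..base_dn}"
        filter  = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn              = "ou=groups,${..base_dn}"
        filter               = "(objectClass=groupOfNames)"
        membership_attribute = "groupMembership"
    }
    # eDirectory Universal Password: lets the module fetch the cleartext
    # password that MS-CHAPv2 verification needs (the "credential hashing"
    # limitation of a plain LDAP bind mentioned in post 12).
    edir = yes
}

# --- sites-enabled/inner-tunnel, authorize section (excerpt) ---
# PEAP: the inner request carries the real User-Name; the Aruba VSA and
# NAS-Identifier are in the outer request, reachable as outer.request.
authorize {
    suffix
    eap {
        ok = return
    }
    ldap

    # Option 2 from the thread: the ESSID the client joined must match the
    # eDirectory group the user belongs to, otherwise reject.
    if (&outer.request:Aruba-Essid-Name == "STAFF" && !(&LDAP-Group == "cn=staff,ou=groups,o=school")) {
        reject
    }
    if (&outer.request:Aruba-Essid-Name == "STUDENTS" && !(&LDAP-Group == "cn=students,ou=groups,o=school")) {
        reject
    }

    # Option 3: the same check keyed on the NAS-Identifier that each
    # controller-side RADIUS server entry sends (here "student" / "staff").
    if (&outer.request:NAS-Identifier == "student" && !(&LDAP-Group == "cn=students,ou=groups,o=school")) {
        reject
    }

    mschap
}
```

Confirm with `radiusd -X` that the inner request shows the `LDAP-Group` comparison and the reject for a user on the wrong ESSID before enabling the policy on the production server.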