Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

can someone provide some idea to solve this LDAP problem

  • 1.  can someone provide some idea to solve this LDAP problem

    Posted Nov 19, 2011 06:36 AM

    I am now facing the following problem:

    The Aruba AC3200 uses LDAP authentication with the external AD server. But now some wireless users cannot pass authentication, and for some of them the logon must be case sensitive. A few others can pass authentication smoothly.

    They tried using another AC (in another city) to connect to the AD server, and there was no problem.

    I will go to the customer site next week and I cannot get the AC's configuration now. I only know the Aruba 3200's version is 3.x.x.

    May I ask if someone can provide some ideas to help me solve the problem? And what can I prepare?

     

    Thank you very much.


    #3200


  • 2.  RE: can someone provide some idea to solve this LDAP problem

    EMPLOYEE
    Posted Nov 19, 2011 07:33 AM

    What kind of LDAP server?



  • 3.  RE: can someone provide some idea to solve this LDAP problem

    Posted Nov 19, 2011 07:39 AM

    It's the Windows 2003 AD. 3Q



  • 4.  RE: can someone provide some idea to solve this LDAP problem
    Best Answer

    EMPLOYEE
    Posted Nov 19, 2011 07:45 AM

    The only solution to this is to switch to RADIUS for authentication. Active Directory's username authentication is not case sensitive, but when using LDAP to connect to Active Directory it IS case sensitive. If you switch to RADIUS, it will allow users to log in with any case.



  • 5.  RE: can someone provide some idea to solve this LDAP problem

    Posted Nov 30, 2011 09:53 AM

    Hello cjoseph, in another case they mention a "shim" to load inside the Windows machine. I have the need to authenticate against some LDAP server instead of RADIUS (as I would prefer here), but the customer would like to use LDAP. I set "termination" on the controller and chose the eap-gtc type, and one of those 2: eap-tls / eap-peap.

    After authentication via wpa2-aes/tkip it shows some certificate to trust (this self-signed controller thingy), but authentication doesn't work.

    Where can I get this shim? I'm using Win7 with the zero-supplicant of Win7; perhaps using Intel PROSet would be the better option here.

     

    regards

     

     

        


  • 6.  RE: can someone provide some idea to solve this LDAP problem

    EMPLOYEE
    Posted Nov 30, 2011 09:58 AM

    The "shim" would be the PEAP-GTC plugin.  You can download this at http://support.arubanetworks.com under Tools for Windows XP, VISTA and Windows 7.  Intel ProSet does support an inner type of PEAP-GTC and is an alternative.

     

    In the long run, loading software on every laptop and configuring it manually does not scale.  If you configure Radius instead of LDAP, you can always use group policy to configure clients in an AD environment automatically without loading software.



  • 7.  RE: can someone provide some idea to solve this LDAP problem

    Posted Nov 30, 2011 10:10 AM

    Yeah, I tried with Win7 64-bit where I have the full PROSet package and PEAP/GTC worked, but I'm pushed into the wrong VLAN and don't know why. In the AAA profile I set "authenticated" and I said the VAP belongs to the corporate VLAN, but I'm getting an IP of the guest network and don't know why.

    Besides, as information, I have to server_rules active, because I can't find the "internal" server rule named "ROLE"; I can't choose it in the list. Why? Other name, renamed? Or should it work without any server rule?

    The default values: Machine Authentication: Default User Role -> guest, I didn't change. Should I change those also to "authenticated"? I wonder why I'm pushed into the guest VLAN instead of the VLAN I set in the VAP. Do you see my error?

     

    regards



  • 8.  RE: can someone provide some idea to solve this LDAP problem

    EMPLOYEE
    Posted Nov 30, 2011 10:13 AM

    You should check your Default 802.1x role in the AAA profile.  You should also check what role the user gets when authenticated and see if that role has a VLAN in it.

     

    Ultimately, you should turn on user debugging to see why it is ending up in that VLAN.

     



  • 9.  RE: can someone provide some idea to solve this LDAP problem

    Posted Nov 30, 2011 10:17 AM

    Yepp, perfect, works, changed from "guest" to "authenticated". Well, this is just a test, but perfect.

    cjoseph, thanks again for being available 24/7 for us (you aren't some bot, or?)

    Rumours (Aruba trainers) are saying "oh well, this guy cjoseph is 24/7 awake, always online in the Airheads BB" ;-)

     

    regards

    benjamin