Contributor I
Posts: 30
Registered: ‎01-05-2016

how to configure 802.1x with radius ?

Hello everyone,

 

I am trying to configure 802.1x on an AP-225 with a Radius server. The AP can see the Radius and communicates with it, but doesn't match the wanted Radius policy.

 

AP version : 6.4.2.6-4.1.1.11

 

Here is my SSID conf:

 

networkaruba.PNG

ssidsecurity.PNG

 

Radius config :

confradius.PNG

Radius is a Windows server 2008 R2

My radius policy :

 -Condition :

conditionradius.PNG

 - constraint :

constraint.PNG

 

- attributes :

vlanradius.PNG

 

When I try to connect to the SSID, I expect it to work with my Radius policy, but it works with the default Radius policy. So Radius asks for credentials, while I wish it would verify the certificate of the machine.

 

Conditions are met :

 - Same station ID

 - good windows groups

 - good NAS Port type

 

Does anyone have an idea? An omission in the Radius and/or SSID config?

 

PS: access logs on radius

radiusevent1.PNG

radiusevent2.PNG

radiusevent3.png

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: how to configure 802.1x with radius ?

You need to add an authentication of MsChapV2 or PEAP, instead of Smartcard or other certificate.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 30
Registered: ‎01-05-2016

Re: how to configure 802.1x with radius ?

I want it to work with device certificate, not with authentication.

MVP
Posts: 226
Registered: ‎03-03-2011

Re: how to configure 802.1x with radius ?

How does the device wireless profile look?

David
ACDX #98 | ACMP | ACCP
Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: how to configure 802.1x with radius ?

Did you already issue a certificate to your client?

 

The IAP configuration is agnostic to what is configured on your client and Radius Server.  What is configured on the radius server and the client must match.  The IAP configuration is straightforward.  Just make sure you are not enabling termination on the IAP radius configuration.  The client must have "smartcard or other certificate" configured and have a device certificate issued to it.  You have most of the messages blurred out, so it is hard to say what your problem is.



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 30
Registered: ‎01-05-2016

Re: how to configure 802.1x with radius ?

[ Edited ]

First, thanks a lot for the help.

 

I had a problem with device wireless profile. It did user certificate instead of machine certificate.

I misspoke, it is not device certificate but machine certificate.

 

Now I can see the machine certificate in the access logs of the Radius. But it still doesn't match the wanted policy. I think the calling station ID condition is wrong; I put .:SSID_NAME$ like I do with Cisco APs, but it's probably not the right syntax.

 

Or maybe it's a client/AP config problem. I will try to explain myself; now I have this in the access logs:

 

radiusevent4.PNG

And I expect the CalledStationID to look like this: @MAC:<SSID_name>. That's probably why it doesn't match. Is something missing in the SSID configuration?

 

Sorry for the blurred messages, I don't make company policy. What information do you want to see?

 

PS: hope you can't read my English :D

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: how to configure 802.1x with radius ?

The @mac:SSID syntax is wrong.  Aruba Instant does not send that information as the username.  You should remove all of the rules and just get it to authenticate, first.  When you do that, you can then enforce rules.  If anything, you can just filter by the nas-ip, if you just want to make sure the Instant AP hits a specific rule first.



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 30
Registered: ‎01-05-2016

Re: how to configure 802.1x with radius ?

[ Edited ]

With only a condition on the NAS IP, the AP hits a specific rule. But Radius refuses the connection:

 

radiusevent5.PNG

I am a bit lost with all the explanations I find on Google.

 

EDIT: coming from an outdated certificate

 

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: how to configure 802.1x with radius ?

Make sure that the radius shared secret is the same.


Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: how to configure 802.1x with radius ?

The 262 error you are seeing usually means the client had an issue validating the RADIUS server certificate. Try to disable the "Validate server certificate" on the client supplicant. If you are able to authenticate at that point, you'll need to take a look at the certificate installed to the NPS server that is used on that NPS policy. Likely reasons are that the client does not trust it or perhaps it is expired, etc.

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
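
An added example, not part of the original thread: one way to check the certificate on the NPS server for the causes named in the reply above (expired, or not chaining to a trusted CA), so that "Validate server certificate" can be turned back on at the client once the cause is found. It assumes the NPS server certificate is in the local machine "Personal" store; the function name and the 30-day warning window are hypothetical choices. Run it on the NPS server in an elevated PowerShell prompt.

```powershell
# Added example: audit candidate RADIUS (NPS) server certificates in the
# local machine store. Uses only .NET X509 classes, so it also runs on the
# PowerShell 2.0 that ships with Windows Server 2008 R2.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID for "Server Authentication"
$warnDays      = 30                    # assumption: warn this far before expiry

function Test-NpsServerCertificate {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the EKU OIDs listed in the certificate, if any.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Build the chain against this machine's trust store, with online revocation checks.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk     = $chain.Build($Cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        OutsideValidity = ($now -gt $Cert.NotAfter) -or ($now -lt $Cert.NotBefore)
        ExpiresSoon     = ($Cert.NotAfter -lt $now.AddDays($warnDays))
        HasPrivateKey   = $Cert.HasPrivateKey
        ServerAuthEku   = ($ekuOids -contains $serverAuthOid)
        ChainValid      = $chainOk
        ChainErrors     = $chainErrors
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsServerCertificate -Cert $_ } |
    Sort-Object NotAfter |
    Format-List Subject, Thumbprint, NotAfter, OutsideValidity, ExpiresSoon,
                HasPrivateKey, ServerAuthEku, ChainValid, ChainErrors
```

The chain result reflects what the server itself trusts; the client must separately have the issuing CA in its own trusted root store for server certificate validation to pass.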
