Wireless Access

Occasional Contributor II
Posts: 14
Registered: ‎10-29-2012

local termination dot1x

Hi, we have local termination enabled on the controller for dot1x. We need to enforce machine auth so we need to turn local termination off. The build engineer enabled it originally as the Windows XP clients would not authenticate when it was switched off originally. Once he enabled local termination the clients authenticated ok. Can someone advise on why the clients may not be able to authenticate successfully without local termination?

Thanks

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: local termination dot1x

That is because your external radius server does not have a server certificate that your clients trust.  Please install a server certificate on your external radius server.

 

http://community.arubanetworks.com/aruba/attachments/aruba/authentication-and-access-control/1390/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 14
Registered: ‎10-29-2012

Re: local termination dot1x

Thanks for the reply, I didn't think we were required to use certificates? Are they mandatory if we don't want to use local termination?

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: local termination dot1x

Yes.  A single server certificate on your radius server is mandatory in your situation, yes.

 

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 14
Registered: ‎10-29-2012

Re: local termination dot1x

Can I just check one more thing, sorry if I'm being a bit stupid here, probably my lack of understanding. Can you validate the following approach I'm going to take:

We will use a Windows 2003 CA server to generate a certificate

We will install this on the Windows 2003 IAS server

We will via group policy ensure the Windows XP clients trust the Windows 2003 CA

We can then disable local termination on the controllers and hopefully machine authentication will now work?

Thanks

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: local termination dot1x


j_moss_home wrote:

Can I just check one more thing, sorry if I'm being a bit stupid here, probably my lack of understanding. Can you validate the following approach I'm going to take:

We will use a Windows 2003 CA server to generate a certificate

We will install this on the Windows 2003 IAS server

We will via group policy ensure the Windows XP clients trust the Windows 2003 CA

We can then disable local termination on the controllers and hopefully machine authentication will now work?

Thanks


It is slightly better than that:

 

If your Windows 2003 CA is an Enterprise CA (by default it is), clients will automatically trust the Windows CA.  The only gotcha is that they will trust it within the first Group Policy refresh period, so you might have to do a "gpupdate /force" on the command line if those devices have not refreshed their group policy.

 

You can then disable local termination and machine authentication should work, Yes.

 

Please see the PDF in the post here:  http://community.arubanetworks.com/t5/Authentication-and-Access/Step-by-Step-How-to-Configure-Microsoft-IAS-Radius-Server-from/m-p/14391/highlight/true#M80 for detailed instructions.

 



Colin Joseph
Aruba Customer Engineering
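
A check that could be run on one client after "gpupdate /force" and before local termination is disabled, as an added example that is not part of the original thread: it tests whether this machine would trust the RADIUS server's certificate. The file path and the function name are hypothetical, PowerShell is assumed to be installed on the client, and the Server Authentication EKU check reflects Microsoft's PEAP server-certificate requirements rather than anything stated in the posts.

```powershell
# Added example (not from the thread). Run on a client after "gpupdate /force".
# Assumption: the RADIUS server certificate (public part only) was exported to
# the hypothetical path below. Function and parameter names are illustrative.
param([string]$CertPath = 'C:\temp\ias-server.cer')

function Test-RadiusServerCert {
    param([string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $findings = @()

    # 1. The certificate must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
    }

    # 2. PEAP clients expect the Server Authentication purpose in the EKU extension.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($eku) {
        foreach ($usage in $eku.EnhancedKeyUsages) {
            if ($usage.Value -eq $serverAuthOid) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { $findings += 'No Server Authentication EKU' }

    # 3. The chain must end in a root this machine trusts. With an Enterprise CA
    #    that root arrives through Group Policy, so an UntrustedRoot status here
    #    means the client has not picked up the CA yet.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped so the result reflects trust only and works offline.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        foreach ($status in $chain.ChainStatus) {
            $findings += "Chain: $($status.Status) - $($status.StatusInformation.Trim())"
        }
    }
    return ,$findings
}

$result = Test-RadiusServerCert -Path $CertPath
if ($result.Count -eq 0) {
    Write-Output 'OK: certificate is in date, has the Server Authentication EKU and chains to a trusted root'
} else {
    $result | ForEach-Object { Write-Output "FAIL: $_" }
}
```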


Occasional Contributor II
Posts: 14
Registered: ‎10-29-2012

Re: local termination dot1x

awesome, thanks for the quick response and your help!
