Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS 8.7 - 802.1x with Active Directory w/o external Radius

  • 1.  ArubaOS 8.7 - 802.1x with Active Directory w/o external Radius

    Posted Feb 22, 2021 01:14 AM
    Dear Experts, 

    Is there any way to perform 802.1x authentication directly with AD without using any 3rd party Radius server such as MS NPS or ClearPass? I have read that it requires EAP-GTC, but then I have also received feedback from existing clients of our competition R.... and C.... that they are doing it already on their controllers without any Radius server and without GTC.

    Is it possible somehow to achieve this?

    ------------------------------
    owais iqbal
    ------------------------------


  • 2.  RE: ArubaOS 8.7 - 802.1x with Active Directory w/o external Radius

    EMPLOYEE
    Posted Feb 22, 2021 02:58 AM
    Yes, you can do 802.1X with users in the internal database (PEAP-MSCHAPv2), you can even do EAP-TLS on the controller, and you can do EAP-GTC against LDAP accounts. While this is possible, you probably don't want to deploy it like this with few exceptions.

    For EAP-PEAP-MSCHAPv2, you need access to the password hashes, and that is in AD only available to systems that are joined to the domain. I don't think you want to join your APs or controllers to the domain. Having said that, you should not deploy EAP-PEAP-MSCHAPv2 with very few exceptions, as your user credentials (password) are at risk unless you have locked down your clients and have full control over them. Use EAP-TLS wherever you can.

    Having a RADIUS server also has big benefits, like centralized logging of devices and users getting on your network, account control, and authorization based on more than just the username.

    Can't speak for the competition, but can tell it is a bad idea in most cases. There are many features that can be done but should not be in a best-practice situation. Please reach out to your Aruba partner or Aruba SE to discuss your use case and how to explain this to your management/customers.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: ArubaOS 8.7 - 802.1x with Active Directory w/o external Radius

    MVP
    Posted Feb 23, 2021 07:37 AM
    MS NPS is not third party and is Microsoft's solution for how AD integrates with 802.1X.

    ArubaOS controllers can terminate RADIUS internally though, I believe. That is external to AD though and involves an Aruba solution.

    ------------------------------
    Bruce Osborne
    ------------------------------