Good Morning AirHeads...
Over the weekend we had a disk failure on one of our core servers. I got it back up and running, but my RADIUS and Certificate services had to be reinstalled and I had to re-issue the certificate for my Aruba 3400 to use for RADIUS. I was able to do that with the 802.1x stuff with no problem at all -- everyone who is on our 802.1x WiFi is up and running and happy.
However, we have a captive portal that authenticates back to our Active Directory too... that is not working. I cannot figure out where to go to find out what the issue is... Can anyone point me in the right direction for Captive Portal Authentication via Active Directory (RADIUS)?
We have an Aruba 3400 controller and the RADIUS server is Windows 2008 R2.
Any help is appreciated! Thanks!
The servers you are using for Captive Portal authentications are located under Authentication --> Layer 3 --> Captive Portal Authentication Profile --> Select your profile and check what Server Group is being used. Then confirm this group has the proper RADIUS server in it to reflect your needs.
Yes, it does have the correct Server Group listed.
If it is the same server, then you know the server and shared secret are working fine. You should check the logs on the RADIUS server then to see if it is dropping/rejecting the requests from Captive Portal users. Keep in mind, the request from Captive Portal will be using PAP (or CHAP if you have it set) authentication as compared to PEAP; so your RADIUS policies should reflect this.
Hmm... that might be the issue...
Any pointers on how to do that? Is that in the certificate itself?
Nope, should have nothing to do with the certificate. What RADIUS server are you running?
Windows 2008 R2 NPAS, seems to work fine with the 802.1x stuff... but I set that up based on Aruba's step-by-step instructions... I don't have a lot of experience with it, so finding my way around is really tough for me.
So the problem is not with the captive portal page itself; it appears normally?
Can you test it first with the local DB, so we can ignore any issue with the captive portal configuration causing any type of fault.
If everything is fine, then the next step is the following:
Is your AD the same for employees and guests? In other words, does it say authentication successful when you test it from the diagnostic window? If so, then please tell me how many IP addresses are configured in your controller, how many gateways, and did you check Terminate or not?
There is 1 IP Address for the controller. Yes, the Captive Portal page appears -- but access is denied when the user puts a valid username/password in.
We have a guest login set up with the internal database on a different SSID that works fine. It is just something to do with the RADIUS Captive Portal config and the new certificate...
How do I test it in the diagnostic window? I don't know where that is.
On the server I get the following error with the Captive portal via RADIUS:
The full configurations will vary depending on how you want the NPS server to respond to the requests. I typically have customers create two network policies (or more) for this.
** The following are generic recommendations; I do not know what current conditions you have set for your policy.
The first would be for secure 802.1x authentications; which you have confirmed you have working.
The second would be for captive portal logons. There would be a couple of changes. At a minimum, the supported authentication type would be PAP, not PEAP/MSCHAPv2 as you have for your secure wireless policy. If you need to be more restrictive (for example, members of only certain groups can use the captive portal page) you can add additional conditions.
Again, this is not a detailed setup; but if you duplicate your existing Network Policy and change the supported authentication type, that should get you started.... You can then work on firming up your conditions for the policy's application. If your current secure wireless policy is returning attributes to the controller (user-role or VLAN, for example), you may need to remove or alter these to meet your needs.
I went into NPS -> Policies -> Network Policies -> and selected the Policy. Then I went to Constraints and Authentication Methods. I added Protected EAP, EAP-MSCHAP v2 and checked the MS-CHAP v2, MS-CHAP, CHAP and PAP, SPAP boxes...
It finally seems to work... I think the PAP, SPAP one is what made it work when I did it in the Connection Request Policies... not 100% sure though.
PAP is needed for captive portal by default. So long as you are OK with the policies that way. Often I'll see separate policies with stricter conditions set to differentiate each. Glad it worked out.
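The PAP point in the replies above, as an added example that is not from this thread, Aruba or Microsoft: RFC 2865 User-Password hiding and a minimal PAP Access-Request, built and then parsed the way the RADIUS server sees it. It shows why the captive portal path needs a policy that accepts PAP (the password arrives as an obfuscated attribute, not inside a TLS tunnel as with PEAP) and why a wrong shared secret gives a reject rather than an error. All names and values are constructed.

```python
import hashlib
import os
import struct

# Added example (not from the thread): RFC 2865 section 5.2 PAP password hiding
# and a bare Access-Request, to show what a captive-portal login looks like on
# the wire. The secret, username and password used in tests are constructed.

def hide_password(password, secret, authenticator):
    """Client side (the controller): hide the PAP password with the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-octet blocks
    out, prev = b"", authenticator                         # first block keyed by Request Authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev                                        # next block keyed by previous ciphertext
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side (NPS): undo the hiding; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ b for h, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, ident=1, authenticator=None):
    """Build a PAP Access-Request (code 1) carrying User-Name(1) and User-Password(2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, username), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))   # code, id, total length
    return header + authenticator + attrs

def parse_pap_request(packet, secret):
    """Parse as the server would; return (username, cleartext password)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:                                    # walk the TLV attribute list
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    if 2 not in attrs:
        raise ValueError("no User-Password attribute: this is not a PAP request")
    return attrs[1].decode(), reveal_password(attrs[2], secret, authenticator).decode(errors="replace")
```

Running the same packet through parse_pap_request with a different secret returns a valid-looking but wrong password, which is why a secret mismatch shows up on NPS as a credential reject rather than a protocol error.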
Thanks! Now that I have it working again I will start to fine tune them.