Controllerless Networks

last person joined: yesterday 

Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.
Expand all | Collapse all

Radius Authentication with IAP-135

  • 1.  Radius Authentication with IAP-135

    Posted May 05, 2014 04:30 AM

    I am trying to do 802.1x authentication with IAP-135, which is RADIUS Server to talk with IAP-135.

    i have setup a RADIUS Server (via Windows Server 2012)

     

    I am confused with the IP assignment.

     

    1. When I configure 802.1X, I created a RADIUS client. The IP address of this RADIUS client should comes from IAP-135 (Master).

     

    2. When I clicked on the 'Security' tab - Authentication Server, I created a RADIUS Server. This IP address should come from the IP address of my RADIUS Server (WIndows Server 2012)

     

    Am I right? Any misconfigurations? Any missing steps?

     

    When I login to Instant User Interface, I discovered there is a client available on the instant network. The IP address of this client belongs to?

     

    Pls advise.



  • 2.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 05:46 AM

    Did you setup a WLAN?  If you did not, the initial "Instant" SSID is still broadcasting and accepting clients.



  • 3.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 05:50 AM

    I have a created  WLAN, domain: WLAN.net.



  • 4.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 05:55 AM

    Did you delete the instant WLAN, or is it still broadcasting?



  • 5.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 06:00 AM

    I created a new SSID = TestIAP, now the Istant SSID is erased.



  • 6.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 06:43 AM
    Add VC IP address and add that as the radius client , make sure you enable dynamic radius proxy under the system settings


  • 7.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 09:52 PM

    Dynamic radius proxy = enabled.

     

    But the IP address of Virtual Controller should not 0.0.0.0 .

    This IP address comes from where?

     

    Please advise.



  • 8.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 10:26 PM

    What is the reason for enabling  dynamic radius proxy?



  • 9.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 10:39 PM

    enabling dynamic radius proxy is so that source IP address is always that of the virtual controller so you will only need one client entry on your radius server; this is no matter what access point a client authenticates to.  Where do you see 0.0.0.0?



  • 10.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 11:02 PM

    Under the system's settings, General tab.



  • 11.  RE: Radius Authentication with IAP-135

    Posted May 05, 2014 11:27 PM

    When I install Certificate Authority, the setup type is standalone. I can't select Enterprise type. Could this be the root issue?



  • 12.  RE: Radius Authentication with IAP-135

    Posted May 06, 2014 05:57 AM

    Suggestforme,

     

    You can make that any ip address on the subnet.  Consider it the consistent address that the Virtual Controller will have, no matter which IAP is the master controller.  http://www.arubanetworks.com/techdocs/Instant_40_WebHelp/InstantWebHelp.htm#UG_files/virtual_controller/Virtual_Controller_IP_Ad.htm

     

    When you have enable dynamic radius proxy enabled, it also will always be the source ip address of radius authentication to your radius server.



  • 13.  RE: Radius Authentication with IAP-135

    Posted May 06, 2014 06:42 AM

    cjoseph,

     

    I followed the steps listed in this link,

    http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

     

    However, the server I am using is Windows Server 2012.

     

    I can't authenticate against my Windows Server 2012.



  • 14.  RE: Radius Authentication with IAP-135

    Posted May 06, 2014 06:47 AM

    Do not enable termination on instant.  You should try authenticating with a smartphone first.  Do you see anything in the eventviewer in the Windows 2008 server?

     



  • 15.  RE: Radius Authentication with IAP-135

    Posted May 06, 2014 06:56 AM
      |   view attached

    cjoseph,

     

    There is no events displaysed on Event Viewer in Windows Server 2012.

     

    But my WLAN.net network (in the WIndows Server 2012) shows limited access. See screenshot.



  • 16.  RE: Radius Authentication with IAP-135

    Posted May 06, 2014 07:02 AM

    Are you trying to authenticate a server to the wireless?  Limited access means that there needs to be DHCP on that VLAN.



  • 17.  RE: Radius Authentication with IAP-135

    Posted May 06, 2014 08:34 AM

    Yes, I am  trying to authenticate the Windows Server 2012 to the wireless?

     

    I did the DHCP configuration too, it shows an error msg.



  • 18.  RE: Radius Authentication with IAP-135

    Posted May 06, 2014 08:37 AM
    You should start by authenticating a smartphone to the wireless, not a server.

    If you do not see anything in the event viewer, you do not have the radius server in the IAP pointing to your radius server you are using for authentication...


  • 19.  RE: Radius Authentication with IAP-135

    Posted May 06, 2014 11:15 PM

    cjoseph,

     

    I am try to perform Layer 2 authentication with RADIUS Server with IAP-135.

     

    How should I go about doing it?



  • 20.  RE: Radius Authentication with IAP-135

    Posted May 07, 2014 04:33 AM

    Suggestforme,

     

    Please look at this link here: http://www.arubanetworks.com/techdocs/Instant_40_WebHelp/InstantWebHelp.htm#UG_files/WLAN_SSID_conf/ConfiguringSecuritySettings.htm to look at the necessary parameters.



  • 21.  RE: Radius Authentication with IAP-135

    Posted May 07, 2014 05:30 AM
      |   view attached

    cjoseph,

     

    I am confused with the IP assignment.

     

    1. When I I created a RADIUS client in NPS(Windows Server). The IP address of this RADIUS client should come where?

     

    2. When I clicked on the 'Security' tab (in Instant UI) - Authentication Server, I created a RADIUS Server. Does this IP address should come from the IP address of my RADIUS Server (WIndows Server 2012)

     

    3. I opened DHCP Manager, I clicked on Scope (refer to attached screenshoot). I saw 2 address pools. What does the range of this IP addresses imply? Please advise.



  • 22.  RE: Radius Authentication with IAP-135

    Posted May 07, 2014 05:32 AM

    cjoseph,

     

    I looked at the attached link and followed the instructions, I can't seem to authenticate RADIUS Server to "talk" with IAP-135



  • 23.  RE: Radius Authentication with IAP-135

    Posted May 07, 2014 05:56 AM

    1. When I I created a RADIUS client in NPS(Windows Server). The IP address of this RADIUS client should come where?

     

    that should be the IP address of you virtual master IAP, if you have just one, that IP

     

    2. When I clicked on the 'Security' tab (in Instant UI) - Authentication Server, I created a RADIUS Server. Does this IP address should come from the IP address of my RADIUS Server (WIndows Server 2012)

     

    yes that should be the IP of your radius server

     

    3. I opened DHCP Manager, I clicked on Scope (refer to attached screenshoot). I saw 2 address pools. What does the range of this IP addresses imply? Please advise.

     

    that is a bit out of scope for us, it is your network, you should know what is going on or ask someone who can tell you.

     

    basically it shows two dhcps scopes, one in the 10. range and one in the 192.168. range.


    it might be better to start a little simpler, create an open network or one with a WPA2 key and get that working. ones it works you can look at dot1x.



  • 24.  RE: Radius Authentication with IAP-135

    Posted May 07, 2014 09:57 PM

    boneyard,

     

    I managed to create an open network in the Instant UI.

     

    I would like to focus on doing 802.1x authentication.



  • 25.  RE: Radius Authentication with IAP-135

    Posted May 08, 2014 02:15 AM

    creating is one thing, but were you able to connect with a client and get network access?

     

    as for dot1x, what exactly is holding you back now, you asked two questions about which IPs to use, those answers you have now. what isnt working, have you tried to connect? what happens?

     

    NPS is a radius server, but the reporting isnt that good. have you checked the event viewer for radius related messages?



  • 26.  RE: Radius Authentication with IAP-135

    Posted May 09, 2014 05:52 AM

    Hi boneyard,

     

    With the issue on IP address assignment, I can't perform L2 authentication with Aruba Instant. That's holding me back.

    I followed the steps configuration.



  • 27.  RE: Radius Authentication with IAP-135

    Posted May 09, 2014 05:59 AM

    what issue of IP assignment? doesn't your IAP get an IP? sorry but you lost me. if you feel up to it please try to clearly describe what your current issue is.



  • 28.  RE: Radius Authentication with IAP-135

    Posted May 09, 2014 07:21 AM

    Hi bomeyard,

    Let's go the basics:

     

    I want to perform 802.1x authentication, therefore,

    my supplicant: my working laptop

    my authenticator: my IAP-135 device

    my authentication server should be my windows server 2012 (correct me if I am wrong).

     

    Currently, I managed to create a Test SSID - (VC assigned IP, open, unrestricted.)
    Instant SSID has been erased.

     

    I created a server - Test.wlan.net (domain), with my IP address: 10.10.10.201 (I assume this is my RADIUS Server.)

     

    In Open UI, under System Settings, I added an authentication server which the ip address should be my RADIUS Server.


    My VC IP for Open SSID shows: 0.0.0.0

    Master: 169.252.254.98 - This master IP is?

     

    By right, when I click on Open SSID, I should be ask for my credential (PSK) to authenticate?  Am I right?

     

     



  • 29.  RE: Radius Authentication with IAP-135

    Posted May 09, 2014 07:39 AM

    i would assume the IP is a bit different and an auto assigned apipa ip which means your dhcp doesnt function, can you check that when you connect a laptop in that network where the IAP is now it gets a good DHCP address?

     

    how many IAPs are in the network? just one, nothing else around?

     

    also an open network doesnt have a PSK, it is just open. a WPA(2) network would ask for a key.

     

    you can configure the VC address your self if you want to.



  • 30.  RE: Radius Authentication with IAP-135

    Posted May 11, 2014 10:53 PM
      |   view attached

    Hi boneyard,

     

    I only have one AP - IAP-135

     

    The Test SSID which was created, the Security Level is Open, Role: Unrestricted.

     

    I have attached a screenshot of Test SSID details.

    No good DHCP address found.



  • 31.  RE: Radius Authentication with IAP-135

    Posted May 12, 2014 02:31 AM

    you attached a screenshot of the windows IP settings which seem to be ok, you get an IP and not an odd one in my opinion.

     

    what is the problem?



  • 32.  RE: Radius Authentication with IAP-135

    Posted May 14, 2014 02:56 AM

    Hi boneyard,

    Now I have connected my IAP-135 to a switch. (Switch can ping to IAP-135 & DHCP Server)

    Switch cannot ping to NPS.

    IAP-135 with the IP add: 192.168.X.X

    Setup a DHCP-client with the IP add: 192.168.X.X

    NPS(RADIUS) also connected to a switch too, with IP add: 192.168.X.X

    IP addresses are of the same subnet mask, should be able to ping.

     

    My NPS and IAP-135 does not communicate. Destination host unreachable.