Security


Restricting Authentication Type on SSID

  • 1.  Restricting Authentication Type on SSID

    Posted Jan 09, 2012 11:19 AM

    Hi,

    Aruba 620, AP105, ArubaOS 5.0.4.2.

    I have two SSIDs, "USER" & "CERT". I want to restrict the USER SSID so that it will only authenticate PEAP-MSChapV2, and the CERT SSID so that only user certificates can be used. The dot1x profiles are configured as below:

    aaa authentication dot1x "CERT-dot1x_prof"
      termination eap-type eap-tls
    !
    aaa authentication dot1x "USER-dot1x_prof"
      termination eap-type eap-peap
      termination inner-eap-type eap-mschapv2

    The issue is I can authenticate on either SSID using either authentication method.

    What possible solutions are there to this issue?

    Regards,

    Nigel



  • 2.  RE: Restricting Authentication Type on SSID

    Posted Jan 09, 2012 11:33 AM

    @Nigel.Kemp@uk.fujitsu.com wrote: [quotes post 1 in full]


    Nigel,

    The "termination" options are not in effect unless you enable the "termination" option in the 802.1x profile. With that being said, if you enable termination, you will have to upload a server certificate to the controller for the controller to do EAP-TLS and/or EAP-PEAP. Please see how you would obtain and upload those certificates in the thread here: http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Question-about-the-802-1x-certificate/m-p/17954/highlight/true#M386



  • 3.  RE: Restricting Authentication Type on SSID

    Posted Jan 09, 2012 11:50 AM

    Hi,

    I did not mention an important bit of information.

    Authentication is being done by a W2k3 IAS server; everything is working perfectly except that either authentication method can be used on either SSID.

    Does this alter the need for a server cert on the controller?

    Regards,

    Nigel



  • 4.  RE: Restricting Authentication Type on SSID

    Posted Jan 09, 2012 11:54 AM

    Okay. If it is being done on the server, forget the termination portion.

    Here is the tricky part:

    On the IAS server, do you have a single remote access policy that has both EAP types in it? (PEAP and Smartcard)



  • 5.  RE: Restricting Authentication Type on SSID

    Posted Jan 09, 2012 12:51 PM

    I have two policies: one for computer auth using PEAP-MSChapV2, the other doing user auth for PEAP-MSCHAPv2 and certificates.

    I did have separate policies for user PEAP & cert auth, but this config would only allow one or the other to authenticate.

    Regards,

    Nigel



  • 6.  RE: Restricting Authentication Type on SSID

    Posted Jan 09, 2012 12:58 PM
    Yes. That is the biggest problem with this. For TLS are you issuing machine and user certificates?


  • 7.  RE: Restricting Authentication Type on SSID

    Posted Jan 09, 2012 01:00 PM

    Issuing User Certs



  • 8.  RE: Restricting Authentication Type on SSID

    Posted Jan 09, 2012 06:18 PM

    Okay.  So unless you are using Termination on the Aruba controller, you cannot enforce the inner EAP type on an SSID.



  • 9.  RE: Restricting Authentication Type on SSID

    Posted Jan 10, 2012 04:26 AM

    Having a separate RADIUS server for each SSID (one allowing PEAP only, the other Smart Card & Cert) should provide the control I require.

    The actual requirement is to control the access of the devices authenticated using certificates (iPads). I am unable to upgrade to ArubaOS V6 as there are too many 800 controllers in the network.

    Are there any other methods that could be used to achieve the desired result?

    Regards,

    Nigel



  • 10.  RE: Restricting Authentication Type on SSID

    Posted Jan 10, 2012 05:57 AM

    @Nigel.Kemp@uk.fujitsu.com wrote: [quotes post 9 in full]


    There is one other option: EAP-GTC. Here is how you would do it:

    1.  Set up an LDAP server on the controller that connects to the same RADIUS server, but using LDAP. Test the server using AAA test server on the diagnostics tab on the controller, to make sure it works.

    2.  Run the WLAN/LAN Wizard the way you normally would to create a wireless network, using the encryption you want, but choose "Select From Known Servers". Choose the LDAP server you just created and tested. You should see a message that says "EAP-type eap-peap/eap-gtc has been selected. To change the EAP-Type please use the advanced UI". Click on OK to continue setting it up until you are finished.

    You would be left with a different WLAN that does EAP-PEAP but with a GTC inner-EAP type. You can remove the PEAP/mschap portion of the remote access policy on the RADIUS server and then it will not allow PEAP devices on your first WLAN.



  • 11.  RE: Restricting Authentication Type on SSID
    Best Answer

    Posted Jan 10, 2012 06:11 AM

    Thanks for your help.

    I have gone for the two RADIUS servers option.

    • One is existing within the Domain and only allows PEAP.
    • A new IAS server has been added to the PKI and only allows certificate auth.

    Testing shows this has the desired effect: laptops in the Domain cannot authenticate on the "CERT" SSID, and the iPads cannot authenticate with the "USER" SSID. The two device types get the appropriate user role upon successful authentication.

    This has an added benefit in that Domain and PKI management are carried out by different groups, therefore the support boundaries remain clear.

    Regards,

    Nigel



  • 12.  RE: Restricting Authentication Type on SSID

    Posted Jan 11, 2012 07:13 PM

    Late to the game, but you could also utilize NAS-ID/NAS-IP fields in your RADIUS policy to use two different RADIUS auth policies on the same server. For me on my home lab RADIUS server, I use a NAS-ID of PEAP on my PEAP auth policy, and use NAS-ID of TLS on my TLS policy all on the same RADIUS server. This way, when a client authenticates to your PEAP SSID, the RADIUS auth request puts the NAS-ID field of PEAP in the request, and it will ONLY match on the RADIUS policy. You then configure the matching NAS-ID in the RADIUS server setup.
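The NAS-ID approach above works because the RADIUS server can key its policy on the NAS-Identifier attribute the controller sends per SSID and then refuse to continue an EAP method that policy does not allow. The following is an added example, not code from the original thread, from Aruba, or from Microsoft IAS/NPS: a small Python model that builds a constructed RADIUS Access-Request, parses its attribute TLVs (NAS-Identifier is attribute 32, EAP-Message is attribute 79), reads the outer EAP method type from the EAP response (13 = EAP-TLS, 25 = PEAP) and applies a hypothetical policy table keyed on NAS-Identifier. The policy names, the NAS-ID values "PEAP" and "TLS", and the packet contents are assumptions for the demo. As the thread notes, the inner method of PEAP (MSCHAPv2 or GTC) runs inside the TLS tunnel and is not visible to a parser like this; only the outer method can be pinned from the request itself.

```python
import struct

# RADIUS attribute type codes (RFC 2865, RFC 3579) used in this example.
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79

# EAP codes and method type numbers (RFC 3748, RFC 5216, PEAP).
EAP_CODE_RESPONSE = 2
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25

RADIUS_HEADER_LEN = 20

# Hypothetical policy table (an assumption for the demo) modelling the two
# NAS-ID keyed policies from the post: the NAS-Identifier the controller sends
# for each SSID selects the policy, and the policy pins the outer EAP method.
POLICIES = [
    {"name": "USER-SSID PEAP only", "nas_id": "PEAP", "eap_types": {EAP_TYPE_PEAP}},
    {"name": "CERT-SSID TLS only", "nas_id": "TLS", "eap_types": {EAP_TYPE_TLS}},
]


def build_access_request(user, nas_id, eap_type, identifier=1):
    """Constructed Access-Request for the demo: RADIUS header plus three AVPs.

    The EAP-Message models the round in which the supplicant answers with the
    outer method type it is willing to run (PEAP or TLS)."""
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, 5, eap_type)
    avps = b""
    for attr_type, value in ((ATTR_USER_NAME, user.encode()),
                             (ATTR_NAS_IDENTIFIER, nas_id.encode()),
                             (ATTR_EAP_MESSAGE, eap)):
        avps += struct.pack("!BB", attr_type, len(value) + 2) + value
    # Code 1 = Access-Request; the 16-byte authenticator is zeroed for the demo.
    header = struct.pack("!BBH16s", 1, identifier,
                         RADIUS_HEADER_LEN + len(avps), bytes(16))
    return header + avps


def parse_attributes(packet):
    """Walk the AVP TLVs; returns {type: [value, ...]} or raises on malformed input."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("AVP length out of range")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def evaluate(packet, policies=POLICIES):
    """Return (decision, reason): Access-Challenge to continue EAP, else Access-Reject."""
    attrs = parse_attributes(packet)
    nas_id = b"".join(attrs.get(ATTR_NAS_IDENTIFIER, [])).decode("ascii", "replace")
    eap = b"".join(attrs.get(ATTR_EAP_MESSAGE, []))  # EAP-Message fragments concatenate
    if len(eap) < 5 or eap[0] != EAP_CODE_RESPONSE:
        return ("Access-Reject", "no EAP response in request")
    eap_type = eap[4]
    for policy in policies:
        if policy["nas_id"] != nas_id:
            continue
        if eap_type in policy["eap_types"]:
            return ("Access-Challenge", policy["name"])
        return ("Access-Reject", f"EAP type {eap_type} not allowed by {policy['name']}")
    return ("Access-Reject", f"no policy for NAS-Identifier {nas_id!r}")


if __name__ == "__main__":
    # Constructed requests: a domain laptop and an iPad trying each SSID.
    for user, nas, eap in (("laptop", "PEAP", EAP_TYPE_PEAP), ("ipad", "PEAP", EAP_TYPE_TLS),
                           ("ipad", "TLS", EAP_TYPE_TLS), ("laptop", "TLS", EAP_TYPE_PEAP)):
        print(user, nas, eap, "->", evaluate(build_access_request(user, nas, eap)))
```

Run as a script, the four constructed requests show the laptop continuing only on the "PEAP" NAS-ID and the iPad only on the "TLS" NAS-ID; a request with an unknown NAS-Identifier, or one whose length fields do not add up, is rejected rather than falling through to a default policy.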



  • 13.  RE: Restricting Authentication Type on SSID

    Posted Jul 30, 2012 01:14 PM

    Hi guys,

    Later yet... I've been trying to configure both types of authentication (PEAP and TLS), but neither is working yet. I issue the AAA test server with a user and it's successful, but the client doesn't join the network. I don't have termination enabled in my dot1x profile, and the conditions in the remote policies are the same as Howard posted (for PEAP). Could you please post a screenshot of the remote policy config and the client config? I'm really confused because all seems to be OK; I've read a lot of posts but I can't achieve this.

    Thanks in advance.

    César



  • 14.  RE: Restricting Authentication Type on SSID

    Posted Jul 30, 2012 01:36 PM

    Please get EAP-PEAP working first and then layer in TLS when you have that working. Have you seen the Microsoft guides on the IAS and NPS server in the forums?


  • 15.  RE: Restricting Authentication Type on SSID

    Posted Jul 30, 2012 05:43 PM

    I'm following your advice Colin, but the EAP-PEAP auth is not working either. I'm attaching the NPS configuration and the logs from "show log security" when I try to authenticate with a user. Please let me know what I'm doing wrong to move forward to TLS authentication. Thanks in advance.

    César

    Attachment(s): Show log security.txt