Wireless Access

last person joined: 4 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

What kind of authentication I should use?

  • 1.  What kind of authentication I should use?

    Posted Dec 02, 2011 07:37 AM

    Hi team, me again.

    My problem here is that,I need to configure the controller (Aruba 800) to permit the users login into the company domain without intervention of them.
    Is any way to perform this task with a minimal installation of extra soft in the users PC´s.
    I could install an LDAP server authentication but I installed the APT-GTC plugin to permit me use this kind of authentication.
    Reading the documentation I found that I can use a RADIUS server and install certificates in the controller and users' PC´s.

    A year ago a similar scheme was installed in the controller and the users, used WPA & TKIP for authentication (this is all the info I´ve got), but the old company erased all the configurations and we are using a password authentication scheme

    I need the users does not type their credentials and the controller should recongnize taht the users belongs to the domain.

    Sorry for my english, if you need to more info I will try to explain better!



  • 2.  RE: What kind of authentication I should use?

    Posted Dec 02, 2011 07:42 AM

    You need to move away from LDAP and the GTC plugin.  It is only for users who must use LDAP.  Computers that use Active Directory do not need to do that.

     

    The ArubaOS user guide in the back appendix says how to install both the server and client side on Windows to support radius.  Their method will allow domain machines to login without intervention.  If you have Windows 2003 server, check out the post here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-IAS-Radius-Server-from/m-p/14391/highlight/true#M6112

     



  • 3.  RE: What kind of authentication I should use?

    Posted Dec 02, 2011 07:59 AM

    cjoseph

    thanks again for your help! I will check the info you've send me!

     

    Regards.



  • 4.  RE: What kind of authentication I should use?

    Posted Dec 02, 2011 09:11 AM

    I generally learn towards IAS or NPS in the  MS Server itself. It's a direct tie in to AD groups and windows supports EAP and MSChap natively. There is also a WZC (windows zero config) tool on our support site somewhere that can help with setting up the windows clients for 802.1x. LDAP is so limited and like you said, you need to load IGTC clients to use LDAP.



  • 5.  RE: What kind of authentication I should use?

    Posted Dec 06, 2011 03:00 PM

    Team, can I implement a RADIUS scheme over a windows 2008 server?

    I mean, the porceess to set up the services are the same?



  • 6.  RE: What kind of authentication I should use?

    Posted Dec 06, 2011 03:12 PM

    Absolutely. Yes. I believe in 2008 it is regarded as NPS, and is simply the Radius front end to Active Directory. We have a document somewhere that outlines the steps to set up NPS in Server 2008.



  • 7.  RE: What kind of authentication I should use?

    Posted Dec 06, 2011 03:14 PM

    search for this:

     

    Step-by-Step: How to Configure Microsoft NPS 2008 Radius Serverfrom Scratch

     

    and you'll find that document for setting up NPS 2008.

     



  • 8.  RE: What kind of authentication I should use?

    Posted Dec 06, 2011 05:04 PM

    Thanks very much team! I'm going to check that!

     



  • 9.  RE: What kind of authentication I should use?

    Posted Dec 19, 2011 08:39 AM

    Hi team..me again!

    Sorry for the delayed answer. I could install a RADIUS server on a Win 2003 server. I tested the connection to the RADIUS via

     

    Diagnostic ---> AAA Test Server

     

    and I could test it in a succesfull way (but only in PAP authentication method ¿is this ok?).

     

    I could not loggin myself to the wireless network. When I try to logging I can see a message in the wireless network list which says:

     

    Validating identity

    Security-enabled wireless network (WPA2)

     

    How can I trace the error? I think I have a missconfigured item or something that I do not perform but I dont know where.

     

     



  • 10.  RE: What kind of authentication I should use?

    Posted Dec 19, 2011 08:40 AM

    Your remote access policy on the IAS server needs to have MsCHAPv2 enabled, in addition to pap.

     

    After you do that, your AAA test server should work.  MsChapv2 is what clients use to connect and needs to be enabled in the remote access policy.



  • 11.  RE: What kind of authentication I should use?

    Posted Dec 19, 2011 09:17 AM

    cjoseph, the configuration in the IAS is already done.

     

    IAS config.JPG

     

    But I still can't loggin.

    also, From the Diagnostic ---> AAA Test Server, The test went wrong with MSCHAPv2 authentication method.

     



  • 12.  RE: What kind of authentication I should use?

    Posted Dec 19, 2011 09:18 AM

    Well, you need to look in the eventviewer on IAS in System and see why it is failing.  That will tell you exactly why things are not going right.

     



  • 13.  RE: What kind of authentication I should use?

    Posted Dec 19, 2011 03:36 PM


    cjoseph

    I can see this logs from 2003 event viewer server

     

    User jhon doe was denied access.
     Fully-Qualified-User-Name = ********************************************
     NAS-IP-Address = xx.xx.xx.xx
     NAS-Identifier = <not present>
     Called-Station-Identifier = 000B86524250
     Calling-Station-Identifier = 000000000000
     Client-Friendly-Name = arcorwac001
     Client-IP-Address = xx.xx.xx.xx

    NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = 0
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Policy-Name = Aruba User
     Authentication-Type = MS-CHAPv2
     EAP-Type = <undetermined>
     Reason-Code = 66
     Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

     

    I do not understan if the error is in te 2003 server or in the client who wants to loggin



  • 14.  RE: What kind of authentication I should use?

    Posted Dec 19, 2011 10:41 PM

    Okay,  I would try unchecking "Validate Server Certificate" in the Client Configuration.



  • 15.  RE: What kind of authentication I should use?

    Posted Dec 20, 2011 07:21 AM

    Hi cjoseph, I tryed without "Validate Server Certificate" and still I can't connect. I tryed with different networks authentications and data encryption, WPA2-TKIP and WPA-TKIP (I thought at some point that was the problem) and still nothing. I think my problem is the RADIUS config. I can't perform the Diagnostic --- AAA Test Server with MSCHAPv2 authentication method in a succesfully way. Yesterday I could find some other messages from the Event Viewer:

     

    Could not retrieve the Remote Access Server's certificate due to the  following error: Cannot find object or property.

    Because no certificate has been configured for clients dialing in with EAP-TLS, a default certificate is being sent to user apex\crespima. Please go to the user's Remote Access Policy and configure the Extensible Authentication Protocol (EAP).

     

    So I think I should aim to the RADIUS first.



  • 16.  RE: What kind of authentication I should use?

    Posted Dec 20, 2011 07:43 AM

    mcrespillo, did you follow the step-by-step guide for setting this up?  There is one on this website and another in the appendix in the user guide.  

     

    Also, only use WPA2-AES, because 802.11n cannot work with TKIP.

     

     



  • 17.  RE: What kind of authentication I should use?

    Posted Dec 20, 2011 07:55 AM

    well, I'm not the Domain Controllers sysadmin, I downloaded the info you gave me and I gave it to our sysadmin. I will talk to him nad will try to follow the steps one by one again and try to resolve de issue. Do you think the problem is there? also I followed the issue with our Aruba provider and as he could check, everything is ok in the Aruba side.

    About the 802.11n, we do not use this protocol, so its ok.

     



  • 18.  RE: What kind of authentication I should use?

    Posted Dec 20, 2011 03:23 PM

    cjoseph, I could resolve the RADIUS problem, now I can test in sucefully way the AAA test server with MSCHAPv2. My problem now is that I have this message in the Debug Process Log window:

     

    |authmgr| |aaa| RADIUS server APEXRadius-10.30.5.13-1812 timeout for client=00:1b:77:30:c0:77 auth method 802.1x

     

    why I have this message if I could connect successfully egainst the RADIUS in the controller?



  • 19.  RE: What kind of authentication I should use?

    Posted Dec 20, 2011 06:14 PM

    Once again, check the eventviewer to see if the radius server is even receiving the radius authentication request.

     



  • 20.  RE: What kind of authentication I should use?

    Posted Dec 21, 2011 06:49 AM

    From the event viewer I have this messages:

     

    Because no certificate has been configured for clients dialing in with EAP-TLS, a default certificate is being sent to user apex\crespima. Please go to the user's Remote Access Policy and configure the Extensible Authentication Protocol (EAP).

     

    Could not retrieve the Remote Access Server's certificate due to the  following error: Cannot find object or property.

     

    Access request for user APEX\crespima was discarded.
     Fully-Qualified-User-Name = apex.local/AR/COR4/APEX/Admin/Marco Crespillo
     NAS-IP-Address = xx.yy.zz.qqq
     NAS-Identifier = xx.yy.zz.qqq
     Called-Station-Identifier = 000B86524250
     Calling-Station-Identifier = 001B7730C077
     Client-Friendly-Name = ArubaController800
     Client-IP-Address = zz.xx.vv.rrr
     NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = 1
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Reason-Code = 23
     Reason = Unexpected error. Possible error in server or client configuration.

     

    this all 3 messagges repeats everytime I try to loggin.



  • 21.  RE: What kind of authentication I should use?

    Posted Dec 21, 2011 08:21 AM

    You should add PEAP to the Remote access policy on the radius server, even if you don't have a certificate.  Also make sure you have 802.1x termination on in the 802.1x profile on the controller.  Make sure your client is also configured with PEAP.



  • 22.  RE: What kind of authentication I should use?

    Posted Dec 21, 2011 10:21 AM

    GREAT!!!!! it is working now cjoseph!!!!!

    Thanks very much for your help. I just activate the 802.1x termination on the controller and started to works!

    Thanks again for your help!

     



  • 23.  RE: What kind of authentication I should use?

    Posted Dec 21, 2011 10:31 AM

    Glad we could finally get it to work!