  • 1.  802.1x implementation

    Posted Jan 10, 2024 11:04 AM

    Greetings,

    We are currently trying to implement 802.1x authentication with Windows Active Directory. On the AD server, we have already installed Windows NPS and set it up, created a certificate and stuff. But when we try to connect to the SSID designated for 802.1x, we couldn't get an IP address.

    We kindly need your suggestion/direction.

    Our environments are:

    1. Aruba 7010 standalone wireless controller
    2. 16 units of Aruba 305 Access Point
    3. DHCP server is configured on core switch.
    4. Windows Server 2019 with AD & NPS roles

    Best Regards,

    Bram



  • 2.  RE: 802.1x implementation

    Posted Jan 10, 2024 05:07 PM

    Is the EAP-TLS authentication successful?

    After a successful authentication, is the client in the correct VLAN that has a DHCP scope?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: 802.1x implementation

    Posted Jan 10, 2024 11:15 PM

    Dear Ariyap,

    Thank you for your response.

    I would like to inform you that I got an "authentication failed" result when testing the AAA server from the Aruba controller.

    May I know what makes it successful? Is it related to some variables between the Aruba controller & Windows NPS?

    Below is my configuration:

    interface gigabitethernet 0/0/14
        description "GE0/0/14"
        trusted
        trusted vlan 1048,1050,1052,1056
        no poe
        lacp group 0 mode active
        lldp transmit
        lldp receive
    !
    
    interface gigabitethernet 0/0/15
        description "GE0/0/15"
        trusted
        trusted vlan 1048,1050,1052,1056
        no poe
        lacp group 0 mode active
        lldp transmit
        lldp receive
    !
    interface port-channel 0
        description "LACP-to-ACC-SW"
        trusted
        trusted vlan 1048,1050,1052,1056,1058
        switchport mode trunk
        switchport trunk allowed vlan 1048,1050,1052,1056,1058
    !
    aaa authentication dot1x "TEST-AUTH_dot1_aut"
    !
    aaa authentication-server radius "NPS-RADIUS"
        host "ip_address"
        key f6c0b6dda66983d6cc30988ff2d520c57ab0f95565411f66
    !
    aaa server-group "TEST-AUTH_dot1_svg"
        auth-server NPS-RADIUS position 1
    !
    aaa profile "TEST-AUTH_aaa_prof"
        initial-role "authenticated"
        authentication-dot1x "TEST-AUTH_dot1_aut"
        dot1x-server-group "TEST-AUTH_dot1_svg"
    !
    wlan ssid-profile "TEST-AUTH_ssid_prof"
        essid "TEST-AUTH"
        opmode wpa2-aes
    !
    wlan virtual-ap "TEST-AUTH"
        aaa-profile "TEST-AUTH_aaa_prof"
        vlan 1058
        forward-mode bridge
        ssid-profile "TEST-AUTH_ssid_prof"
    !
    



  • 4.  RE: 802.1x implementation

    Posted Jan 11, 2024 01:23 AM

    The test aaa server uses PAP and is not really used for testing users.

    Anyway, forwarding mode generally should be tunnel, not bridge.

    You can refer to this guide; even though it uses ClearPass as the authentication server, it gives you a good idea of the controller configuration.






  • 5.  RE: 802.1x implementation

    Posted Jan 12, 2024 07:08 AM

    Dear ariyap,

    Sorry for the late response.

    Thank you for the guide. I'll learn it.



    ------------------------------
    Best Regards,

    Bram
    ------------------------------