Wireless Access

  • 1.  NPS and AP 515

    Posted Mar 18, 2021 03:34 PM
    Hello,

    I'm a little bit lost with RADIUS and the Aruba AP. I would like to set up RADIUS PEAP with a Windows RADIUS server and an AP 515.

    I have AP 515s, with which we use the virtual controller.
    The CA is on one server and the RADIUS server on a second server.
    The certificate for the NPS server was obtained by requesting it from the CA.

    The NPS server is a Windows server as follows:

    The only parameters in the AP:

    When connecting I get this error message, an untrusted certificate error:

    What I don't understand is that in the details of the Windows logs, we see the fingerprint of the Aruba certificate:

    However, on the workstation in question, the certificate used for the NPS is imported into the CA:

    I thank you for any help you can give me.

    ------------------------------
    lapillo kevin
    ------------------------------


  • 2.  RE: NPS and AP 515

    Posted Mar 18, 2021 08:52 PM
    Make sure you don't have EAP termination enabled:  https://www.arubanetworks.com/techdocs/Instant_871_WebHelp/Content/instant-ug/authentication/supp-eap-aut-fra.htm

    Termination uses the certificate on the AP and NOT the one on the NPS server... you don't want that.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: NPS and AP 515

    Posted Mar 19, 2021 02:42 AM
    Edited by klkl_n Mar 19, 2021 03:43 AM
    Hello,

    I thank you for the doc.
    Thank you for the answer.
    After thinking about it, I came to this conclusion too. I used this tutorial: https://www.youtube.com/watch?v=3Mg8p6rOLhA

    This works, but I still have problems when I deploy the certificate and the automatic connection by GPO on a test station.

    Before the connection, it asks if you really want to connect to this location.

    If I uncheck MS-CHAP and MS-CHAPv2, no connection is possible. Do you have any idea?


    ------------------------------
    lapillo kevin
    ------------------------------



  • 4.  RE: NPS and AP 515

    Posted Mar 19, 2021 04:15 AM
    In order to prevent pop-ups, you will need to push your WLAN/wired profile as well through GPO to configure the supplicant with the RADIUS server certificate name and which root CA to trust. There is no method for a client otherwise to validate that it is connecting to a valid network.

    Please be advised that using MSCHAPv2 (which is used in PEAP) is strongly deprecated as the security of that protocol is severely broken and unless you have 100% control over your clients and configure the supplicant through group policy to never trust other server certificates than your own, consider the user credentials to be freely available for an attacker.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: NPS and AP 515

    Posted Mar 19, 2021 05:13 AM
    I understand, thank you very much for all the information.

    I absolutely did not know that MSCHAPv2 had become obsolete. Do you have anything to advise me, in order to overcome this lack of security?

    I want to set up a secure RADIUS-type Wi-Fi solution.

    Thank you for your help.

    ------------------------------
    lapillo kevin
    ------------------------------



  • 6.  RE: NPS and AP 515

    Posted Mar 19, 2021 05:49 AM
    The only secure EAP authentication methods at the moment are the ones that are Client-certificate based. If you are on the Microsoft platform and can use group policies, using the MS CA to enroll computer certificates and after that, use EAP-TLS through group policies is probably the best option.

    It may be good to reach out to your (Aruba) partner to find the optimal solution.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: NPS and AP 515

    Posted Mar 19, 2021 10:03 AM
    Hello,

    I thank you for your help and information.
    I will find out more about this method.
    Thank you again.

    Note: if you have links to recommended documentation, I'm interested.

    ------------------------------
    lapillo kevin
    ------------------------------