Wireless Access

  • 1.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 22, 2023 04:37 AM

    Hi Techs, 

    I have a scenario where I integrated the SSID with authentication using RADIUS for LDAP users. The integration works fine and AD credentials work, and staff are able to authenticate and access the internet. However, when trying to access things like shared folders on Windows servers and RDP to servers, it doesn't work. I am hoping for a solution and insights. This will be appreciated.

    David



  • 2.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 22, 2023 10:02 AM

    This sounds either like a DNS problem (your SSID has DNS that performs external name resolution only, or the domain suffix list returned by DHCP does not include your internal domain), or the role assigned to the device on the SSID is blocking access to Kerberos or just to internal IPs generally.




  • 3.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 25, 2023 11:28 AM

    Initially, there are a lot of questions which arise from your description.

    1. What sort of DNS are you pushing to your users? Can that DNS resolve the hostnames of the servers you are trying to access?
    2. Are you using hostnames or IP addresses to connect to the RDP or folders? Whichever you are using, try both: initially with the IP address and then with the hostname.
    3. Are you using different subnets for wireless users and servers? If yes (and I guess you do), check if they are routable.
    4. Do you have a firewall sitting in front of your servers? If yes, check if the ports and the subnet of your wireless infrastructure are whitelisted/allowed to access the servers using the specific ports.
    5. etc.


    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------
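    The checklist above boils down to two separable questions: does the client's DNS return the right address for the server, and can the client reach the service ports at all. The script below is an added example, not something posted in this thread or part of any Aruba product; it runs on a laptop on the affected SSID and tests RDP (TCP 3389) and SMB (TCP 445) first by a known IP address and then by hostname, as reply 3 suggests. The hostname `fileserver01.corp.example` and the address `10.20.30.40` are placeholders, and the `known_ip` value is assumed to come from somewhere trustworthy such as the working controller's environment.

```python
"""Client-side triage for the symptom in this thread: 802.1X/RADIUS login
works and the internet works, but RDP (3389) and SMB shares (445) on
internal servers do not. Separates name resolution (SSID DNS / DHCP suffix
list) from reachability (subnet routing, the SSID's user role, or a firewall
in front of the servers) by testing each service by IP and by name.

Hostname and IP values used here are constructed placeholders.
"""
import json
import socket
import sys
from typing import Dict, Optional, Tuple

# Services the thread is about; extend with e.g. "kerberos": 88 if needed.
SERVICE_PORTS = {"rdp": 3389, "smb": 445}


def resolve(hostname: str) -> Optional[str]:
    """Return the IPv4 address the client's configured resolver gives, or None."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def tcp_open(addr: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(resolved_ip: Optional[str], known_ip: Optional[str],
             reachable: Optional[Dict[str, bool]]) -> Tuple[str, str]:
    """Pure decision logic mapping observations onto the causes raised in the
    thread. Reachability is judged first: if the server cannot be reached by
    its IP, DNS is not the (only) problem.

    resolved_ip: what DNS returned for the hostname (None on NXDOMAIN/timeout)
    known_ip:    the server's real address, if the operator knows it
    reachable:   {service: bool} for the address actually tested, or None if
                 no address was available to test
    """
    if reachable is None:
        return ("no-address",
                "hostname does not resolve and no known IP was given; supply "
                "the server's IP to test reachability separately from DNS")
    if not any(reachable.values()):
        return ("unreachable",
                "nothing answers even by IP: check routing between the wireless "
                "subnet and the servers, the SSID's user role, and any firewall "
                "in front of the servers")
    if not all(reachable.values()):
        blocked = sorted(s for s, ok in reachable.items() if not ok)
        return ("port-blocked",
                f"server reachable but {blocked} filtered: user-role or "
                "firewall port rules")
    if resolved_ip is None:
        return ("dns-unresolved",
                "hostname does not resolve: SSID DNS is external-only or the "
                "DHCP domain suffix list lacks the internal domain")
    if known_ip and resolved_ip != known_ip:
        return ("dns-wrong-address",
                f"hostname resolves to {resolved_ip} instead of {known_ip}: "
                "client is getting the wrong (public/split-horizon) DNS view")
    return ("ok", "name resolution and service ports look fine from this client")


def diagnose(hostname: str, known_ip: Optional[str] = None,
             services: Dict[str, int] = SERVICE_PORTS) -> dict:
    """Run the live checks and return a report including the verdict."""
    resolved = resolve(hostname)
    target = known_ip or resolved          # prefer the trusted address
    reachable = None if target is None else {
        svc: tcp_open(target, port) for svc, port in services.items()
    }
    return {
        "hostname": hostname,
        "resolved_ip": resolved,
        "tested_address": target,
        "reachable": reachable,
        "verdict": classify(resolved, known_ip, reachable),
    }


if __name__ == "__main__":
    # usage: python triage.py <hostname> [known_ip]
    host = sys.argv[1] if len(sys.argv) > 1 else "fileserver01.corp.example"
    known = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(diagnose(host, known), indent=2))
```

    Running it once on the working controller's SSID and once on the upgraded one gives two reports whose `verdict` codes point at the layer that differs; a `port-blocked` or `unreachable` result on only the 8.10 controller points at the user role or firewall there rather than at DNS.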



  • 4.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 26, 2023 09:10 AM

    Hi, just to expound more,

    We have another controller running an older firmware version; all the configs are done there. LDAP users authenticate using the same RADIUS server and access the network using their AD credentials. They can access the network resources. We upgraded the current controller that is having issues to 8.10 LSR. Both are using a similar network, similar DNS, the same RADIUS server, etc., so the networks and environments are similar. The RADIUS server is the same, and for DNS we have primary and secondary both configured on the MC 7030.



  • 5.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 26, 2023 10:02 AM

    Quick question, are the network resources they are trying to reach on the same subnet as the clients, and if so, is intra-VLAN traffic permitted on the SSID?  I'm thinking there is a new knob in the firmware somewhere that isn't set properly.


    Daniel Waites

    Post-Sales Engineer

    Sabyr Consulting

    www.sabyr.com

    (409) 454-7250 - cell







  • 6.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 26, 2023 10:07 AM

    Where can I check on the intra-VLAN traffic? On the SSID?




  • 7.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 26, 2023 10:13 AM

    Also, the SSID is in tunnel mode. Should that be correct, since we are doing 802.1X authentication?




  • 8.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 26, 2023 10:28 AM

    On Central/IAP, they call it Deny Intra-VLAN and it is per-SSID, but on AOS8 I think they call it Deny Inter User Bridging / Deny Inter User Traffic and it's in the global firewall settings.


    Daniel Waites

    Post-Sales Engineer

    Sabyr Consulting

    www.sabyr.com

    (409) 454-7250 - cell







  • 9.  RE: SSID ON RADIUS AUTH WITH LDAP USERS DENYING RDP AND OTHER SERVICES

    Posted Sep 26, 2023 10:41 AM

    Regarding the tunnel mode question, I guess it would depend on your particular situation.  For orgs that are large or fragmented and do not have good control over the layer 2 infrastructure (or the layer 2 infrastructure has an inconsistent design), tunneled mode is much easier, as you only need to know the IP of the tunnel server node for RADIUS configuration and the VLANs on the tunnel server node for SSID configuration.  You can then extend layer 2 over GRE to the AP no matter the crazy underlay where the AP actually is.  For orgs with good control over layer 2 and a consistent design across the campus the decision might be a bit murkier; there are arguments either way.


    Daniel Waites

    Post-Sales Engineer

    Sabyr Consulting

    www.sabyr.com

    (409) 454-7250 - cell