Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Sync Wi-Fi authentication with Active Directory

  • 1.  Sync Wi-Fi authentication with Active Directory

    Posted Jan 31, 2023 10:48 AM
    Dears

    I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

    I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

    Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

    Regards


  • 2.  RE: Sync Wi-Fi authentication with Active Directory

    EMPLOYEE
    Posted Jan 31, 2023 11:08 AM
    That is something you would use a (RADIUS) authentication server for. Here is my video series that explains how to do such a thing with Aruba ClearPass. And you should be really careful using AD passwords for WiFi access, as it is relatively hard to protect clients from exposing the username and password credentials.

    I would really recommend working with a good partner to get this designed; there are too many things that can go wrong and result in outages or weak security.

    For universities specifically, you would probably have a look at eduroam, which seems to be available in many countries, maybe also in yours.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Sync Wi-Fi authentication with Active Directory

    Posted Feb 01, 2023 01:59 AM
    Dear Sir

    Thanks for your kind reply, I will watch your videos to learn new things about Aruba Networks.

    What kind of weak security would I face? I think integrating Wi-Fi with AD would be more secure than a normal password, as each employee has their own username and password.

    Would you please get me more into this? Thanks.


    Regards


  • 4.  RE: Sync Wi-Fi authentication with Active Directory

    MVP
    Posted Feb 02, 2023 10:13 AM
    A BIG caution here.

    To use AD user authentication, many people use WPA2-Enterprise security with EAP-PEAP-MSCHAPv2.

    I understand from our Windows support team that they will be unable to upgrade to version 22H2 until we move AWAY from PEAP-MSCHAPv2 due to new Windows Credential Guard restrictions. EAP-TLS with certificates assigned to users is the preferred, more secure path. You can use AD credentials as a basis for assigning user certificates though.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 5.  RE: Sync Wi-Fi authentication with Active Directory

    EMPLOYEE
    Posted Feb 06, 2023 04:36 AM
    The issue with using AD passwords is that it is terribly hard to configure a device to not authenticate to a 'rogue network'. This means that, unless you 100% control your client devices, you should consider the username and password credential as leaked, and if someone has an AD username and password, that in many cases gives a good start for logging in to computers, webmail, VPN, etc. Here is an old video that explains it a bit more in technical detail.

    Because of this, people now also have issues when users upgrade their Windows version and authentication suddenly fails (response by bosborne), and there is a strong recommendation by Microsoft to move away from username/password for WiFi and VPN. Bottom line, it's easier to deploy EAP-TLS with client certificates than to securely deploy EAP-PEAP.

    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: Sync Wi-Fi authentication with Active Directory

    Posted Feb 06, 2023 04:55 AM
    A Wi-Fi password can also be leaked, the same as an AD username and password, and please note that I have MAC authentication, so nobody can join my network from outside the list of allowed MAC addresses.


  • 7.  RE: Sync Wi-Fi authentication with Active Directory

    EMPLOYEE
    Posted Feb 06, 2023 09:25 AM
    I just want to warn... the difference between leaking a WPA-PSK password and leaking AD credentials through EAP-PEAP is that with the WPA-PSK password there typically is no other access with the same password, and that the password is leaked through people. With EAP-PEAP-MSCHAPv2, a client device that is near a potentially hostile AP will happily provide the credentials without the user being asked once the client sees the 'spoofed' SSID (or if they are asked, most will accept), and if those credentials are AD credentials, they may be used to crack the password and/or sign in to computers, VPNs, webmail, unless there are other safeguards. And if an attacker captured the credentials, they have the client MAC address as well, and MAC addresses are really simple to spoof. It's just a risk I would not want to take, and I can't think of a security officer signing this off if you explain the risks. But, it's your (organization's) decision in the end.

    ------------------------------
    Herman Robers
    ------------------------------
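The two employee replies above make the same point: a PEAP-MSCHAPv2 supplicant that is not pinned to its RADIUS server certificate will offer the AD credential to whatever answers to the SSID. The defensive check that follows from that is to audit the client's WLAN profiles for server validation. Below is an added example written for this thread, not code from the thread or from HPE Aruba Networking or Microsoft. It parses the XML that Windows produces with `netsh wlan export profile` and flags PEAP profiles where the user can still be prompted to accept an unknown server certificate, where no server name is enforced, or where no root CA is pinned. The two profile documents are constructed samples that keep only the elements this check needs; the element names (`ServerValidation`, `DisableUserPromptForServerValidation`, `ServerNames`, `TrustedRootCA`) and the EAP method numbers (25 = PEAP, 13 = EAP-TLS, 26 = EAP-MSCHAPv2) are the ones Windows and the IANA EAP registry use, but the matching is done on local element names so the namespace URIs shown are not load-bearing. The thumbprint in the hardened sample is a placeholder.

```python
"""Audit exported Windows WLAN profiles for weak EAP-PEAP server validation."""
import xml.etree.ElementTree as ET

EAP_TLS, EAP_PEAP = 13, 25   # IANA EAP method type numbers


def _peap_profile(ssid, prompt_disabled, server_names, root_ca):
    """Constructed sample in the shape of a 'netsh wlan export profile' file
    for a WPA2-Enterprise SSID using PEAP (25) with EAP-MSCHAPv2 (26) inside.
    Only the elements relevant to server validation are included."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>{str(prompt_disabled).lower()}</DisableUserPromptForServerValidation>
                <ServerNames>{server_names}</ServerNames>
                <TrustedRootCA>{root_ca}</TrustedRootCA>
              </ServerValidation>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


# Constructed samples: a profile that leaves every validation knob open, and one
# that pins the RADIUS server name and root CA (placeholder thumbprint).
WEAK_PROFILE = _peap_profile("CORP-WIFI", False, "", "")
HARDENED_PROFILE = _peap_profile("CORP-WIFI", True, "radius.corp.example",
                                 "0123456789abcdef0123456789abcdef01234567")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _find(node, local_name):
    """First descendant (or node itself) with the given local tag name."""
    for el in node.iter():
        if _local(el.tag) == local_name:
            return el
    return None


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def audit_profile(xml_text):
    """Return (ssid, method, findings); an empty findings list means the
    profile pins its RADIUS server and never asks the user to trust a cert."""
    root = ET.fromstring(xml_text)
    ssid = _text(_find(root, "name")) or "?"
    method_el = _find(root, "EapMethod")
    method = int(_text(_find(method_el, "Type")) or 0) if method_el is not None else 0
    if method == EAP_TLS:
        return ssid, "EAP-TLS", []          # certificate-based; no password to leak
    if method != EAP_PEAP:
        return ssid, f"type {method}", ["not PEAP or EAP-TLS; review manually"]
    findings = []
    sv = _find(root, "ServerValidation")
    if sv is None:
        findings.append("no ServerValidation block: server certificate is not checked")
        return ssid, "EAP-PEAP", findings
    if _text(_find(sv, "DisableUserPromptForServerValidation")).lower() != "true":
        findings.append("user may be prompted to accept an unknown server certificate")
    if not _text(_find(sv, "ServerNames")):
        findings.append("ServerNames empty: any certificate from a trusted CA is accepted")
    if not _text(_find(sv, "TrustedRootCA")):
        findings.append("no TrustedRootCA pinned")
    return ssid, "EAP-PEAP", findings


if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        ssid, method, findings = audit_profile(prof)
        print(f"{label}: {ssid} ({method}) -> {findings or 'OK'}")
```

On a real machine, feed `audit_profile` the files written by `netsh wlan export profile folder=C:\tmp` (credentials are not included in that export). A clean result still only covers devices you manage, which is the caveat both replies make: PEAP on an unmanaged or misconfigured client remains a credential leak, whereas an EAP-TLS profile carries no password to lose.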



  • 8.  RE: Sync Wi-Fi authentication with Active Directory

    MVP
    Posted Feb 06, 2023 01:51 PM
    If by Wi-Fi password you mean a WPA2-Personal pre-shared key, it is not considered secure for enterprise use anyway. That is why WPA2-Enterprise and WPA3-Enterprise exist for enterprise use.

    WPA2-Personal has lower security, suitable only for home use, because it does not need the enterprise infrastructure required by the Enterprise variants.

    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University
    ------------------------------