Wireless Access

  • 1.  UK Govwifi configuration

    Posted Mar 09, 2022 07:33 AM
    Hi All,

    I am attempting to configure an SSID for GovWifi. I have completed the controller configuration but I get a RADIUS Access-Reject when trying to connect. I am using the correct credentials, configured for the GovWifi RADIUS and see the traffic go out to the RADIUS.

    Has anyone configured GovWifi that can help isolate the issue? Think it is the logon role that is pushed but not 100% sure.

    Regards

    Adrian

    ------------------------------
    Adrian Jones
    ------------------------------


  • 2.  RE: UK Govwifi configuration

    Posted Mar 10, 2022 06:32 AM
    Where do you see the RADIUS Access Reject? There's a few components that need to be correct (on the WLAN, MC and FW/NAT devices). Have you completed the 'aaa test server' command to confirm that the communication between the authenticator and authentication server is working as expected? Are any upstream NAT devices configured to present the correct src-ip to the external auth server? Is the controller presenting the username in the correct format?

    Use AAA Test Server to verify connectivity: https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/auth-servers/test-conf-auth-serv.htm?Highlight=aaa%20test

    Use show auth-tracebuf to review the communication between the client and RADIUS Auth


    ------------------------------
    Craig Syme
    ------------------------------



  • 3.  RE: UK Govwifi configuration

    Posted Mar 10, 2022 10:50 AM

    Hi Craig,

     

    I was looking at a packet capture on the firewall between the controller and internet. It is source NATting the address. By the looks of it the device MAC address is substituting the input username for the username and this looks like the area it is failing. Just need to find where I can correct this and hopefully we will be connecting.

     

    Regards

     

    Adrian Jones






  • 4.  RE: UK Govwifi configuration

    Posted Mar 10, 2022 11:30 AM
    Edited by Craig Syme Mar 10, 2022 11:35 AM
    Hey Adrian, do you have MAC Auth configured on the AAA Profile? Feel free to post your config for review :)

    Also if you run the 'show auth-tracebuf' command, this will show you the username being sent to the RADIUS server.

    ------------------------------
    Craig Syme
    ------------------------------



  • 5.  RE: UK Govwifi configuration

    Posted Mar 10, 2022 11:46 AM

    Thanks Craig. Was generating a post. I resolved the MAC username issue by setting MAC Authentication to None in the AAA Profile.

     

    Connects quickly but currently no internet. I will check the rules tomorrow when I can get someone to test for me. I see DNS requests on the firewall but test user reported it stating requesting sign in to GovWifi, Web authentication disabled and contact admin for assistance.

     

    Regards

     

     

     

    Adrian Jones






  • 6.  RE: UK Govwifi configuration

    Posted Mar 10, 2022 11:52 AM
    That's good, it sounds like your AAA Profile needs a little work. It does sound like you have the 'logon' User Role defined (which contains Captive Portal re-direct but no Captive Portal defined) which would generate the error you are seeing. Try amending your 802.1X Authentication Default Role to be something other than the 'logon' User Role. As a good test the 'authenticated' User Role is a good start.

    ------------------------------
    Craig Syme
    ------------------------------
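
Added example, not part of any post in this thread: the check described in post 3 (reading the username out of a captured Access-Request) as a Python sketch that parses a RADIUS packet per RFC 2865 and reports whether User-Name carries a MAC address instead of the user's identity. The sample packet builder, the username `exampleuser`, the MAC value and all function names are constructed for this example.

```python
import re
import struct

USER_NAME, CALLING_STATION_ID = 1, 31   # RFC 2865 attribute types
ACCESS_REQUEST = 1                      # RFC 2865 packet code

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20                 # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def mac_hex(value: bytes):
    """Return 12 lowercase hex digits if value is MAC-shaped, else None."""
    digits = re.sub(r"[-:.]", "", value.decode("ascii", "replace")).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def username_finding(packet: bytes) -> str:
    """Classify what the authenticator put in User-Name."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        return "not-access-request"
    names = attrs.get(USER_NAME)
    if not names:
        return "no-user-name"
    mac = mac_hex(names[0])
    if mac is None:
        return "user-identity"
    stations = [mac_hex(v) for v in attrs.get(CALLING_STATION_ID, [])]
    return "mac-matches-calling-station" if mac in stations else "mac-shaped"

def build_request(user: bytes, station: bytes) -> bytes:
    """Constructed sample Access-Request (zeroed authenticator), demo input only."""
    body = b"".join(bytes([t, len(v) + 2]) + v
                    for t, v in ((USER_NAME, user), (CALLING_STATION_ID, station)))
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body
```

A result of `mac-matches-calling-station` on the 802.1X SSID's requests corresponds to the symptom in post 3; `user-identity` is what the RADIUS server should see once MAC authentication is no longer supplying the username.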