ArubaOS and Controllers

Occasional Contributor II

windows preauthentication with user authentication


Our classroom laptops are using Windows 7 single sign-on. They are attempting to log on to the SSID with user credentials. Our RADIUS server is on our Admin domain. Users with Admin credentials can log in at startup successfully by connecting to the SSID, but users with Instruction credentials (student access with restrictions) will not authenticate. Under the student role, the firewall policies are: basic-netservices, Allow-student_services, Deny-private_nets, allowall.

If I remove Deny-private_nets, student authentication to the Instruction domain is successful. My question is: do I need to add the IP address for the Instruction domain controller to Allow-student_services? (This rule allows only certain private nets to be available to the students.) Also, are there any specific ports that I would need to open up?

Any help on this would be greatly appreciated.
Guru Elite

Re: windows preauthentication with user authentication

It is a moving target to say the least. It is probably easier to block services like SSH and telnet that you do not want students to have access to, rather than subnets. If you block nothing, your security is the same as that on the wired network, and your students should be able to logon successfully.

Occasional Contributor II

Re: windows preauthentication with user authentication

That is what we were afraid of. We have to have the deny statement in place to restrict access to servers on the network. I am going to try adding the IP address for the Instruction domain controller to Allow-student_services and see if that is it.


windows preauthentication with user authentication

Another strategy, rather than trial and error ;), would be to issue the command "show user ip x.x.x.x" a few times while the device is logging in.

This command shows the exact traffic being generated by the device. You would look for lines ending with the "D" flag, which means they are denied. That will then give you the specific destination hosts and ports required for the transaction. Run this procedure a few times and ensure it doesn't float around; as Colin has cautioned, it may well be somewhat of a moving target.

(ArubaHQ_Calgary) #show user ip

Datapath Session Table Entries

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal

Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
--------------  --------------  ---- ----- ----- ---- ---- --- --- ----------- ---- -----
<src IP>        <dst IP>        6    5223  64370 0/0  0    96  45  tunnel 10   2dd
<src IP>        <dst IP>        6    64370 5223  0/0  0    96  45  tunnel 10   2dd  C

(The Source IP and Destination IP values are missing from the post as archived; the two rows are the two directions of one session.)

PS: in this example, my iPad is talking on TCP (Prot = 6) port 5223 (standard for iOS devices) to a destination of (good ole Apple Corporate!). Notice there is no "D" flag, and thus it is permitted.
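The procedure in this reply (poll "show user ip" while the device logs on, pick out the rows carrying the "D" flag, repeat a few times because the set of flows moves around) can be scripted rather than read off the screen, and the result answers the first post's question of which domain-controller host and ports the Allow-student_services policy has to permit. The script below is an added example and is not code from the thread or from Aruba. Everything in it is assumed: the three captures are constructed, the laptop address 10.30.5.44 and the Instruction domain controller 10.20.0.10 are hypothetical RFC 1918 addresses, and the permit lines it prints follow the ArubaOS "ip access-list session" syntax as I know it, so check them against the CLI reference for your release before pasting them in. The parser relies on two properties visible in the sample output above: the Destination column can contain a space ("tunnel 10"), so it is sliced from the end of the row, and TAge is printed in lowercase hex while Flags are uppercase letters, which is how the optional Flags column is told apart.

```python
"""Added example (not from the thread): parse several captures of
`show user ip <addr>` from an ArubaOS controller, keep the sessions the
user role denied (flag "D"), count them per destination/port across the
captures, and render permit lines for a session ACL.

Hypothetical values: laptop 10.30.5.44, domain controller 10.20.0.10,
constructed captures, ArubaOS-style ACL syntax (verify on your release)."""
import re
from collections import Counter

# Fixed leading columns as printed by the controller. "Destination" (for
# example "tunnel 10") may contain a space, so it is taken from the row end.
COLUMNS = ("src", "dst", "prot", "sport", "dport", "cntr", "prio", "tos", "age")
PROTO_NAMES = {6: "tcp", 17: "udp"}
ROW_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,3}(?:\.\d{1,3}){3}\s")

HEADER = """\
Datapath Session Table Entries

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
C - client, M - mirror, V - VOIP

Source IP       Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
--------------  --------------  ---- ----- ----- ---- ---- --- --- ----------- ---- -----
"""

# Constructed captures: the same laptop polled three times during logon.
# DNS to the DC is permitted; Kerberos, LDAP and SMB to the DC are denied.
CAPTURES = [
    HEADER + """\
10.30.5.44      10.20.0.10      17   49152 53    0/0  0    0   1   tunnel 10   5    C
10.20.0.10      10.30.5.44      17   53    49152 0/0  0    0   1   tunnel 10   5
10.30.5.44      10.20.0.10      6    49153 88    0/0  0    0   1   tunnel 10   5    DC
10.30.5.44      10.20.0.10      6    49154 389   0/0  0    0   1   tunnel 10   5    DC
""",
    HEADER + """\
10.30.5.44      10.20.0.10      6    49155 88    0/0  0    0   2   tunnel 10   a    DC
10.30.5.44      10.20.0.10      6    49156 389   0/0  0    0   2   tunnel 10   a    DC
10.30.5.44      10.20.0.10      6    49157 445   0/0  0    0   1   tunnel 10   a    DC
""",
    HEADER + """\
10.30.5.44      10.20.0.10      6    49158 88    0/0  0    0   1   tunnel 10   f    DC
10.30.5.44      10.20.0.10      6    49159 445   0/0  0    0   1   tunnel 10   f    DC
""",
]


def parse_sessions(text):
    """Return one dict per session row of a `show user ip` capture."""
    rows = []
    for line in text.splitlines():
        if not ROW_RE.match(line):
            continue  # banner, flag legend, column header or separator line
        tok = line.split()
        # Flags are uppercase letters, TAge is lowercase hex ("2dd" in the
        # thread), so an all-uppercase last token is the optional Flags column.
        flags = tok.pop() if re.fullmatch(r"[A-Z]+", tok[-1]) else ""
        tage = tok.pop()
        row = dict(zip(COLUMNS, tok[:len(COLUMNS)]))
        row.update(destination=" ".join(tok[len(COLUMNS):]), tage=tage, flags=flags)
        for key in ("prot", "sport", "dport"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def denied_destinations(captures, client_ip):
    """Count D-flagged sessions initiated by client_ip across all captures,
    keyed by (destination IP, protocol number, destination port). Filtering
    on the source drops the reverse-direction row the table prints per flow."""
    hits = Counter()
    for text in captures:
        for s in parse_sessions(text):
            if "D" in s["flags"] and s["src"] == client_ip:
                hits[(s["dst"], s["prot"], s["dport"])] += 1
    return hits


def suggest_acl(hits, acl_name="Allow-student_services"):
    """Render permit lines (assumed ArubaOS session-ACL syntax) for every
    denied destination/port; the ACL must sit before Deny-private_nets."""
    lines = [f"ip access-list session {acl_name}"]
    for (dst, prot, dport), _ in sorted(hits.items()):
        service = f"{PROTO_NAMES[prot]} {dport}" if prot in PROTO_NAMES else str(prot)
        lines.append(f"  user host {dst} {service} permit")
    return lines


if __name__ == "__main__":
    denied = denied_destinations(CAPTURES, "10.30.5.44")
    for (dst, prot, dport), n in sorted(denied.items()):
        print(f"denied in {n} of {len(CAPTURES)} captures: {dst} {PROTO_NAMES.get(prot, prot)}/{dport}")
    print("\n".join(suggest_acl(denied)))
```

The count per destination is the useful part: a flow denied in every capture is something the logon needs, while one seen once may be background noise, which is what "run it a few times" is meant to separate. Whatever this prints is still a list of what the client tried, not a statement of what it should be allowed; the deny role exists precisely so that students cannot reach arbitrary servers, so review each suggested line against the service it corresponds to before adding it.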
Occasional Contributor II

Re: windows preauthentication with user authentication

Thanks for the tip! We got it to work, by just allowing the ports required.