Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

802.1x and IOS

  • 1.  802.1x and IOS

    Posted Apr 03, 2013 05:45 AM

    Hello,

    We are having trouble connecting iPad/iPhone to our WPA2-Enterprise network.

    I have enabled the "Termination" on the WLAN security tab.
    I also have enabled the "Dynamic Radius Proxy".

    It's working fine with Windows computers.

    When I try to connect with iOS, this is what appears in the Security Log of my domain controller:
    "The user attempted to use an authentication method that is not enabled on the matching network policy."

    Authentication Type: PAP

     

    I don't feel comfortable activating PAP on my domain... 

    I have seen the whitepaper on "iPad & Enterprise", and I do not want to install the Apple iPhone Configuration Utility and push this to the iPad/iPhone (which has to be done for WPA2-AES EAP-TLS to terminate on an Aruba Controller).

    In the example, for WPA AES or TKIP, WPA2 AES or TKIP with PEAP-MSCHAPv2 it should work just fine.

    Do you have an idea?

    Many thanks



  • 2.  RE: 802.1x and IOS

    Posted Apr 09, 2013 01:19 AM

    Is this an Aruba instant or an Aruba controller network?



  • 3.  RE: 802.1x and IOS

    Posted Apr 09, 2013 08:19 AM

    We use WPA2-Enterprise with 802.1X for both Windows and Macintosh/iPhone/iPad devices without too many issues. Perhaps you can provide additional information on your setup and configuration.



  • 4.  RE: 802.1x and IOS

    Posted Apr 09, 2013 08:26 AM

    We are using Instant AP without a controller; maybe it's due to a wrong configuration of the NPS on the Windows 2008 server.
    What kind of additional information would you need?



  • 5.  RE: 802.1x and IOS

    Posted Apr 10, 2013 12:25 AM

    I only enable termination when using an LDAP server or similar RADIUS server that does not support EAP. If you can support EAP, disable termination and it should work with iStuff.



  • 6.  RE: 802.1x and IOS

    Posted Apr 11, 2013 05:12 AM

    Well, when I try to disable the termination, I cannot connect even with my Windows computers.

    In my Security Logs, I have this message: "Error occured during the use of EAP".

    I also do not understand why I cannot use MSCHAP if I disable the termination?



  • 7.  RE: 802.1x and IOS
    Best Answer

    EMPLOYEE
    Posted Apr 11, 2013 10:47 AM

    Using termination means that the IAP will host a RADIUS certificate within the IAP. With termination off, that means your NPS server needs a valid server certificate.

     

    Please look at the article here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113 for how to correctly configure NPS...

     



  • 8.  RE: 802.1x and IOS
    Best Answer

    Posted Apr 16, 2013 05:00 PM

    Excl,

     

    We had the same problem in our environment as well and submitted a ticket to Aruba TAC. 

    Essentially, they have confirmed that this is because on the i-AP you cannot specify the encryption to use, whereas with the physical controller you can.

    Verbatim from Aruba Support, the workaround for now at least is:

    We tried to replicate this issue in our lab. We also faced the same issue. That only IPhones are connected using the PAP when the termination is enabled in the IAP. As a workaround we tried the below.

     

    • Disabled the termination in the IAP. Which means the termination is enabled in the radius server.
    • We should have the proper certificate installed in the server for this to work properly.
    • In the NPS rule we enabled the MsCHAPv2 with PEAP.
    • PAP not enabled in the Rule.
    • This time the IPHONE and all other client connects fine and authenticated using PEAP-MsCHAPv2.

     

    Please let me know if this is suitable for your deployment. If not we need to contact engineering to proceed further with this issue. Because in our lab also its confirmed that only IPHONES are not authenticating using the MSCHAPV2 when the termination is enabled in the IAP.

     


    Placing the certificate on the RADIUS server did in fact do the trick; it would have been nice, however, to have the functionality there to begin with.

    Hope this helps.
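
Added example, not part of any post in this thread: a way to confirm from the NPS side that no client is still falling back to PAP after the change described above. It assumes the Security-log messages of NPS events 6272 (granted) and 6273 (denied) have been exported as text with their usual field labels; the sample events, MAC addresses and account names are constructed.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z ]*?):[ \t]+(\S.*?)[ \t]*$", re.M)

def make_event(user, mac, auth, eap="-", reason="0"):
    """Constructed message body shaped like an NPS 6272/6273 event (not real log data)."""
    return (f"User:\n\tAccount Name:\t\t{user}\n"
            f"Client Machine:\n\tAccount Name:\t\t-\n"
            f"\tCalling Station Identifier:\t{mac}\n"
            f"Authentication Details:\n\tAuthentication Type:\t{auth}\n"
            f"\tEAP Type:\t\t{eap}\n\tReason Code:\t\t{reason}\n")

MSCHAPV2 = "Microsoft: Secured password (EAP-MSCHAP v2)"
# Constructed sample: (event id, message). 6272 = access granted, 6273 = access denied.
SAMPLE_EVENTS = [
    (6273, make_event("alice", "AA-BB-CC-00-00-01", "PAP", reason="66")),
    (6272, make_event("alice", "AA-BB-CC-00-00-01", "PEAP", MSCHAPV2)),
    (6272, make_event("bob", "AA-BB-CC-00-00-02", "PEAP", MSCHAPV2)),
    (6272, make_event("carol", "AA-BB-CC-00-00-03", "PAP")),
]

def parse_event(message):
    """Extract 'Name: value' fields; the first occurrence wins, because
    'Account Name' appears under both User and Client Machine."""
    fields = {}
    for key, value in FIELD.findall(message):
        fields.setdefault(key, value)
    return fields

def audit(events):
    """Per client MAC: methods seen, PAP attempts refused, PAP attempts accepted."""
    report = defaultdict(lambda: {"methods": set(), "pap_denied": 0, "pap_granted": 0})
    for event_id, message in events:
        f = parse_event(message)
        auth, eap = f.get("Authentication Type", "?"), f.get("EAP Type", "-")
        rec = report[f.get("Calling Station Identifier", "?")]
        rec["methods"].add(auth if eap == "-" else f"{auth}/{eap}")
        if auth.upper() == "PAP":
            rec["pap_granted" if event_id == 6272 else "pap_denied"] += 1
    return dict(report)

def pap_accepted(report):
    """Clients whose PAP authentication was accepted by the network policy."""
    return sorted(mac for mac, rec in report.items() if rec["pap_granted"])

if __name__ == "__main__":
    for mac, rec in sorted(audit(SAMPLE_EVENTS).items()):
        print(mac, sorted(rec["methods"]), rec["pap_denied"], rec["pap_granted"])
```

A client that shows only refused PAP attempts matches the symptom in this thread; any entry returned by `pap_accepted` means the network policy still has PAP enabled.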



  • 9.  RE: 802.1x and IOS

    Posted Apr 17, 2013 03:52 AM

    Yes, you are right.

    Good to know that in the IAP you cannot choose the encryption.
    I resolved the issue by disabling the Termination mode; it now works perfectly with iOS & Windows users.

    Again, thanks :)



  • 10.  RE: 802.1x and IOS

    Posted Aug 13, 2014 02:59 PM

    I know this is a little late, but I've come across the same issue, sort of, and I thought I would add this comment.

     

    The iDevices will authenticate using MS-CHAP if, as wireless clients, they're sitting on the same VLAN and subnet as our RADIUS and DHCP server (essentially our main network). As soon as we try it in a different subnet and VLAN using some other DHCP server, we see the following:

     

    1) with termination on - they use PAP

    2) with termination off - they use EAP

     

    Of course, we only want to use MS-CHAP, but don't want them on the same VLAN or subnet. I'm not familiar with how all of this traffic flows around when authenticating, so maybe that's by design. But if anyone has any further insight, I'm a good listener (reader).

     

    I'm in the same situation with the i-APs (i.e. no controllers).

     

    Thanks to all!

     

     

     



  • 11.  RE: 802.1x and IOS

    Posted Aug 13, 2014 04:36 PM

    You know... as soon as I clicked POST, I thought maybe I should check my firmware... all issues gone. Works great.

     

    Go figure. sigh.