Controllerless Networks


Enterprise SSID with Internal RADIUS Server

  • 1.  Enterprise SSID with Internal RADIUS Server

    Posted Jan 07, 2014 09:55 AM

    Hi all,

    Is there a guide to create and configure an Enterprise SSID with the Internal RADIUS Server?

    I'm trying to do this, but my network doesn't work. I create the SSID with "Security=Enterprise Key" and "Management=WPA-2 Enterprise" and I create and upload a certificate (type Auth Server) as a .cer file on the IAP. I also create a user in the IAP's internal database.

    When I try to connect my Windows 7 laptop to this SSID, I see the request for username and password and I enter the credentials of the user created on the IAP, but I don't get access to the SSID!

    In the "show log security" of the IAP I see these messages:

    Jan  1 00:49:26  stm[1118]: <132207> <ERRS> |AP 24:de:c6:c0:b3:05@192.168.123.101 stm|  RADIUS reject for station cert <my mac-addr> from server InternalServer.
    Jan  1 00:49:26  stm[1118]: <132053> <ERRS> |AP 24:de:c6:c0:b3:05@192.168.123.101 stm|  Dropping the radius packet for Station <my mac-addr> 24:de:c6:8b:30:53 doing 802.1x

    Any suggestions for me?

    Thanks,

    Massimo



  • 2.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 07, 2014 12:25 PM

    Do you have Termination enabled? You will need to for it to use the cert on the IAP. It is under the Security tab on the SSID.

    For a test (just a test, don't go to production this way), turn off "validate cert" on your client. If it works, then you know it is a problem with your client trusting the cert.

    Gary



  • 3.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 07, 2014 12:29 PM

    Actually, Termination does not have to be enabled. Did you create the username and password on the IAP using the "employee" type? Can you share your full config for us to take a look?

    Also, which EAP method is the client using? Is it just PEAP-MSCHAPv2?



  • 4.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 09, 2014 03:56 AM

    I don't think I need to enable Termination, because otherwise I cannot select the internal RADIUS server.

    I also tried turning off "validate cert" on my client, but I get the same error.

    The user is an "employee" type and the EAP method the client is using is PEAP-MSCHAPv2.

    I attach an image with the screenshot of "Client Alerts" in the IAP's GUI.



  • 5.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 09, 2014 04:44 AM

    Here is my IAP's config. The SSID is TEST-Enterprise.

     

    --------------------------------------------------------------------------------------------------------------

    version 6.3.1.0-4.0.0
    virtual-controller-country IT
    virtual-controller-key 7e6681b3018f8f34d09755379e973a6906f816ce4d64d18881
    name Instant-C0:B3:05
    virtual-controller-ip 192.168.123.100
    syslog-server 192.168.123.223
    syslog-level debug
    terminal-access
    clock timezone none 00 00
    rf-band all

    allowed-ap 24:de:c6:c0:b3:05


    arm
     wide-bands 5ghz
     80mhz-support
     min-tx-power 18
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode fair-access
     client-aware
     scanning

    ip dhcp pool
     subnet 192.168.66.0
     subnet-mask 255.255.255.0
     dns-server 151.99.125.1
     domain-name test.loc
     lease-time 120


    syslog-level debug ap-debug
    syslog-level debug network
    syslog-level debug security
    syslog-level debug system
    syslog-level debug user
    syslog-level debug user-debug
    syslog-level debug wireless



    user ospite b27c26076a6a0b395ff79e899bcf6291 portal

    user enter 85c930dae1db120b7babd1d2d3433b3b radius
    user massimo c2856773b0108956c05ab6e1e47ba5e4 radius
    user cert 37ab7f6977332975ab528eb26a4341aa radius
    user 12345678 e19ef2593cac2909ea1766ccca0f8e0047b6d1c89944972f radius

    mgmt-user admin 9cd818133a651df13550766ccc43407f

    wlan access-rule TEST-Guest
     index 0
     rule any any match any any any permit

    wlan access-rule default_wired_port_profile
     index 1
     rule any any match any any any permit

    wlan access-rule wired-instant
     index 2
     rule 192.168.123.101 255.255.255.255 match tcp 80 80 permit
     rule 192.168.123.101 255.255.255.255 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit

    wlan access-rule TEST-Enterprise
     index 3
     rule any any match any any any permit

    wlan ssid-profile TEST-Guest
     enable
     index 0
     type guest
     essid TEST-Guest
     opmode opensystem
     max-authentication-failures 0
     vlan guest
     auth-server InternalServer
     rf-band all
     captive-portal internal
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    wlan ssid-profile TEST-Enterprise
     enable
     index 1
     type employee
     essid TEST-Enterprise
     opmode wpa2-aes
     max-authentication-failures 0
     auth-server InternalServer
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    auth-survivability cache-time-out 24



    wlan captive-portal
     background-color 13421772
     banner-color 16750848
     banner-text "Welcome to Guest Network"
     terms-of-use "This network is not secure, and use is at your own risk"
     use-policy "Please read terms and conditions before using Guest Network"
     authenticated

    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"
     auto-whitelist-disable
     https


    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids classification

    ids
     wireless-containment none

    ip dhcp Pool1
     server-type Local
     server-vlan 1
     subnet 192.168.123.0
     subnet-mask 255.255.255.0
     lease-time 7200
     dns-server 151.99.125.1
     domain-name test.loc




    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x

    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180


    airgroup
     disable

    airgroupservice airplay
     disable
     description AirPlay

    airgroupservice airprint
     disable
     description AirPrint

    --------------------------------------------------------------------------------------------------------------

    I also note that if I reboot my IAP, the certificate uploaded previously is lost.



  • 6.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 09, 2014 11:39 AM
    Can you also share with us the cert file you uploaded to the IAP?


  • 7.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 09, 2014 12:01 PM

    I use a certificate created with OpenSSL; this is a test.




  • 8.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 10, 2014 09:30 AM

    I tried using the Aruba default certificate for the IAP (CA GeoTrust) and it works, so I suppose the problem is with my certificate.

    The WLAN settings on my client are in the attachment.



  • 9.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 10, 2014 02:24 PM
    Hi,

    Does your private certificate include a private key? You need an X509 file with both the cert and the private key in order to do internal RADIUS.

    Thanks,

    Yan


  • 10.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 15, 2014 02:37 AM

    Hi,

    Thanks for your suggestions!

    Yes, my certificate includes a private key. The certificate that I import into the IAP is a .cer file.



  • 11.  RE: Enterprise SSID with Internal RADIUS Server

    Posted Jan 15, 2014 03:09 AM
    Hi,

    I believe the cert content that you pasted in your earlier post did not include the private key. Does the .cer file that you have include a "PRIVATE KEY" section in addition to the section that you pasted? If so, is there a chance of sharing the full file? Of course, if this gives you concern over privacy/security, we completely understand and will try to proceed without it.

    Thanks,

    Yan
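Posts 9 and 11 turn on whether the uploaded file carries a private key block alongside the certificate. The following is an added example (not code from the thread or from Aruba) that inspects a PEM file for exactly that; the sample files it checks are constructed placeholders, not the poster's certificate, and the label set it accepts is an assumption about common PEM key labels.

```python
import base64
import re

# Matches one PEM block and captures its label (e.g. CERTIFICATE, RSA PRIVATE KEY).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Assumed set of unencrypted private-key labels a server-cert upload needs.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, der_bytes) for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # corrupt base64: an AP could not use this block either
        if der:
            blocks.append((label, der))
    return blocks


def check_auth_server_file(text):
    """Report whether a file has what an auth-server cert upload needs:
    a CERTIFICATE block plus an unencrypted PRIVATE KEY block."""
    labels = [label for label, _ in pem_blocks(text)]
    has_cert = "CERTIFICATE" in labels
    has_key = any(label in KEY_LABELS for label in labels)
    return {
        "certificate": has_cert,
        "private_key": has_key,
        "encrypted_key": "ENCRYPTED PRIVATE KEY" in labels,  # needs a passphrase
        "usable": has_cert and has_key,
    }


def _fake_block(label, payload):
    # Constructed PEM block with dummy base64 content, not a real cert or key.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: the first mirrors the cert-only .cer pasted in the thread,
# the second is the cert-plus-key bundle the replies ask for.
CERT_ONLY_PEM = _fake_block("CERTIFICATE", b"constructed certificate placeholder")
CERT_AND_KEY_PEM = CERT_ONLY_PEM + _fake_block("RSA PRIVATE KEY", b"constructed key")

if __name__ == "__main__":
    for name, pem in (("cert only", CERT_ONLY_PEM), ("cert+key", CERT_AND_KEY_PEM)):
        print(name, check_auth_server_file(pem))
```

Run it against the real file before uploading: a result with `certificate` true and `private_key` false reproduces the situation described in the thread.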