IAP-225 Radius Server OneLogin

Hi,

Does anyone here have experience setting up an IAP-225 with the external OneLogin RADIUS server? For some reason I can't get it to work. I already read this: https://onelogin.zendesk.com/hc/en-us/articles/202361670

And tried this: http://www.arubanetworks.com/techdocs/InstantMobile/Advanced/Content/External%20RADIUS%20Server.htm

If I try with my client locally via radtest I get accepted, but when I try via the IAP-225 I always get rejected. Also, depending on the configuration with Termination Enabled, I usually time out/reject by connecting to 127.0.0.1.

adius authenticate raw using server t_OneLoginRadiusServer

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_request.c:52] Add Request: id=6, srv=127.0.0.1, fd=18

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1695] Sending radius request to t_OneLoginRadiusServer:127.0.0.1:2630 id:6,len:209

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  User-Name: fabian

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  NAS-IP-Address: 127.0.0.1

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  NAS-Port-Id: 0

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  NAS-Identifier: nonasid

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  NAS-Port-Type: 19

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Calling-Station-Id: 34363bcce418

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Called-Station-Id: 40e3d6c56f52

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Service-Type: Login-User

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Framed-MTU: 1100

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  EAP-Message: \002\003

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  State: }\364\374\305}\344\351\006\300\342\270\225\2659\371\315

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Aruba-Essid-Name: Test 5G

 

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Aruba-AP-Group: instant-C5:6F:52

Jan  9 23:26:01  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_server.c:1705]  Message-Auth: \016X\341Z1\257*\231\265\347\366.\367\232N\202

Jan  9 23:26:02  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_request.c:76] Find Request: id=6, srv=127.0.0.1, fd=18

Jan  9 23:26:02  stm[2475]: <121031> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm| |aaa| [rc_request.c:82]  Current entry: srv=127.0.0.1, fd=18

Jan  9 23:26:02  stm[2475]: <121050> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm|  in rc_aal.c(server_cbh),auth result = 1, with user name = fabian

Jan  9 23:26:02  stm[2475]: <121050> <DBUG> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm|  ACESS_ACCEPT or ACCESS_REJECT message received

Jan  9 23:26:02  stm[2475]: <132207> <ERRS> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm|  RADIUS reject for station fabian 34:36:3b:cc:e4:18 from server t_OneLoginRadiusServer.

Jan  9 23:26:02  stm[2475]: <132053> <ERRS> |AP 40:e3:d6:c5:6f:52@10.0.9.3 stm|  Dropping the radius packet for Station 34:36:3b:cc:e4:18 40:e3:d6:d6:f5:30 doing 802.1x

Also, any idea how I can configure 2FA with the Google Authenticator OTP device?

Best,

Fabian


Accepted Solutions

Re: IAP-225 Radius Server OneLogin

Looks like AIs support only PEAP-GTC and PEAP-MSCHAPv2

http://www.arubanetworks.com/techdocs/InstantMobile/Advanced/Content/External%20RADIUS%20Server.htm

But OneLogin supports only PAP or EAP-TTLS/PAP



All Replies

Re: IAP-225 Radius Server OneLogin

Yes, that is correct. The best workaround would be using an Active Directory, but this solution won't work with the RADIUS server OneLogin provides.


Re: IAP-225 Radius Server OneLogin

As Tim suggested here http://community.arubanetworks.com/t5/Wireless-Access/Controller-integration-with-OneLogin/td-p/249926/highlight/false I tried to configure EAP-TTLS/PAP on my Mac and it works!

IAPs are EAP-agnostic - that means you should define the protocol on the client.
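
Added example, not part of the original thread: a wpa_supplicant network block for a Linux client that selects EAP-TTLS/PAP on the client side, as the last reply describes doing on a Mac. The SSID and user name come from the debug log above; the password, CA path, server name and outer identity are placeholders.

```conf
# wpa_supplicant.conf network block (added example; placeholders marked)
network={
    # SSID and user name as they appear in the AP debug log above
    ssid="Test 5G"
    key_mgmt=WPA-EAP
    # Outer method EAP-TTLS, inner method PAP: the combination the
    # thread reports the OneLogin RADIUS service accepting
    eap=TTLS
    phase2="auth=PAP"
    identity="fabian"
    # Placeholder outer identity, sent before the TLS tunnel exists
    anonymous_identity="anonymous"
    # Placeholder; PAP carries this password in clear text inside the tunnel
    password="REPLACE_WITH_PASSWORD"
    # Placeholder path: CA that issued the RADIUS server certificate.
    # Without ca_cert the server certificate is not verified, and the
    # tunnel is the only protection the PAP password has.
    ca_cert="/etc/ssl/certs/REPLACE_WITH_RADIUS_CA.pem"
    # Placeholder name: accept only a server certificate for this domain
    domain_suffix_match="radius.example.com"
}
```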
