Controllerless Networks

last person joined: 20 hours ago 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

RADIUS server in trusted domain

This thread has been viewed 1 times

  • 1.  RADIUS server in trusted domain

    Posted Apr 07, 2016 07:56 AM

    Hi all.

    I hope I can get some assistance with this issue so let me try explain.

    HQ has a bunch of 105s with Enterprise authentication and all the devices setup on the RADIUS server (the Domain Controller here) and all works as you would expect.  Laptops auto sign into the WiFi with the logged in user ID and PW when taken off the wired LAN.

    We have some remote sites with 205s where the users and laptops are on HQ's domain so they all work as expected also.

     

    The issue is:

    I recently setup three 205s in one of the remote sites whih is on a trusted domain and not the same domain as HQ. I set these APs up as clients on the Domain Controller here in HQ.

    If a user with a laptop from the HQ domain goes to the remote site, they can connect and authenticate onto the Enterprise wifi with no issue.

    However users on laptops on the remote site's Domain cannot login to the wifi either in the remote site or when they come onsite in HQ.

    They get the baloon in the bottom right informing them of this and they get a errors in the local System Event Viewer.

    The source of these erros is 'Schannel' and they are:

    Event ID 36888: The following fatal alert was generated: 48. The internal error state is 552.

    Event ID 36882: The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

     

    So I am hoping someone can point me in the right direction here.  What needs to be setup differently to allow the other domain's laptops to connect to the wifi network?

     

    All help appreciated as I am under pressure in work to get these Arubas working down in that remote site.

     

     

     



  • 2.  RE: RADIUS server in trusted domain

    EMPLOYEE


  • 3.  RE: RADIUS server in trusted domain

    Posted Apr 07, 2016 09:38 AM

    Thanks for that response and it encouraged me to research the Remote RADIUS options which results in more questions...

     

    My confusion is that all laptops on the HQ domain can connect to the wifi in the remote site with no options.

    So the APs in the remote site have a network that looks back to the HQ DC for it's RADIUS.

    Do I need to setup a remote RADIUS server group on the remote DC (which is in a different domain) and point that at the HQ DC?

     

    Also, if a laptop from the remote domain is here in HQ, then it is talking to APs which are looking only at the local domain for RADIUS, right now they cannot connect so what do I need to do there?

     

     

    I appreciate it is confusing for me to describe...so let me try clarify.

    Site 1 - DC with RADIUS and APS that point to this RADIUS.  Site 1 domain laptops connect no problem.  Site 2 domain laptops fail to connect.

    Site 2 - DC without RADIUS configured.  APs point to Site 1 RADIUS.  Site 2 domain laptops fail to connect to wifi but Site 1 domain laptops connect fine.

     

    So the issue does not appear to be location but the Site 2 domain...no laptops from there can connect to the wifi in either site whereas Site 1 domain laptops can connect fine in both sites.

     

    So I am worried about making changes to the APs settings in Site 2 as they work fine for Site 1 laptops....what do you reckon?

     



  • 4.  RE: RADIUS server in trusted domain

    EMPLOYEE
    Posted Apr 07, 2016 09:55 AM

    The laptops are not in the same domain, right?

    How are the domains related?

     



  • 5.  RE: RADIUS server in trusted domain

    Posted Apr 08, 2016 09:13 AM

    Hi there.

    Yes indeed the laptpops are on different domains.

    So in this situation there are two domains - connected via a 2-way external trust.

     

    I need to find out how to set the RADIUS etc. up so that laptops from both domains can indeed connect to the enterprise wifi from both sites as, as it stands, laptops from Domain 1 (HQ) can connect in both sites and laptops from Domain 2 can't and get the cert errors as detailed above.

     

    Cheers!

     



  • 6.  RE: RADIUS server in trusted domain

    Posted Apr 15, 2016 06:00 AM

    Hello there.

     

    Can anyone advise how I go about looging a ticket about this so I can get official support?

    As it stands the three Aruba 205's I have in that site are useless and I need a solution.

     

    Cheers.



  • 7.  RE: RADIUS server in trusted domain

    EMPLOYEE
    Posted Apr 15, 2016 06:29 AM

    You can send an email to support@arubanetworks.com



  • 8.  RE: RADIUS server in trusted domain

    EMPLOYEE
    Posted Apr 15, 2016 07:32 AM

    Quite frankly, the easiest way to do this is to stand up a radius server on both domains and dedicate an SSID to each domain that points to each radius server.  The radius proxy is another way, but it involves all clients trusting the server certificate on the radius server, which might or might not be doable, based on if you have control of group policy in both domains.  

     

    Standing up a separate radius server and a separate SSID for each domain could eliminate your trust issue and keep things separate.