Controllerless Networks

I am trying to do 802.1x authentication with IAP-135, which is RADIUS Server to talk with IAP-135.

i have setup a RADIUS Server (via Windows Server 2012)

 

I am confused with the IP assignment.

 

1. When I configure 802.1X, I created a RADIUS client. The IP address of this RADIUS client should comes from IAP-135 (Master).

 

2. When I clicked on the 'Security' tab - Authentication Server, I created a RADIUS Server. This IP address should come from the IP address of my RADIUS Server (WIndows Server 2012)

 

Am I right? Any misconfigurations? Any missing steps?

 

When I login to Instant User Interface, I discovered there is a client available on the instant network. The IP address of this client belongs to?

 

Pls advise.

Did you setup a WLAN?  If you did not, the initial "Instant" SSID is still broadcasting and accepting clients.

I have a created  WLAN, domain: WLAN.net.

Did you delete the instant WLAN, or is it still broadcasting?

I created a new SSID = TestIAP, now the Istant SSID is erased.

Add VC IP address and add that as the radius client , make sure you enable dynamic radius proxy under the system settings

Dynamic radius proxy = enabled.

 

But the IP address of Virtual Controller should not 0.0.0.0 .

This IP address comes from where?

 

Please advise.

What is the reason for enabling  dynamic radius proxy?

enabling dynamic radius proxy is so that source IP address is always that of the virtual controller so you will only need one client entry on your radius server; this is no matter what access point a client authenticates to.  Where do you see 0.0.0.0?

Under the system's settings, General tab.

When I install Certificate Authority, the setup type is standalone. I can't select Enterprise type. Could this be the root issue?

Suggestforme,

 

You can make that any ip address on the subnet.  Consider it the consistent address that the Virtual Controller will have, no matter which IAP is the master controller.  http://www.arubanetworks.com/techdocs/Instant_40_WebHelp/InstantWebHelp.htm#UG_files/virtual_controller/Virtual_Controller_IP_Ad.htm

 

When you have enable dynamic radius proxy enabled, it also will always be the source ip address of radius authentication to your radius server.

cjoseph,

 

I followed the steps listed in this link,

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

 

However, the server I am using is Windows Server 2012.

 

I can't authenticate against my Windows Server 2012.

Do not enable termination on instant.  You should try authenticating with a smartphone first.  Do you see anything in the eventviewer in the Windows 2008 server?

 

cjoseph,

 

There is no events displaysed on Event Viewer in Windows Server 2012.

 

But my WLAN.net network (in the WIndows Server 2012) shows limited access. See screenshot.

Are you trying to authenticate a server to the wireless?  Limited access means that there needs to be DHCP on that VLAN.

You should start by authenticating a smartphone to the wireless, not a server.

If you do not see anything in the event viewer, you do not have the radius server in the IAP pointing to your radius server you are using for authentication...

cjoseph,

 

I am try to perform Layer 2 authentication with RADIUS Server with IAP-135.

 

How should I go about doing it?

Suggestforme,

 

Please look at this link here: http://www.arubanetworks.com/techdocs/Instant_40_WebHelp/InstantWebHelp.htm#UG_files/WLAN_SSID_conf/ConfiguringSecuritySettings.htm to look at the necessary parameters.

cjoseph,

 

I am confused with the IP assignment.

 

1. When I I created a RADIUS client in NPS(Windows Server). The IP address of this RADIUS client should come where?

 

2. When I clicked on the 'Security' tab (in Instant UI) - Authentication Server, I created a RADIUS Server. Does this IP address should come from the IP address of my RADIUS Server (WIndows Server 2012)

 

3. I opened DHCP Manager, I clicked on Scope (refer to attached screenshoot). I saw 2 address pools. What does the range of this IP addresses imply? Please advise.

cjoseph,

 

I looked at the attached link and followed the instructions, I can't seem to authenticate RADIUS Server to "talk" with IAP-135

1. When I I created a RADIUS client in NPS(Windows Server). The IP address of this RADIUS client should come where?

 

that should be the IP address of you virtual master IAP, if you have just one, that IP

 

2. When I clicked on the 'Security' tab (in Instant UI) - Authentication Server, I created a RADIUS Server. Does this IP address should come from the IP address of my RADIUS Server (WIndows Server 2012)

 

yes that should be the IP of your radius server

 

3. I opened DHCP Manager, I clicked on Scope (refer to attached screenshoot). I saw 2 address pools. What does the range of this IP addresses imply? Please advise.

 

that is a bit out of scope for us, it is your network, you should know what is going on or ask someone who can tell you.

 

basically it shows two dhcps scopes, one in the 10. range and one in the 192.168. range.

it might be better to start a little simpler, create an open network or one with a WPA2 key and get that working. ones it works you can look at dot1x.

boneyard,

 

I managed to create an open network in the Instant UI.

 

I would like to focus on doing 802.1x authentication.

creating is one thing, but were you able to connect with a client and get network access?

 

as for dot1x, what exactly is holding you back now, you asked two questions about which IPs to use, those answers you have now. what isnt working, have you tried to connect? what happens?

 

NPS is a radius server, but the reporting isnt that good. have you checked the event viewer for radius related messages?

Hi boneyard,

 

With the issue on IP address assignment, I can't perform L2 authentication with Aruba Instant. That's holding me back.

I followed the steps configuration.

what issue of IP assignment? doesn't your IAP get an IP? sorry but you lost me. if you feel up to it please try to clearly describe what your current issue is.

Hi bomeyard,

Let's go the basics:

 

I want to perform 802.1x authentication, therefore,

my supplicant: my working laptop

my authenticator: my IAP-135 device

my authentication server should be my windows server 2012 (correct me if I am wrong).

 

Currently, I managed to create a Test SSID - (VC assigned IP, open, unrestricted.)
Instant SSID has been erased.

 

I created a server - Test.wlan.net (domain), with my IP address: 10.10.10.201 (I assume this is my RADIUS Server.)

 

In Open UI, under System Settings, I added an authentication server which the ip address should be my RADIUS Server.

My VC IP for Open SSID shows: 0.0.0.0

Master: 169.252.254.98 - This master IP is?

 

By right, when I click on Open SSID, I should be ask for my credential (PSK) to authenticate?  Am I right?

 

 

i would assume the IP is a bit different and an auto assigned apipa ip which means your dhcp doesnt function, can you check that when you connect a laptop in that network where the IAP is now it gets a good DHCP address?

 

how many IAPs are in the network? just one, nothing else around?

 

also an open network doesnt have a PSK, it is just open. a WPA(2) network would ask for a key.

 

you can configure the VC address your self if you want to.

Hi boneyard,

 

I only have one AP - IAP-135

 

The Test SSID which was created, the Security Level is Open, Role: Unrestricted.

 

I have attached a screenshot of Test SSID details.

No good DHCP address found.

you attached a screenshot of the windows IP settings which seem to be ok, you get an IP and not an odd one in my opinion.

 

what is the problem?

Hi boneyard,

Now I have connected my IAP-135 to a switch. (Switch can ping to IAP-135 & DHCP Server)

Switch cannot ping to NPS.

IAP-135 with the IP add: 192.168.X.X

Setup a DHCP-client with the IP add: 192.168.X.X

NPS(RADIUS) also connected to a switch too, with IP add: 192.168.X.X

IP addresses are of the same subnet mask, should be able to ping.

 

My NPS and IAP-135 does not communicate. Destination host unreachable.