Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x in front of token USB.

  • 1.  802.1x in front of token USB.

    Posted Jul 01, 2012 02:38 PM

    Hi AirHeads Forum.

    I'm deploying a controller these days in front of RADIUS (Windows 2003).

    I added the RADIUS server as normal, built an 802.1x auth server group, and added the right AAA profile to the VAP.

    (When testing username and password auth in AAA-test, everything works great.)

    The client in this organization is using a USB token (that has the cert on it).

    I don't know what I'm doing wrong, but the client keeps getting stuck in validating identity.

    Does anyone here have advice?

     

    Please S.O.S



  • 2.  RE: 802.1x in front of token USB.

    Posted Jul 01, 2012 11:55 PM

    Can you verify what authentication type the IAS server is using? If you can do a AAA test server successfully, you know the RADIUS communication is functioning, but it seems as though either the client is not configured to use EAP-TLS or no matching RADIUS policy on IAS is set up to use EAP-TLS. Looking at the System Event log on the IAS server at the time of authentication should give you some information about the logon attempt/failure. Can you share that?



  • 3.  RE: 802.1x in front of token USB.

    Posted Jul 02, 2012 06:02 AM

    1. We’re using only MS-CHAP v2 authentication.

    2. We have made progress, and currently we're getting the following errors on the RADIUS server:

        Event Type: Warning
        Event Source: IAS
        Event Category: None
        Event ID: 2
        Date: 7/2/2012
        Time: 11:59:33 AM
        User: N/A
        Computer: RINGMASTER
        Description: User Adi-g@orbotech.org was denied access.
        Fully-Qualified-User-Name = orbotech.org/ORB/ISL/Adi Gamliel
        NAS-IP-Address = 172.23.17.60
        NAS-Identifier = aubra-master
        Called-Station-Identifier = 000B866DCC3C
        Calling-Station-Identifier = 00166F3F1BE1
        Client-Friendly-Name = Aruba
        Client-IP-Address = 172.23.17.60
        NAS-Port-Type = Wireless - IEEE 802.11
        NAS-Port = 0
        Proxy-Policy-Name = Use Windows authentication for all users
        Authentication-Provider = Windows
        Authentication-Server =
        Policy-Name = Aruba 3600 Adi
        Authentication-Type = EAP
        EAP-Type =
        Reason-Code = 22
        Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
        For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
        Data: 0000: 00 00 00 00 ....



  • 4.  RE: 802.1x in front of token USB.

    Posted Jul 05, 2012 10:52 PM

    I think that is where the confusion is. In your original post, you mention using certificates on the USB device. Using certificates means using EAP-TLS, not MS-CHAP v2. The "Reason Code" in your event log indicates a mismatch in the EAP type. For example, the client is trying to use a certificate (EAP-TLS), but the IAS policy only supports PEAP-MSCHAP v2 or something else.
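
Added example, not part of any post in this thread: a small Python parser for an IAS denial event pasted as one flattened line (as in post 3), which pulls out the attributes and points at the matched policy when the Reason-Code is 22. The field list is taken from the event quoted above; the sample event values and the function names `parse_ias_event` and `triage` are constructed for illustration.

```python
import re

# Attribute names as they appear in the IAS event quoted in post 3.
IAS_FIELDS = [
    "Fully-Qualified-User-Name", "NAS-IP-Address", "NAS-Identifier",
    "Called-Station-Identifier", "Calling-Station-Identifier",
    "Client-Friendly-Name", "Client-IP-Address", "NAS-Port-Type", "NAS-Port",
    "Proxy-Policy-Name", "Authentication-Provider", "Authentication-Server",
    "Policy-Name", "Authentication-Type", "EAP-Type", "Reason-Code", "Reason",
]
# Longest names first; the lookbehind stops "Policy-Name" matching inside
# "Proxy-Policy-Name" and the trailing " =" separates "Reason" from "Reason-Code".
_FIELD_RE = re.compile(
    r"(?<![\w-])("
    + "|".join(sorted(map(re.escape, IAS_FIELDS), key=len, reverse=True))
    + r") ="
)

def parse_ias_event(text):
    """Split 'Name = value Name = value ...' into a dict; values may be empty."""
    matches = list(_FIELD_RE.finditer(text))
    fields = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields

def triage(fields):
    """Return a one-line hint for the EAP type mismatch discussed in post 4."""
    if fields.get("Reason-Code") == "22":
        return ("Reason-Code 22: the server cannot process the client's EAP type. "
                "Compare the EAP method configured on the client with the EAP "
                f"types allowed by IAS policy '{fields.get('Policy-Name', '?')}'.")
    return f"Reason-Code {fields.get('Reason-Code', '?')}: {fields.get('Reason', '')}"

# Constructed sample event (placeholder user, address and policy names).
SAMPLE = (
    "User alice@example.org was denied access. "
    "Fully-Qualified-User-Name = example.org/Users/Alice "
    "NAS-IP-Address = 192.0.2.10 NAS-Identifier = wlc-1 "
    "Client-Friendly-Name = Aruba NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = 0 "
    "Proxy-Policy-Name = Use Windows authentication for all users "
    "Authentication-Provider = Windows Authentication-Server = "
    "Policy-Name = Example Wireless Policy Authentication-Type = EAP EAP-Type = "
    "Reason-Code = 22 Reason = The client could not be authenticated because the "
    "Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
)

if __name__ == "__main__":
    print(triage(parse_ias_event(SAMPLE)))
```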