Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x with internal db and Radius server

  • 1.  802.1x with internal db and Radius server

    Posted Mar 23, 2014 08:09 PM

    Hi,

     

    We have set up dot1x authentication using an LDAP server. We also want to add the internal DB to the server group so users who are on the internal DB can also be authenticated using dot1x. Is it possible? I tried to enable termination on the Aruba controller, but then it doesn't authenticate clients using the RADIUS server.

     

    We need an SSID which can authenticate both users on the RADIUS server and users on the internal DB.

     

    Please advise.



  • 2.  RE: 802.1x with internal db and Radius server

    EMPLOYEE
    Posted Mar 23, 2014 08:52 PM

    If you have a radius server that is pointing to LDAP and it is working, that means you have a server certificate on the radius server that your clients trust.  To put local users on the controller and enable termination, you need to issue a server certificate to the controller that your clients ALSO trust.  Have you issued a server certificate to the controller and referenced it in the 802.1x profile on the controller?

     



  • 3.  RE: 802.1x with internal db and Radius server

    Posted Mar 23, 2014 08:57 PM

    How can I make the server issue a certificate to the controller?



  • 4.  RE: 802.1x with internal db and Radius server

    EMPLOYEE
    Posted Mar 23, 2014 08:59 PM

    If you have 802.1x working on your radius server you must have a certificate authority that issued it a server certificate.  You just need to have that Certificate Authority (CA) issue the Aruba controller a Server certificate to terminate EAP requests.  

     

    Quite frankly, it is not worth the effort of issuing a server certificate for a controller just to authenticate local users on the controller.  It would be easier to find a way to put users on the RADIUS server locally or in LDAP.

     



  • 5.  RE: 802.1x with internal db and Radius server

    Posted Mar 23, 2014 09:08 PM

    Yes you are right.

     

    I will setup guest users in AD.

    One more quick question. I have created a server group and I have set up a NAS ID so that on my NPS server I can create a rule, and that NAS ID, when carried in the packets, should be matched only against the rule which has the NAS PORT ID attribute set up on NPS. But this is not happening. The request moves on to the next rule (which is to authenticate students with a different NAS ID from the controller) and authenticates a user on the SSID where it should not. Suppose it is authenticating a student user on the staff SSID.

     

    Any ideas?



  • 6.  RE: 802.1x with internal db and Radius server

    EMPLOYEE
    Posted Mar 23, 2014 09:12 PM

    The NAS ID and the NAS port ID are not the same thing.  If you configure a NAS-ID on the controller, your rule on NPS should have a NAS-ID that is matching, as well.  On the NPS server, go into the Event Viewer under Server Roles and NPS to see the contents of the incoming request to see what is wrong.



  • 7.  RE: 802.1x with internal db and Radius server

    Posted Mar 23, 2014 09:18 PM

    Yes, I am going through the logs and nothing is obvious. It was working alright 2 hours ago. I was creating a new SSID and created a new NPS rule according to the new SSID. But as the new rule is below the old rule, it has started to authenticate users based on the new rule on the previous SSID as well. :(

     

    Don't know how :(



  • 8.  RE: 802.1x with internal db and Radius server

    EMPLOYEE
    Posted Mar 23, 2014 09:31 PM

    Your most specific NPS rule needs to be first.



  • 9.  RE: 802.1x with internal db and Radius server

    Posted Mar 23, 2014 09:36 PM

    It is first. It was working fine.

     

    Can I ask you, if I want a rule to be matched and only respond to a request if the NAS ID matches, then how should I achieve this? What should be the parameters at both ends, that is the controller and NPS?

     

    On the controller it is NAS ID but on NPS it is NAS PORT ID; I don't know what's the difference.



  • 10.  RE: 802.1x with internal db and Radius server
    Best Answer

    EMPLOYEE
    Posted Mar 23, 2014 09:53 PM

    The NAS-ID configured in the RADIUS server on the Aruba Controller is the same NAS-ID that is seen in the NPS Event Viewer and can be referenced in the remote access policy.

     

    If you have two different SSIDs and you want to differentiate between them, on the Aruba Controller you will need to (1) Create a new Radius server exactly like the previous one, except the NAS-ID is different (2) Create a new server group and put that new server in it (3) Add that server group to the new AAA profile for the Virtual AP for that new WLAN:

     

    Radius Server Config on the Aruba Controller:

    nas1.png

     

    How it looks in the Event Viewer on the NPS server:

     

    nas2.png

     

    How you make it a condition in your remote access policy on NPS:

    nas3.png

     

    nas4.png
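    The point made in replies 6, 8 and 10 (NAS-Identifier and NAS-Port-Id are different RADIUS attributes, and an ordered policy list falls through to a less specific rule when a condition is keyed on the wrong one) can be reproduced offline. The following is an added example, not code from the thread or from HPE Aruba / Microsoft: it builds a constructed Access-Request, decodes its attribute TLVs, and evaluates two policy lists in order, the way NPS processes network policies. Attribute type numbers come from RFC 2865 (User-Name 1, NAS-Identifier 32) and RFC 2869 (NAS-Port-Id 87); the policy names and SSID strings are constructed.

```python
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2869).
USER_NAME = 1
NAS_IDENTIFIER = 32   # what the controller's "NAS-ID" setting populates
NAS_PORT_ID = 87      # a different attribute, describing the physical/logical port


def parse_attributes(payload: bytes) -> dict:
    """Decode the Type(1) Length(1) Value(Length-2) TLVs that follow the
    20-byte RADIUS header. Returns {type: [value bytes, ...]}."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return attrs


def build_request(user: str, nas_id: str, nas_port_id: str) -> bytes:
    """Constructed Access-Request (code 1, identifier 7, zeroed authenticator)."""
    def tlv(t, s):
        v = s.encode()
        return bytes([t, len(v) + 2]) + v
    body = tlv(USER_NAME, user) + tlv(NAS_IDENTIFIER, nas_id) + tlv(NAS_PORT_ID, nas_port_id)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


def match_policy(policies, attrs):
    """NPS-style ordered evaluation: the first policy whose every condition
    matches wins. Conditions are {attr_type: expected string}; a policy with
    no NAS condition matches any request (a group-only rule)."""
    for name, conditions in policies:
        if all(attrs.get(t, [b""])[0].decode() == v for t, v in conditions.items()):
            return name
    return None


def evaluate(nas_id: str) -> tuple:
    """Return (policy hit with the condition on NAS-Port-Id, hit with it on NAS-Identifier)."""
    attrs = parse_attributes(build_request("alice", nas_id, "ap1:wlan0")[20:])
    wrong = [("Staff", {NAS_PORT_ID: nas_id}), ("Students", {})]     # condition on wrong attribute
    right = [("Staff", {NAS_IDENTIFIER: nas_id}), ("Students", {})]  # condition on NAS-Identifier
    return match_policy(wrong, attrs), match_policy(right, attrs)
```

    With the condition placed on NAS-Port-Id the staff request falls through to the student rule, which is the symptom described in reply 5; keyed on NAS-Identifier it matches the first, most specific rule.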



  • 11.  RE: 802.1x with internal db and Radius server

    Posted Mar 23, 2014 10:34 PM

    All good now. Your last post helped me. I was entering NAS identifier at wrong place :(

    Thanks a lot.



  • 12.  RE: 802.1x with internal db and Radius server

    Posted Mar 23, 2014 08:52 PM

    edit



  • 13.  RE: 802.1x with internal db and Radius server

    Posted Mar 23, 2014 08:56 PM

    No I haven't tried that.