Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certification error when connecting to AP

  • 1.  Certification error when connecting to AP

    Posted Jul 10, 2012 09:44 AM

    Hey Guys,

     

    Just got some new Aruba/Dell equipment for the office; a Dell W-650 controller and 4 AP-105 access points. I think I've got it mostly up and configured, but I am receiving the following error when I attempt to connect using my Windows 7 test machine.

     

    "Radius Server:           securelogin.arubanetworks.com
    Root CA:                    AddTrust External CA Root

    The server "securelogin.arubanetworks.com" presented a valid certificate issued by "AddTrust External CA Root", but "AddTrust External CA Root" is not configured as a valid trust anchor for this profile."

     

    I have a RADIUS server set up on Windows Server 2008, and I am able to test authenticate successfully using the built-in diagnostic tool. I have imported my own SSL certificate into the controller, and my APs are in the state "sertified-switch-cert."

     

    From this error I gather that the AP is still attempting to hand out the built-in Aruba certificate rather than my own. If this is the case, how do I tell the APs to use my SSL certificate instead?

     

    Thanks in advance for any help, and apologies if this is a newbie question; this is all brand new to me.



  • 2.  RE: Certification error when connecting to AP

    Posted Jul 10, 2012 09:52 AM

    The APs don't hand out certificates.  Please note certs are checked against either a) Radius server or b) Controller.

     

    They are ordinarily (by default) checked with the Radius server, or by exception (by non-default) against the controller if you have a feature called "Termination" activated on the controller under AAA-Profile/dot1x profile.

     

    Can you please verify if termination was enabled?  If it is you can disable and that will force the client to interact with the radius server and should alleviate the certificate dependency upon the controller.

     

    ..and just to verify you are trying to do a Windows 7 802.1x wireless connection in your test, correct ?



  • 3.  RE: Certification error when connecting to AP

    Posted Jul 10, 2012 10:39 AM

    I checked out the termination setting in the AAA-profile/dot1x profile area and it does appear to be unchecked (as seen in the attached screenshot). When I attempt to connect using my Windows 7 client I am simply selecting my SSID it from the list of available wireless networks and clicking connect. I am assuming it knows to connect using 802.1x automatically (but maybe not).



  • 4.  RE: Certification error when connecting to AP
    Best Answer

    Posted Jul 10, 2012 01:38 PM

    Okay, so I've created a new AAA profile and 802.1X profile and made sure the AAA profile is associated with the correct 802.1X profile, 802.1X authentication server group, and RADIUS accounting server group. I then provisioned all my APs to the new auth group I created.

     

    Under the 802.1X profile, if I leave termination checked I get the same error message as I showed in my original post (or, on XP, "cannot find certificate" and, on MacOS, "connection timeout"). With the termination option unchecked, on my Windows 7 machine the connection will instantly fail (on XP and Mac it will attempt to connect for a while before timing out).

     

    From your post I understand the "termination" option needs to be unchecked in order to get a certificate from my RADIUS server, however that doesn't seem to be happening. Is there an option somewhere I need to check in order to have the certificate distributed to client machines?



  • 5.  RE: Certification error when connecting to AP

    EMPLOYEE
    Posted Jul 11, 2012 01:40 AM

    Windows XP clients do not "guess" the correct parameters correctly and need to be setup manually.  In specific, you need to make sure that "PEAP" is configured in the wireless definition instead of "SmartCard or other Certificate".  Also, for testing, make sure "Validate Server Certificate" is unchecked, so that you can at least get authentication going.

     

    What guide did you use to setup your server and Controller?

     

    If it is Windows 2008, please use the guide in the thread here to check your steps:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

     

     



  • 6.  RE: Certification error when connecting to AP

    Posted Jul 11, 2012 09:26 AM

    Thanks for your help so far. I have gone through the guide to check my steps (though many were already completed since this machine is already our DC and already had NPS installed). As per your recommendation I also set manually the connection settings on my Windows 7 client with the following settings:

     

    Security Type: WPA2-Enterprise

    Encryption Type: AES

    Network Authentication: Protected EAP (and Unchecked "validate server certificate")

    Authentication Method: EAP-MSCHAP v2 (using domain credentials)

     

    I believe I am getting a little further now. I am still not able to connect with termination disabled, however I was able to retrieve the following logs using the "show auth-tracebuf" command:

     

    Jul 11 10:12:47  station-up             *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -    wpa2 aes
    Jul 11 10:12:47  eap-id-req            <-  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   5
    Jul 11 10:12:47  eap-start             ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -
    Jul 11 10:12:47  eap-id-req            <-  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   5
    Jul 11 10:12:47  eap-id-resp           ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   49   host/win7machine.mycompany.com
    Jul 11 10:12:47  rad-req               ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 43  253
    Jul 11 10:12:47  eap-id-resp           ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   49   host/win7machine.mycompany.com
    Jul 11 10:12:47  rad-reject            <-  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa/192.168.221.30  43  44
    Jul 11 10:12:47  eap-failure           <-  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   4    server rejected
    Jul 11 10:12:47  station-held           *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -
    Jul 11 10:12:52  station-held           *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -
    Jul 11 10:12:57  station-held           *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -
    Jul 11 10:13:02  station-down           *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -

     

    From this I gather that the request is actually being rejected at the RADIUS server because of some error in the way I have EAP configured, but I am still not sure what that is. Is there somewhere on the Windows 2008 box I can check for more detailed logs that would reveal the root of the problem? I checked the event viewer, but did not find any details.



  • 7.  RE: Certification error when connecting to AP

    Posted Jul 11, 2012 09:30 AM

    There are multiple logging locations on a windoze Radius server.  The event viewer is only one of them.  Pretty confusing to have logs in multiple places, but that's due to the server only doing radius as a part-time process I guess.

     

    What logs have you seen on the radius thus far ... e.g. have you seen the user-deny log messages for each authentication attempt ?  Those are key to understanding what is going on.    

     

    On the NPS side  I assume you have PEAP/MSCHAPv2 selected as the EAP methodology to utilize ?



  • 8.  RE: Certification error when connecting to AP

    Posted Jul 11, 2012 09:47 AM

    Yes, I have both of those EAP methodologies selected. You can see my settings on the NPS below:

     

    http://i1028.photobucket.com/albums/y345/mckoneds/Aruba/1.png

    http://i1028.photobucket.com/albums/y345/mckoneds/Aruba/3.png

    http://i1028.photobucket.com/albums/y345/mckoneds/Aruba/3.png

    http://i1028.photobucket.com/albums/y345/mckoneds/Aruba/4.png

     

    Thus far the only logs I have seen are the ones I received from the controller. I have not seen any authentication errors on the Windows server, but that could be because I don't know where to look.

     

    I have made one more change as well. On my Windows 7 client I updated the advanced 802.1X settings to specify "user authentication" only, since I do not believe machine authentication will be necessary (I think???). I am now receiving a different error from the Aruba controller, but a failure nonetheless.

     

    Jul 11 10:22:45  station-up             *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -    wpa2 aes
    Jul 11 10:22:45  eap-id-req            <-  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   5
    Jul 11 10:22:45  eap-start             ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -
    Jul 11 10:22:45  eap-id-req            <-  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   5
    Jul 11 10:22:45  eap-id-resp           ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   34   mydomain\myuser
    Jul 11 10:22:45  rad-req               ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 45  223
    Jul 11 10:22:45  eap-id-resp           ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   34   mydomain\myuser
    Jul 11 10:23:03  eap-start             ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -
    Jul 11 10:23:03  eap-id-req            <-  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 2   5
    Jul 11 10:23:03  eap-id-resp           ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 2   34   mydomain\myuser
    Jul 11 10:23:21  station-down           *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -
    Jul 11 10:23:25  server out-of-service  *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa/192.168.221.30  -   -    server timeout
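    The two traces above end differently (a "server rejected" EAP failure versus a "server timeout"), and telling them apart is the whole diagnostic question in this thread. The following is an added example, not code from the original posts or from Aruba: it parses `show auth-tracebuf` lines using the column layout visible in the quoted traces (timestamp, event, direction, station MAC, BSSID with an optional /RADIUS-IP suffix, id, length, free-text detail) and classifies the outcome. The column layout and the sample lines are taken from this thread; the event names it tests for are only the ones that appear here.

```python
import re

# Parser for ArubaOS "show auth-tracebuf" output, with a classifier for how an
# 802.1X attempt ended. Column layout is assumed from the traces quoted in this thread:
#   <timestamp>  <event>  <* | <- | ->>  <station MAC>  <BSSID>[/<RADIUS IP>]  <id>  <len>  [detail]
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>\S.*?)\s+(?P<dir>\*|<-|->)\s+"          # event names may contain spaces
    r"(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:/(?P<server>\d{1,3}(?:\.\d{1,3}){3}))?\s+"      # RADIUS server IP, when shown
    r"(?P<id>\S+)\s+(?P<len>\S+)(?:\s+(?P<detail>.*\S))?\s*$"
)

def parse_tracebuf(text):
    """Return one dict per trace line; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in (_LINE.match(ln.strip()) for ln in text.splitlines()) if m]

def identity_type(records):
    """'machine' for a host/<fqdn> EAP identity, 'user' for anything else, None if no identity."""
    ids = [r["detail"] for r in records if r["event"] == "eap-id-resp" and r["detail"]]
    if not ids:
        return None
    return "machine" if ids[0].startswith("host/") else "user"

def diagnose(records):
    """'rejected' when the RADIUS server answered with a reject, 'server-timeout' when it
    never answered, otherwise 'no-verdict'. Both verdicts appear in this thread's traces."""
    events = {r["event"] for r in records}
    if "rad-reject" in events:
        return "rejected"          # request reached NPS: look for its deny event there
    if any(r["event"] == "server out-of-service" and r["detail"] == "server timeout"
           for r in records):
        return "server-timeout"    # no reply: check reachability, NAS client entry, shared secret
    return "no-verdict"

def radius_servers(records):
    """Distinct RADIUS server IPs that appear on rad-reject / out-of-service lines."""
    return sorted({r["server"] for r in records if r["server"]})

# Constructed sample, trimmed from the second trace in this thread (user identity, no RADIUS reply).
SAMPLE_TIMEOUT = r"""
Jul 11 10:22:45  station-up             *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 -   -    wpa2 aes
Jul 11 10:22:45  eap-id-resp           ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 1   34   mydomain\myuser
Jul 11 10:22:45  rad-req               ->  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa                 45  223
Jul 11 10:23:25  server out-of-service  *  58:b0:35:7d:7b:87  d8:c7:c8:f8:2f:aa/192.168.221.30  -   -    server timeout
"""
```

    Running `diagnose(parse_tracebuf(SAMPLE_TIMEOUT))` yields "server-timeout", while the first trace in this thread (with its rad-reject line) yields "rejected"; the distinction tells you whether to look at the NPS event log or at the path between controller and server.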



  • 9.  RE: Certification error when connecting to AP

    Posted Jul 11, 2012 10:57 AM

    Ok, so here's a really weird thing. When I use the AAA test utility everything works fine. I can enter my username and password or domain\username and password; both will work perfectly fine. I even get a success message in the event viewer:

     

    "Network Policy Server granted full access to a user because the host met the defined health policy."

     

    However when I attempt to connect using my Windows 7 client, I get nothing at all in the event viewer.

     

    EDIT:

     

    I just found the command to display the security log. In the output this is what I'm seeing with termination disabled.

     

    Jul 11 16:26:33 :132053: <ERRS> |authmgr| Dropping the radius packet for Station 58:b0:35:7d:7b:87 d8:c7:c8:f8:2f:aa doing 802.1x

     

    Any ideas on why that would happen? Assuming I am not validating the certificate that should rule out certificate issues, and if nothing is even being logged on the RADIUS side that leads me to believe that message isn't even making it to the server.

     

    Also, my server statistics (using "#show aaa authentication-server radius statistics") show a lot of timeouts. It seems as though with termination disabled it is not even talking to the RADIUS server at all. There is no reason why it would time out since ping and tracert tests are fine. There must be a setting somewhere messed up. Any ideas?



  • 10.  RE: Certification error when connecting to AP

    Posted Jul 12, 2012 07:18 PM

    Just spent the last 4 hours on the phone with Dell/Aruba tech support. Still can't pinpoint the cause of the issue, even after doing a wireshark trace. We even did a factory reset on the controller and built it from the ground up. Still no closer to answers. It appears the issue is with the RADIUS server, though neither I nor the tech could figure out where. Guess I am going to try to set up RADIUS on my Server 2003 secondary DC to see if that resolves the issue. Is there some known RADIUS issue with Server 2008?



  • 11.  RE: Certification error when connecting to AP

    Posted Sep 02, 2012 11:08 AM

    Any update on this issue?

    We are facing a similar issue and would like to hear from you if it's fixed.

     

    Thanks



  • 12.  RE: Certification error when connecting to AP

    EMPLOYEE
    Posted Sep 02, 2012 12:24 PM

    Shaba,

     

    Please open a separate thread if you are having a similar issue, so that we can learn the details of your problem and work on it.



  • 13.  RE: Certification error when connecting to AP

    Posted Sep 02, 2012 02:30 PM

    Done