Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

  • 1.  IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Feb 05, 2014 08:36 AM

    Hi All, was wondering if anyone had any idea of the exact IAP settings for authenticating users via LDAP to a Windows Server 2008 Active Directory server.

    I have numerous examples but none seem to work. I have configured an OpenLDAP server and authentication works immediately with LDAP, but NOT with the Windows domain controller. I have a successful bind established but no authentication is happening.

     

    I have the following formats for the filter string:

    filter: (&(objectclass=user)(objectcategory=person))

    key attribute: sAMAccountName

    I have also tried the following filter attribute:

    (&(objectcategory=user)(memberof=CN=Group,OU=Users,DC=Domain,DC=com)) to no avail.

     

    Does anyone have a working example of the settings for this to function against an AD server?


    Thanks




  • 2.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Feb 05, 2014 10:33 AM

    Are you doing PEAP EAP-MSCHAPv2 or EAP-TTLS PAP on the clients?

    EAP-TTLS PAP can work in this setup; PEAP EAP-MSCHAPv2, however, cannot. Using LDAP you cannot read password attributes from AD. You *can* do an LDAP bind, but for MSCHAPv2 you will need to terminate on AD directly (for this the IAP would need to be domain-joined, but this is not supported). The LDAP bind can only work with PAP.

    If you want to do PEAP-EAP MSCHAPv2 against AD you will need an external RADIUS server. You could look at FreeRADIUS, Microsoft NPS or perhaps ClearPass.
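    The split described in this reply, shown as an added FreeRADIUS 3.x configuration excerpt that is not from the thread or from Aruba: the ldap module can only verify a cleartext inner password (EAP-TTLS/PAP) by binding to AD as the user, while PEAP/EAP-MSCHAPv2 arrives as a challenge/response that LDAP cannot check, so it is delegated to a domain-joined winbind via ntlm_auth. The server name, DNs, domain name and bind password are placeholders.

```conf
# mods-available/ldap -- usable only when the inner method delivers a cleartext password
ldap {
    server = 'ldaps://dc1.example.com'          # placeholder; use LDAPS, the bind carries the password
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=com'   # placeholder bind account
    password = 'BIND-PASSWORD-PLACEHOLDER'
    base_dn = 'DC=example,DC=com'
    user {
        base_dn = "${..base_dn}"
        # Same objectClass/objectCategory filter the thread uses, keyed on sAMAccountName.
        # AD exposes no readable password attribute, so the only check possible here is a bind.
        filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
    }
}

# mods-available/mschap -- PEAP/EAP-MSCHAPv2 needs the NT hash; the RADIUS host must be
# domain-joined (Samba winbind) so ntlm_auth can verify the NT-Response against the DC.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-available/inner-tunnel -- route each inner method to the only check that can work for it
authorize {
    mschap                              # sets Auth-Type MS-CHAP when MS-CHAP attributes are present
    ldap                                # looks the user up with the filter above
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap   # cleartext password present: verify by LDAP bind
        }
    }
}
authenticate {
    Auth-Type LDAP { ldap }             # EAP-TTLS/PAP: simple bind with the user's password
    Auth-Type MS-CHAP { mschap }        # PEAP/EAP-MSCHAPv2: NT-Response checked by ntlm_auth
}
```

    A PEAP request that reaches the LDAP path can never succeed, which is the "successful bind but no authentication" symptom from the original post.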



  • 3.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Jul 11, 2017 01:36 PM

    Hi arjan_k,


    I am using PEAP EAP-MSCHAPv2 and have the same issue. Which InstantOS version does this apply to? According to the Instant 6.5.2.0 User Guide, an external LDAP server is supported:

    instant6520.PNG

     

    Regards,

    Julián



  • 4.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    EMPLOYEE
    Posted Jul 11, 2017 02:12 PM

    I would save time and get an external RADIUS server. To use an LDAP server with MSCHAP, you need to (1) set up your LDAP server on the IAP, (2) enable Termination on your SSID, and (3) install an EAP-GTC client on all of your clients.

    You can avoid that by simply using an external RADIUS server; you would avoid having to install software on your clients, and an external RADIUS server would support machine authentication (EAP-GTC does not).



  • 5.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Jul 14, 2017 10:48 AM

    Hi arjan_k and Colin,


    Yeah, I was able to authenticate with PEAP-EAP MSCHAPv2 against AD using an external RADIUS server. However, the EAP offload feature must be enabled on the IAP in order for it to work:

    eapoffload.png


    What does it refer to with the outer and inner layers of the EAP protocol?


    Regards,

    Julián



  • 6.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    EMPLOYEE
    Posted Jul 14, 2017 10:57 AM

    You should not need to use EAP offload if you have an external RADIUS server.



  • 7.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Jul 14, 2017 11:22 AM

    Strange, because if I disable EAP offload it doesn't work, but if I enable EAP offload it does work. Also, the EAP offload feature description says:

    NOTE: AP termination is required when using LDAP for authentication, because LDAP doesn't support EAP.

    I am using a Windows Server 2012 with AD and NPS configured.


    Regards,

    Julián



  • 8.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Aug 22, 2017 02:02 PM

    Hi Tim and Colin,


    I have made this type of authentication on the customer side. The authentication is against an external RADIUS server with AD on it (Windows Server 2016), since the RADIUS server pulls the credentials from the AD. I have tried with termination enabled and disabled. With termination disabled it doesn't work; however, with termination enabled it works. Is this the expected behaviour?


    Regards,

    Julián



  • 9.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    EMPLOYEE
    Posted Aug 22, 2017 02:04 PM

    Can you please elaborate on what "doesn't work" means?



  • 10.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Aug 22, 2017 02:23 PM
    Yes, with "doesn't work" I mean I can't connect to the network, authentication fails.

    Regards,
    Julián


  • 11.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    EMPLOYEE
    Posted Aug 22, 2017 02:26 PM
    What do the logs show?


  • 12.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Aug 22, 2017 02:35 PM
    What commands could I use to get the logs?

    Regards,
    Julián


  • 13.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Aug 22, 2017 03:28 PM

    Hi Tim,


    I got the logs. Attached.


    Regards,

    Julián

    Attachment(s)

    unsuccessful.txt (685 B, 1 version)
    successful.txt (4 KB, 1 version)


  • 14.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    EMPLOYEE
    Posted Aug 22, 2017 03:30 PM
    Your RADIUS server is rejecting the auth. You'll need to look at the logs on the server to determine why.


  • 15.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Aug 23, 2017 09:42 AM

    Ok, thank you very much!



  • 16.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Apr 17, 2018 06:53 PM

    Hi guys,


    If someone is interested, I solved my issue. I found the following post:

    http://community.arubanetworks.com/t5/Controllerless-Networks/PEAP-authentication-failure-Reason-code-23/td-p/71530

    I am not sure, but I think the default certificate in the RADIUS server (NPS) I was using was not valid:

    old_cert.JPG

    I requested a new certificate for Domain Controller and now I can authenticate with EAP offload disabled:

    new_cert.JPG

    I am not sure, but it seems the default certificate I was using before is not valid for authenticating the server. So I had to enable EAP offload, which uses the Aruba IAP built-in certificate, which is valid for this purpose. After using the new certificate, I don't need to enable EAP offload. If someone can confirm this it would be great.


    Regards,

    Julián



  • 17.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication
    Best Answer

    EMPLOYEE
    Posted Apr 18, 2018 02:53 AM

    To be clear, the proper way to deploy 802.1X is to install and configure a RADIUS server and just point the IAP to it, by configuring a RADIUS server. EAP-Offload with LDAP is just a workaround from the distant past when people did not have a RADIUS server. Everyone who has a Windows Server can configure a RADIUS server with a server certificate, and should NOT be using EAP Offload with LDAP.

    Why?

    - EAP Offload has limitations like not being able to do machine authentication.

    - It forces you to configure an LDAP server, which does not have a lot of diagnostic information in a failure situation.

    - Depending on how the passwords are stored in the LDAP server, you cannot do EAP-PEAP, and that limits the type of clients you can connect when you configure EAP-OFFLOAD.

    I repeat, configure a Windows RADIUS Server and DO NOT configure Termination or EAP OFFLOAD on an IAP or an Aruba Controller.

    A detailed article on how to configure and deploy Windows NPS is here: https://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113



  • 18.  RE: IAP LDAP AAA WPA2 settings for windows server 2008 AD authentication

    Posted Apr 16, 2018 06:04 PM

    Hi Tim,


    It has been a long time since this post, but I didn't have time to run tests. I have made a test in my office with the same results. I have a Windows Server with AD configured, and I have configured the RADIUS role. When enabling EAP offload I can connect to the network, but when disabling EAP offload I can't. I have collected the IAP logs, and I have looked at the RADIUS server side, but I don't know the next step... Do you know the problem? I don't know how to check the EAP register files either. I have attached the IAP logs and a RADIUS server screenshot.


    Thanks in advance,

    Julián

    Attachment(s)

    ap_logs.txt (2 KB, 1 version)