Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

LDAP Authentication failed

  • 1.  LDAP Authentication failed

    Posted Sep 04, 2019 06:56 PM

    Good morning everyone,

    Thank you very much in advance and I hope you can help me.

    We currently have an Aruba controller and we want to authenticate through a captive portal that is connected to a Linux LDAP. The connection is successfully established but when we do the test with the aaa test-server pap testldap user and password command, the output of the command indicates that the authentication has failed.

    See configuration and command output.
    Cordially
    Andres Felipe Lopez G




  • 2.  RE: LDAP Authentication failed

    EMPLOYEE
    Posted Sep 04, 2019 07:11 PM

    Unless you have diagnostics on the ldap server to tell why it is not working, it is difficult on the controller side to tell why something is rejected, unfortunately.



  • 3.  RE: LDAP Authentication failed

    Posted Sep 04, 2019 07:20 PM

    Thanks for the answer, unfortunately I have no control over Linux, I will request it and share it.

    Cordially,
    Andres Felipe Lopez G



  • 4.  RE: LDAP Authentication failed

    EMPLOYEE
    Posted Sep 04, 2019 09:00 PM

    What you can do, is connect to your LDAP server using something like LDAP Browser to ensure that you have all of your parameters correct.



  • 5.  RE: LDAP Authentication failed

    Posted Sep 04, 2019 09:06 PM

    Yes, I have done it with several programs (LDAPEXPLORER, JXPLORER, LDAP.EXE) and it connects well, but authentication fails with the controller.

    Cordially
    Andres Felipe Lopez G



  • 6.  RE: LDAP Authentication failed

    EMPLOYEE
    Posted Sep 04, 2019 10:16 PM

    Did you connect with a username and password, or did you do an anonymous browse?  Quite frankly, it would be much easier with RADIUS if possible.



  • 7.  RE: LDAP Authentication failed

    Posted Sep 05, 2019 12:56 PM

    Hello,

    The connection was made with username and password. With RADIUS it would be easier, but the client refuses to mount a RADIUS on his server.

    Cordially
    Andres Felipe Lopez G



  • 8.  RE: LDAP Authentication failed

    Posted Sep 06, 2019 04:52 PM

    Good day,

    The client has already shared the LDAP server LOG. Is it possible to initiate a connection from the controller that does not use TLS?

    LOG:

    "[04/Sep/2019:16:07:15 -0500] EXTENDED RES conn=25374 op=0 msgID=1 name="StartTLS" oid="1.3.6.1.4.1.1466.20037" result=52 message="StartTLS cannot be enabled on this LDAP client connection because the corresponding LDAP connection handler is configured to reject StartTLS requests. The use of StartTLS can be enabled using the ds-cfg-allow-start-tls configuration attribute" etime=1"


    thank you
    Cordially
    Andres Felipe Lopez G



  • 9.  RE: LDAP Authentication failed

    EMPLOYEE
    Posted Sep 06, 2019 08:46 PM

    With your parameters, it should be in cleartext, so you might have hit a bug.  Ask the admin if they can run the LDAP daemon on port 389 (the default unencrypted LDAP port) and change the Aruba controller's LDAP port to 389 as well, then retry.



  • 10.  RE: LDAP Authentication failed

    Posted Sep 09, 2019 03:36 PM

    Good day,

    We are validating with the LDAP server administrator the possibility of changing the port to 389; meanwhile I have a question: have you had the opportunity to make the connection between a controller and an LDAP server without having a RADIUS server in the middle?


    I want to rule out whether it is possible or not to make this connection ...


    Cordially
    Andres Felipe Lopez G



  • 11.  RE: LDAP Authentication failed

    EMPLOYEE
    Posted Sep 09, 2019 04:23 PM

    Yes, but LDAP is only really good for Captive Portal.  If you use LDAP with 802.1x (encryption on wireless), you would have to install software (a supplicant) on most clients.  If you use RADIUS, you would not need LDAP to do Captive Portal or 802.1x.



  • 12.  RE: LDAP Authentication failed

    Posted Sep 09, 2019 04:52 PM

    Perfect, I am glad to know that it is possible; in my case I require it for the captive portal.

    I am still waiting for the administrator of the LDAP server, thank you very much for your help, I will be reporting the progress.

    Cordially
    Andres Felipe Lopez G



  • 13.  RE: LDAP Authentication failed

    Posted Sep 12, 2019 12:28 PM

    Good day,

    I can tell you that the provider that manages the LDAP service says it cannot do the port change, because there are other applications currently operating in production on that service.

    I have a question. What I understand is that the controller is trying to establish a TLS connection on port 1636; however, the LDAP service does not have it enabled and therefore the connection test cannot be established. If I am correct, is there any way to tell the controller not to initiate a secure connection?

    What I see is that the controller, simply by changing the port to 1636, thinks it is a secure connection, but it is not, and that is why the connection test fails. The problem is that if I change the port on the controller to 389, the LDAP service is listening for requests through port 1636 and the connection would never occur.

    Thank you very much for your help, I hope I can find another way to make this connection.

    Cordially,
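The log in post 8 and the question in post 13 come down to one thing: what the listener on port 1636 actually expects. A port can speak LDAPS (TLS from the first byte), accept a StartTLS extended operation on a cleartext connection, or be cleartext only; the server's log shows the second case being refused with LDAP result 52, which RFC 4511 names "unavailable". The following script is an added example and is not code from this thread, from HPE Aruba, or from the directory server vendor. It uses only the Python standard library, builds the StartTLS extended request itself (the same OID 1.3.6.1.4.1.1466.20037 seen in the log), decodes the server's response code, and also extracts the result from a DSEE/OpenDJ-style access log line like the one posted. The hostname is a placeholder you replace with your own directory server; the default port 1636 is taken from the thread.

```python
"""Classify an LDAP listener as LDAPS, StartTLS-capable, or plaintext-only,
and explain a refused StartTLS request. Added example, stdlib only."""
import re
import socket
import ssl
import sys

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

# Subset of LDAP result codes (RFC 4511, Appendix A) seen in bind/StartTLS failures.
LDAP_RESULT_NAMES = {0: "success", 2: "protocolError", 7: "authMethodNotSupported",
                     13: "confidentialityRequired", 49: "invalidCredentials",
                     52: "unavailable", 53: "unwillingToPerform"}


def _ber_len(n: int) -> bytes:
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode("ascii")))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf: bytes):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got protocolOp tag {tag:#x}")
    _, code, pos = _read_tlv(op, 0)        # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)  # matchedDN
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def parse_access_log_result(line: str):
    """(operation name, result code) from a DSEE/OpenDJ-style access log line, or None."""
    name = re.search(r'name="([^"]+)"', line)
    result = re.search(r"\bresult=(\d+)", line)
    if not result:
        return None
    return (name.group(1) if name else None, int(result.group(1)))


def probe_ldap_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Say what the listener on host:port expects; read-only, one request per connection."""
    ctx = ssl.create_default_context()  # verification stays on: a bad cert is reported, not hidden
    try:
        with socket.create_connection((host, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ldaps ({tls.version()}, certificate trusted)"
    except ssl.SSLCertVerificationError as e:
        return f"ldaps (certificate NOT trusted: {e.verify_message})"
    except (ssl.SSLError, OSError):
        pass  # no TLS handshake on connect, so not LDAPS; try StartTLS in cleartext
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_starttls_request())
        data = sock.recv(4096)
    code, diag = parse_extended_response(data)
    if code == 0:
        return "starttls (server accepted the StartTLS extended request)"
    name = LDAP_RESULT_NAMES.get(code, "unknown")
    return f"plaintext-only (StartTLS refused with result {code} {name}: {diag})"


# Constructed sample response carrying result 52, the code shown in the thread's log.
SAMPLE_STARTTLS_REJECTED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x34") + _tlv(0x04, b"")
    + _tlv(0x04, b"StartTLS cannot be enabled on this LDAP client connection")))

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.internal"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1636
    print(probe_ldap_port(host, port))
```

Run it as `python probe.py <your-ldap-host> 1636` against your own directory server. If it reports `ldaps`, the controller must be configured for LDAP over TLS on that port; if it reports `plaintext-only` with result 52, you are seeing exactly what the posted log shows, and the fix lives on the server side (allow StartTLS, or expose the cleartext port) or on the controller side (do not request StartTLS). Certificate verification is deliberately left on, because a directory that presents an untrusted certificate is a separate problem worth surfacing rather than silencing.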