Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Macs can Authenticate, windows cannot

  • 1.  Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 10:50 AM

    Hey all,

    First time posting on here and I haven't been able to find a solution to this issue. I'm new to our Aruba environment so I apologize for any errors.

     

    I'm a network tech working in a district that has two wireless controllers (6000s). Previously they were set up redundantly as primary/secondary and handled all access points on all sites. Now we've set up what was the secondary controller as the primary on another site. 

     

    Before we moved the controller both Windows and Mac machines could authenticate using 802.1x/PEAP MSCHAP. Now Windows machines can ONLY authenticate on the controller that was NOT moved. Our 2nd site, which now has its own wireless controller, allows Mac machines to authenticate but not Windows machines. I've made sure that the Windows machines trust the certificate and that within the controller "enforce machine authentication" is unchecked. Both controllers were set up by a network engineer hired from outside our organization, so I'm not sure what he did differently when setting up the second controller as another primary. I've looked around the Airheads forums and haven't found a thread with the answer.

     

    Any and all help is appreciated.



  • 2.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 11:12 AM

    What is the RADIUS source for this network?  What do the logs on the RADIUS server say for the Windows clients vs. the Macs?



  • 3.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 11:38 AM

    I just found out that my RADIUS server (IAS) wasn't set to log locally. So I suppose I'll have to wait to answer your question until I get some events logged now that I've set it up.... Sorry about that 



  • 4.  RE: Macs can Authenticate, windows cannot

    EMPLOYEE
    Posted Jun 20, 2014 11:42 AM

    Bnewtonus,

     

    You should not have to log locally.  It should all show up in the Event Viewer....



  • 5.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 12:34 PM

    Okay, out of Event Viewer this is what I get when I try to log in from site 2 on a Windows machine:

    User bnewton was denied access.
     Fully-Qualified-User-Name = usd260.local/ESC/ESC/CSD/BNewton
     NAS-IP-Address = 192.168.0.6
     NAS-Identifier = Dot1X-HS
     Called-Station-Identifier = 000B86143C80
     Calling-Station-Identifier = 00215C7DF81F
     Client-Friendly-Name = DHS-Wifi
     Client-IP-Address = 172.18.128.241
     NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = 0

     

     

    When I set up a log file, here is what I get: 

     

    192.168.0.6,bnewton,06/20/2014,11:29:52,IAS,DC1,4128,DHS-Wifi,4,192.168.0.6,5,0,32,Dot1X-HS,61,19,31,00215C7DF81F,30,000B86143C80,6,1,12,1100,26,0x000039E70508555344323630,26,0x000039E706104448532D453130302D4150323236,26,0x000039E70A05444853,26,0x000039E70C02,4108,172.18.128.241,4116,0,4155,1,4154,Use Windows authentication for all users,4129,USD260\bnewton,4149,Dot1X-Internet-1-HS,25,311 1 172.18.0.19 06/19/2014 01:30:12 27275,4127,11,4130,usd260.local/ESC/ESC/CSD/BNewton,4136,1,4142,0
    192.168.0.6,bnewton,06/20/2014,11:29:52,IAS,DC1,4128,DHS-Wifi,25,311 1 172.18.0.19 06/19/2014 01:30:12 27275,4127,11,4130,usd260.local/ESC/ESC/CSD/BNewton,4149,Dot1X-Internet-1-HS,4129,USD260\bnewton,4154,Use Windows authentication for all users,4155,1,4116,0,4108,172.18.128.241,4136,3,4142,16

     

     

    Not sure if that is any help!
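
    An added example (editor's code, not from the thread, HPE Aruba or Microsoft): a Python parser for the IAS-format records posted above. The two records are the ones from the post, re-joined onto one line each. The format is six fixed columns followed by attribute-ID,value pairs; 4136 is Packet-Type (1 = Access-Request, 3 = Access-Reject) and 4142 is Reason-Code, where 16 is the IAS "credentials mismatch" code that produces the Event Viewer text quoted further down the thread. The attribute 26 values are Vendor-Specific attributes for vendor 14823 (Aruba); the type names assume Aruba's RADIUS dictionary and should be checked against your ArubaOS version. The reason-code table is a subset.

```python
"""Parse Windows IAS/NPS "IAS format" log records and pick out the rejects.

Layout: six fixed leading columns (NAS-IP-Address, User-Name, Record-Date,
Record-Time, Service-Name, Computer-Name) followed by attribute-ID,value pairs.
"""
import csv

FIXED_COLUMNS = ("nas_ip", "user_name", "date", "time", "service", "computer")

# IAS attribute IDs that appear in the records above: standard RADIUS IDs are
# below 4000, IAS-internal IDs are in the 4xxx range.
ATTRIBUTE_NAMES = {
    "4": "NAS-IP-Address", "5": "NAS-Port", "6": "Service-Type", "12": "Framed-MTU",
    "25": "Class", "26": "Vendor-Specific", "30": "Called-Station-Id",
    "31": "Calling-Station-Id", "32": "NAS-Identifier", "61": "NAS-Port-Type",
    "4108": "Client-IP-Address", "4116": "NAS-Manufacturer",
    "4127": "Authentication-Type", "4128": "Client-Friendly-Name",
    "4129": "SAM-Account-Name", "4130": "Fully-Qualified-User-Name",
    "4136": "Packet-Type", "4142": "Reason-Code", "4149": "NP-Policy-Name",
    "4154": "Proxy-Policy-Name", "4155": "Provider-Type",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAPv2",
              "5": "EAP", "11": "PEAP"}
REASON_CODES = {  # subset of the IAS/NPS reason codes
    "0": "success",
    "16": "credentials mismatch: unknown user name or incorrect password",
    "36": "account locked out",
    "48": "no network policy matched",
}
# Vendor-Specific attributes: vendor 14823 is Aruba; type numbers follow Aruba's
# RADIUS dictionary (assumed here; verify against your ArubaOS version).
ARUBA_VENDOR_ID = 14823
ARUBA_VSA_TYPES = {5: "Aruba-Essid-Name", 6: "Aruba-Location-Id",
                   10: "Aruba-AP-Group", 12: "Aruba-Device-Type"}


def decode_vsa(hex_value):
    """Decode an IAS hex-encoded Vendor-Specific attribute: 4-byte vendor ID,
    then vendor type, vendor length (counting itself and the type) and data."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    vendor = int.from_bytes(raw[:4], "big")
    vtype, vlen = raw[4], raw[5]
    data = raw[6:4 + vlen].decode("ascii", errors="replace")
    if vendor == ARUBA_VENDOR_ID:
        return ARUBA_VSA_TYPES.get(vtype, f"Aruba-type-{vtype}"), data
    return f"vendor-{vendor}-type-{vtype}", data


def parse_record(line):
    """Split one IAS-format record into the fixed columns plus a name->value map."""
    fields = next(csv.reader([line]))
    rec = dict(zip(FIXED_COLUMNS, fields[:6]))
    attrs = {}
    for attr_id, value in zip(fields[6::2], fields[7::2]):
        name = ATTRIBUTE_NAMES.get(attr_id, f"attr-{attr_id}")
        if name == "Vendor-Specific":
            name, value = decode_vsa(value)
        attrs[name] = value
    rec["attrs"] = attrs
    return rec


def summarize(rec):
    """Reduce a record to the fields worth looking at for an 802.1X failure."""
    a = rec["attrs"]
    return {
        "packet": PACKET_TYPES.get(a.get("Packet-Type"), a.get("Packet-Type")),
        "auth": AUTH_TYPES.get(a.get("Authentication-Type"), a.get("Authentication-Type")),
        "reason": REASON_CODES.get(a.get("Reason-Code"), a.get("Reason-Code")),
        "user": a.get("Fully-Qualified-User-Name", rec["user_name"]),
        "client_mac": a.get("Calling-Station-Id"),
        "essid": a.get("Aruba-Essid-Name"),
        "ap": a.get("Aruba-Location-Id"),
        "policy": a.get("NP-Policy-Name"),
    }


def rejects(lines):
    """Yield summaries of the Access-Reject records, i.e. the denials Event Viewer reports."""
    for line in lines:
        if line.strip():
            s = summarize(parse_record(line))
            if s["packet"] == "Access-Reject":
                yield s


# The two records from the post above, re-joined onto one line each (the forum
# software wrapped them); a raw string keeps the backslash in USD260\bnewton.
SAMPLE_LOG = r"""
192.168.0.6,bnewton,06/20/2014,11:29:52,IAS,DC1,4128,DHS-Wifi,4,192.168.0.6,5,0,32,Dot1X-HS,61,19,31,00215C7DF81F,30,000B86143C80,6,1,12,1100,26,0x000039E70508555344323630,26,0x000039E706104448532D453130302D4150323236,26,0x000039E70A05444853,26,0x000039E70C02,4108,172.18.128.241,4116,0,4155,1,4154,Use Windows authentication for all users,4129,USD260\bnewton,4149,Dot1X-Internet-1-HS,25,311 1 172.18.0.19 06/19/2014 01:30:12 27275,4127,11,4130,usd260.local/ESC/ESC/CSD/BNewton,4136,1,4142,0
192.168.0.6,bnewton,06/20/2014,11:29:52,IAS,DC1,4128,DHS-Wifi,25,311 1 172.18.0.19 06/19/2014 01:30:12 27275,4127,11,4130,usd260.local/ESC/ESC/CSD/BNewton,4149,Dot1X-Internet-1-HS,4129,USD260\bnewton,4154,Use Windows authentication for all users,4155,1,4116,0,4108,172.18.128.241,4136,3,4142,16
""".strip().splitlines()
```

    Running `rejects()` over a whole IN*.log file and grouping the output by `client_mac` shows which clients are being refused, on which ESSID and AP, and with which reason code. As this thread goes on to show, reason 16 on its own did not identify the cause here, so the server-side reject has to be read together with what the supplicant does with the server certificate.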



  • 6.  RE: Macs can Authenticate, windows cannot

    EMPLOYEE
    Posted Jun 20, 2014 12:37 PM

    You have to go all the way to the bottom to the event viewer message to see the reason why the user was denied.

     



  • 7.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 12:50 PM

    Sorry about that. Reason: "Authentication was unsuccessful because an unknown username or incorrect password was used." 

     

    This doesn't make sense to me, since I'm logging into the same domain with the same SSID we use at the other sites. At the other sites that are on the first controller I can use Windows or Mac. Here I can only use Mac. 



  • 8.  RE: Macs can Authenticate, windows cannot

    EMPLOYEE
    Posted Jun 20, 2014 12:54 PM

    Check to make sure that the FQDN username that the controller sees in the event viewer and the AD username are the same.  It is possible that your Windows computer is adding something to the username that makes it not work.  Check the whole eventviewer message and look to see if all of the parameters make sense.  Also make sure that the username is in the OU in AD that it says it is.  If not, that means that the user does not exist for some reason.

     

    These are all guesses.



  • 9.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 02:09 PM

    I haven't checked that, cjoseph. I will. Thanks.



  • 10.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 02:39 PM

    Despite what the error is saying about username/password, can you have the client not validate the server certificate/unchecked?   Also, on the 2nd controller, check to see if termination is enabled in the dot1x profile and what certificate it is using if so. 



  • 11.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 03:50 PM

    Termination is not enabled in the dot1x profile. I checked that after seeing some other posts here. I'll have to try to log in without having the client validate the cert on Monday. Thanks for your help thus far, gents.



  • 12.  RE: Macs can Authenticate, windows cannot

    Posted Jun 23, 2014 11:11 AM

    Okay gents, great success! When I uncheck "validate server certificate" in the wireless network settings I am able to connect. I guess I'm not understanding why the certificate can't be validated on Windows machines but it can on Mac machines.

     

     

    Thanks



  • 13.  RE: Macs can Authenticate, windows cannot

    EMPLOYEE
    Posted Jun 23, 2014 11:14 AM

    Is your RADIUS certificate signed by a public CA, internal CA or self-signed? 

     

    You should avoid configuring your clients to not check the server certificate. You are severely compromising credentials when configured this way.



  • 14.  RE: Macs can Authenticate, windows cannot

    Posted Jun 23, 2014 11:51 AM

    For the controllers we have used a CA (GeoTrust) but it looks like our RADIUS server uses a self-signed cert. When I use the "connect to these servers" after telling the network EAP properties to validate the certificate and I enter the cert name into that box it works. The name I'm entering is the cert I'm seeing in the Mac Keychain Access as trusted.  Why would Macs automatically find that cert and trust it, and Windows machines wouldn't, but ONLY on a certain controller? Is there a setting within the controller that pushes that cert out to Windows machines as trusted?

     

     My apologies for any confusion I'm very new to this network. 



  • 15.  RE: Macs can Authenticate, windows cannot

    EMPLOYEE
    Posted Jun 23, 2014 01:31 PM

    Could one of your controllers be pointed at another RADIUS server?



  • 16.  RE: Macs can Authenticate, windows cannot

    Posted Jun 23, 2014 01:53 PM

    I actually wondered the same thing. I opened each controller side-by-side and saw that both controllers were pointing to the same RADIUS servers under the Configuration-->Authentication--->Servers--->Radius Servers area. Also, if it was an issue with the controller pointing to the wrong RADIUS server, wouldn't that mean that no machines could connect, Macs included?



  • 17.  RE: Macs can Authenticate, windows cannot
    Best Answer

    Posted Jun 23, 2014 03:06 PM

    @bnewtonusd260 wrote:

    Okay gents, great success! When I uncheck "validate server certificate" in the wireless network settings I am able to connect. I guess I'm not understanding why the certificate can't be validated on Windows machines but it can on Mac machines.

     

    Why would Macs automatically find that cert and trust it, and Windows machines wouldn't, but ONLY on a certain controller? Is there a setting within the controller that pushes that cert out to Windows machines as trusted?

     


    Every OS behaves differently when being presented with a certificate from a RADIUS server on 802.1X authentication.   Some prompt to accept (and it remembers your selection) and others don't prompt by default (some versions of Windows).

     

    The fact that you can connect when unchecking or connect when specifying the cert name simply means the client did not trust the certificate it was presented by the RADIUS server.   I agree with Tim, unchecking this is NOT a solution, it was merely a test to see if the certificate was the problem (which it seems to be).   The controller has no play in this with regards to pushing the certificate out.    Windows supplicants are a little bit more difficult when it comes to this.   You can manually configure your settings; but most Windows environments will use Group Policy to push out the settings appropriate for your network. You can also use tools like ClearPass QuickConnect to push the settings out for you.

     

    To add to your last question.  If both controllers are using the same NPS server and these clients worked before, do you by chance have two different NPS policies being hit on the Windows server that are using 2 different EAP certificates?

     

    Lastly, I'd suggest you push your Windows configs where you can with GPO or QuickConnect to enforce the validate server certificate and specify the proper certificate, etc.
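
    The warning in reply 13, the "connect to these servers" box in reply 14 and the GPO recommendation above all come down to three settings in the Windows PEAP profile: the server certificate is validated, the issuing root CA is pinned, and the accepted server names are restricted. An added example (editor's code, not from the thread, HPE Aruba or Microsoft): a Python audit of a wireless profile as exported by `netsh wlan export profile name="DHS-Wifi" folder=C:\temp`, which flags a profile that still has the thread's workaround applied. The two embedded profiles are constructed for the example and reduced to the elements the audit reads; `radius.usd260.local` and the thumbprint are placeholders, not values from the thread. Treating an absent PerformServerValidation element as "unchecked" is this example's conservative assumption.

```python
r"""Audit an exported Windows wireless profile for PEAP server-certificate validation.

Export the profile on a client with
    netsh wlan export profile name="DHS-Wifi" folder=C:\temp
and pass the XML text to audit_peap_profile().
"""
import xml.etree.ElementTree as ET

NS_PEAP_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
NS_PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"


def _text(parent, tag, ns):
    """Text of a namespaced child element: '' if empty, None if absent."""
    node = parent.find(f"{{{ns}}}{tag}")
    return None if node is None else (node.text or "").strip()


def audit_peap_profile(xml_text):
    """Return findings for a PEAP profile; an empty list means validation is enforced."""
    root = ET.fromstring(xml_text)
    peap = root.find(f".//{{{NS_PEAP_V1}}}EapType")
    if peap is None:
        return ["no PEAP (EAP type 25) configuration in this profile"]
    findings = []
    ext = peap.find(f"{{{NS_PEAP_V1}}}PeapExtensions")
    # The 'Validate server certificate' checkbox; absent is treated as unchecked (assumption).
    if ext is None or _text(ext, "PerformServerValidation", NS_PEAP_V2) != "true":
        findings.append("server certificate validation is off (PerformServerValidation != true)")
    sv = peap.find(f"{{{NS_PEAP_V1}}}ServerValidation")
    if sv is None:
        findings.append("no ServerValidation element: no root CA or server name pinned")
        return findings
    if not _text(sv, "TrustedRootCA", NS_PEAP_V1):
        findings.append("no TrustedRootCA thumbprint: any root in the machine store is accepted")
    if not _text(sv, "ServerNames", NS_PEAP_V1):
        findings.append("ServerNames empty: any server certificate from a trusted root is accepted")
    if _text(sv, "DisableUserPromptForServerValidation", NS_PEAP_V1) != "true":
        findings.append("users can click through the prompt for an untrusted server certificate")
    return findings


def make_profile(ssid, validate, server_names, root_ca_thumbprint):
    """Constructed WLANProfile in the layout netsh exports, reduced to what the audit reads."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="{NS_PEAP_V1}">
              <ServerValidation>
                <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                <ServerNames>{server_names}</ServerNames>
                <TrustedRootCA>{root_ca_thumbprint}</TrustedRootCA>
              </ServerValidation>
              <PeapExtensions>
                <PerformServerValidation xmlns="{NS_PEAP_V2}">{str(validate).lower()}</PerformServerValidation>
                <AcceptServerName xmlns="{NS_PEAP_V2}">true</AcceptServerName>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


# What the thread's workaround leaves behind: validation unchecked, nothing pinned.
WEAK_PROFILE = make_profile("DHS-Wifi", False, "", "")
# What the best answer recommends pushing by GPO. Server name and thumbprint are
# placeholders: use the RADIUS certificate's subject and its root CA's SHA-1.
HARDENED_PROFILE = make_profile(
    "DHS-Wifi", True, "radius.usd260.local",
    "a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4")
```

    Run `audit_peap_profile()` over the exported XML from each client; an empty list is the state the GPO should enforce. `ServerNames` is the "connect to these servers" value, and `TrustedRootCA` is the thumbprint of the root that issued the RADIUS certificate, so with a self-signed RADIUS certificate (as in reply 14) that certificate itself has to be in the clients' Trusted Root Certification Authorities store before a validating profile will connect.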



  • 18.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 01:00 PM

    Have you tried this with more than one Windows machine?   If the wireless profile on Windows is set to "Automatically use my Windows logon name and password", is there a chance the user is logged in with an older password (cached locally)?   Can you uncheck this field and the "Remember my credentials for this connection" option and see if you get the same failure when manually typing in the username/password combination?



  • 19.  RE: Macs can Authenticate, windows cannot

    Posted Jun 20, 2014 02:00 PM

    I have tried it on several different windows machines. I also have made sure that the "Automatically use my Windows logon name and password" is unchecked. I also was manually putting in credentials each time. I made sure it wasn't remembering past credentials.