Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Setting up basic user authentication to active directory (via radius)

  • 1.  Setting up basic user authentication to active directory (via radius)

    Posted Apr 08, 2015 09:51 PM

     Using Aruba 6.3.1.15

     

    Trying to set up a basic user-only auth (to AD) wifi network.  The radius side is fine as I have gone through the AAA test.

     

    But when a client tries to connect it asks for the username and password, but then just says it is unable to connect.

     

    I am new to Aruba so I am probably missing something basic.  Any step-by-step guide out there or places to check where I may have gone wrong?

     

     



  • 2.  RE: Setting up basic user authentication to active directory (via radius)

    EMPLOYEE
    Posted Apr 08, 2015 09:53 PM

    The controller is EAP agnostic. The issue is likely between the client and the RADIUS server.

     

    Which RADIUS platform are you using?

    Did you install a server certificate on the RADIUS server?

    Does the client have the Root CA that signed the RADIUS server certificate?



  • 3.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 08, 2015 10:07 PM

    Windows 2008 R2 server for radius

     

    Ideally, for this test network they want it with minimal issues for the user (so only minimal use of certs).  The aim is ease of use rather than security.

     

    Server does have a cert.  When the client is trying to connect, it asks to accept the cert but then says unable to connect.



  • 4.  RE: Setting up basic user authentication to active directory (via radius)
    Best Answer

    EMPLOYEE
    Posted Apr 08, 2015 11:22 PM

    Please take a look at the document here:

     

     http://community.arubanetworks.com/aruba/attachments/aruba/115/6113/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

     

    ...to see how to set things up.  



  • 5.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 08, 2015 11:29 PM

    Thanks, will take a look.

     

    I am fairly sure I know the answer to this, but is there any way in which clients can connect to a wifi network with their Active Directory details without the use of any certs?

     

    Thanks again



  • 6.  RE: Setting up basic user authentication to active directory (via radius)

    EMPLOYEE
    Posted Apr 08, 2015 11:39 PM

    At minimum, your RADIUS server needs a certificate, even when authenticating usernames and passwords.  That is as per the standard.  It is in the document.



  • 7.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 09, 2015 12:16 AM

    Just looking through the document.

     

    Are there any issues with the RADIUS server not sitting on a domain controller?  We ideally want the RADIUS server to be a different server from our DCs.

     

    Is that asking for problems down the line?



  • 8.  RE: Setting up basic user authentication to active directory (via radius)

    EMPLOYEE
    Posted Apr 09, 2015 12:17 AM

    It only has to be a domain member.  No problems down the line.



  • 9.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 09, 2015 12:23 AM

    Cool, that is what I thought.

     

    Set up a new server just running radius.  (It is on the domain.)

     

    I have set up radius and gone through the certificate part of the document and all went as expected.

     

    Now when using the connection on the AAA Test Server it says AAA server timeout.  I will recheck the radius settings.  Hopefully it is just a typo.

     



  • 10.  RE: Setting up basic user authentication to active directory (via radius)

    EMPLOYEE
    Posted Apr 09, 2015 12:24 AM

    Check to make sure you have the controller listed as a radius client, with the correct radius secret.



  • 11.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 09, 2015 05:06 PM

    Okay, so I have a new server in the domain that I have set up as a Network Policy Server (following the document).  This server is not a DC, but is in the domain.

     

    When it comes to the AAA Test Server process, it is just stating AAA server timeout.

     

    Any thoughts on what I may have missed?



  • 12.  RE: Setting up basic user authentication to active directory (via radius)

    EMPLOYEE
    Posted Apr 09, 2015 05:08 PM
    Are there any firewalls between the controller and the NPS server?


  • 13.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 09, 2015 05:25 PM

    All firewall settings on the server are off.  Nothing between controller and server.



  • 14.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 09, 2015 06:48 PM

    Resolved the AAA Test Server problem.  It was down to DNS.

     

    But still have the existing issue whereby a client attempts to connect, it asks for the username and password and then says that it is unable to join the network.

     

    I probably have a setting wrong somewhere in the setup.  Any thoughts on the best place to look?



  • 15.  RE: Setting up basic user authentication to active directory (via radius)

    EMPLOYEE
    Posted Apr 09, 2015 07:29 PM
    Take a look in the event viewer in NPS and search for the MAC address.


    Thanks,
    Tim


  • 16.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 09, 2015 08:59 PM

    Right, more or less got it sorted.  Issue was that while the main controller was set up as a Radius client, the backup controller was not.  And the test AP was working off the backup controller.

     

    So now clients can connect and join the network and all is working.  The only remaining issue is that the certs that the clients have to accept are 'not verified'.

     

    This is the same issue if it is the aruba cert from the controller or the server cert from the radius server.

     

    I am thinking the best option would be to load a cert onto the controller!  Thoughts?
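
The NPS-side checks suggested in this thread (search the NPS events for the client MAC, and confirm every controller is a RADIUS client with the right secret) can be done from PowerShell on the NPS server. This is an added example, not part of the thread or the linked document; the MAC address and the four-hour window are constructed sample values.

```powershell
# Added example (not from the thread). Run on the NPS server in an elevated session.
# $ClientMac is a constructed sample value; use the MAC of the client being tested.
$ClientMac = '00:11:22:AA:BB:CC'
$Since     = (Get-Date).AddHours(-4)

# The controller may send Calling-Station-Id with ':', '-', '.' or no separators,
# so match the same 12 hex digits with an optional separator between octets.
$hex = $ClientMac -replace '[^0-9A-Fa-f]', ''
if ($hex.Length -ne 12) { throw "Expected 12 hex digits in MAC, got '$ClientMac'" }
$octets     = for ($i = 0; $i -lt 12; $i += 2) { $hex.Substring($i, 2) }
$macPattern = $octets -join '[-:.]?'

# Security log: 6272 = access granted, 6273 = access denied, 6274 = request discarded.
# These are written only when Network Policy Server auditing is enabled.
$authFilter = @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $Since }
Get-WinEvent -FilterHashtable $authFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $macPattern } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{
        Name       = 'Reason'
        Expression = { if ($_.Message -match '(?m)^\s*Reason:\s*(.+)$') { $Matches[1].Trim() } }
    } |
    Format-Table -AutoSize -Wrap

# System log, source NPS: 13 = request from an address that is not a configured
# RADIUS client, 18 = Message-Authenticator not valid (shared secret mismatch).
# NPS silently discards these requests, so nothing shows up in the Security log.
$clientFilter = @{ LogName = 'System'; Id = 13, 18; StartTime = $Since }
Get-WinEvent -FilterHashtable $clientFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'NPS' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the first query returns nothing for the client while the second shows event 13 from a controller address, that controller is missing from the RADIUS client list on NPS.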



  • 17.  RE: Setting up basic user authentication to active directory (via radius)

    EMPLOYEE
    Posted Apr 09, 2015 09:02 PM
    The not verified will always come up the first time a user connects to the network. The only way to bypass that is to configure network settings via group policy or manually configure the clients locally.


    Thanks,
    Tim


  • 18.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 09, 2015 09:10 PM

    Fair enough.  Only really an issue from windows machines as it prompts a number of times before it goes through.  All other devices (mobile phones and ipads) it is just the once.



  • 19.  RE: Setting up basic user authentication to active directory (via radius)

    EMPLOYEE
    Posted Apr 09, 2015 09:22 PM
    On Windows, it will try machine, then user, which is why you see it multiple times.


    Thanks,
    Tim


  • 20.  RE: Setting up basic user authentication to active directory (via radius)

    Posted Apr 09, 2015 11:21 PM

    Thanks for all the help.  Will continue with testing and no doubt come back if I run into anything else.  Cheers