Hi,
I'm trying to set up a RAP-2WG so that we can use the e0/1 port for wired access on our LAN.
I have successfully configured the relevant profiles so that this can be done without a AAA Profile.
I now want to get the client to authenticate itself before any access is allowed. And this is where I'm having the problems.
We're using Microsoft NPS for the RADIUS server. It's the same server that authenticates our wireless users.
I've set up a new Connection Request Policy and a Network Policy.
The Connection Policy has a condition of NAS Port Type - VPN or Ethernet
The Network Policy has a condition of NAS Port Type - VPN or Ethernet and Windows Groups - Domain user or Domain computers.
Authentication method is Microsoft PEAP with EAP or MS-CHAP v2.
I have set up the profiles for AAA. I have a AAA profile called "Wired" and in that I have an 802.1x profile called "Wired" along with the 802.1x server group named "Wired".
The server group has the server "Wired" which points to the IP of the NPS server.
The 802.1x profile is pretty much default, only I have set termination parameters to enabled and selected eap-peap and eap-mschapv2. (If this isn't selected then the NPS server doesn't even see the requests.)
I have then assigned the AAA profile to the ethernet interface port 1 configuration in the AP group that the RAP is located in.
My client always fails to authenticate. The client is set to PEAP, remember credentials, EAP-MSCHAPv2, enable fast reconnect and ticked, automatically use Windows logon if any. In advanced, computer authentication is specified.
This is the output from the Aruba controller, and the debug below that:
Aug 22 11:12:57 station-up * 2c:76:8a:db:65:10 01:80:c2:00:00:03 - - open system
Aug 22 11:12:57 station-up * 2c:76:8a:db:65:10 01:80:c2:00:00:03 - - wired station
Aug 22 11:12:57 station-term-start * 2c:76:8a:db:65:10 01:80:c2:00:00:03 101 -
Aug 22 11:12:57 eap-term-start -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:12:57 station-term-start * 2c:76:8a:db:65:10 01:80:c2:00:00:03 101 -
Aug 22 11:13:02 client-finish -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:13:02 server-finish <- 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:13:02 server-finish-ack -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:13:02 inner-eap-id-req <- 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:13:02 inner-eap-id-resp -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - - host/LT19515.*****************
Aug 22 11:13:02 eap-mschap-chlg <- 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:13:02 eap-mschap-response -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired 9 49
Aug 22 11:13:02 mschap-request -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired 9 - host/LT19515.*****************
Aug 22 11:13:02 mschap-response <- 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - - host/LT19515.*****************
Aug 22 11:13:02 eap-mschap-chlg-retry <- 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:12:57 :522035: <INFO> |authmgr| MAC=2c:76:8a:db:65:10 Station UP: BSSID=01:80:c2:00:00:03 ESSID=n/aVLAN=101 AP-name=Bayman_BCH
Aug 22 11:13:02 :522042: <NOTI> |authmgr| User Authentication Failed: username=host/LT19515.******************** MAC=2c:76:8a:db:65:10 IP=0.0.0.0 auth method=802.1x auth server=Wired
Any help is appreciated. Have been severely banging my head against a wall. (the stars in the output have been inserted in place of my domain)
Thanks
Ian
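
For reading a trace like the one in this post, an added example (not part of the original post and not Aruba code): a small Python parser that groups the trace events per client MAC and reports the last EAP stage reached before the authmgr failure notice. The column layout, the stage grouping, and the reading of `server-finish-ack` as the end of the TLS handshake are assumptions inferred from the lines shown above.

```python
import re

# Lines copied from the post's output (identity already masked by the poster).
TRACE = """\
Aug 22 11:12:57 station-up * 2c:76:8a:db:65:10 01:80:c2:00:00:03 - - wired station
Aug 22 11:13:02 server-finish-ack -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:13:02 inner-eap-id-resp -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - - host/LT19515.*****************
Aug 22 11:13:02 mschap-request -> 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired 9 - host/LT19515.*****************
Aug 22 11:13:02 mschap-response <- 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - - host/LT19515.*****************
Aug 22 11:13:02 eap-mschap-chlg-retry <- 2c:76:8a:db:65:10 01:80:c2:00:00:03/Wired - -
Aug 22 11:13:02 :522042: <NOTI> |authmgr| User Authentication Failed: username=host/LT19515.******************** MAC=2c:76:8a:db:65:10 IP=0.0.0.0 auth method=802.1x auth server=Wired
"""
# Assumed layout: timestamp, event, direction, client MAC, BSSID[/profile], two fields, optional text.
EVENT_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} +([a-z0-9-]+) +(\*|->|<-) +([0-9a-f:]{17}) +\S+ +\S+ +\S+(?: +(.*))?$")
FAIL_RE = re.compile(r"User Authentication Failed: username=\S+ MAC=([0-9a-f:]{17}).*auth server=(\S+)")
# Assumed grouping of the event names seen in the post into coarse stages.
STAGES = {
    "link": {"station-up", "station-term-start"},
    "tls": {"eap-term-start", "client-finish", "server-finish", "server-finish-ack"},
    "inner-identity": {"inner-eap-id-req", "inner-eap-id-resp"},
    "mschapv2": {"eap-mschap-chlg", "eap-mschap-response", "mschap-request",
                 "mschap-response", "eap-mschap-chlg-retry"},
}
STAGE_OF = {ev: stage for stage, evs in STAGES.items() for ev in evs}

def analyze(text):
    """Return {mac: summary} for every client MAC seen in the trace."""
    sessions = {}
    def session(mac):
        return sessions.setdefault(mac, {"events": [], "identity": None, "failed_on": None})
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            event, _direction, mac, rest = m.groups()
            session(mac)["events"].append(event)
            if event == "inner-eap-id-resp" and rest:
                session(mac)["identity"] = rest.strip()  # inner identity the client offered
        elif (f := FAIL_RE.search(line)):
            session(f.group(1))["failed_on"] = f.group(2)  # server named in the failure notice
    for s in sessions.values():
        known = [STAGE_OF[e] for e in s["events"] if e in STAGE_OF]
        s["last_stage"] = known[-1] if known else None
        s["tls_done"] = "server-finish-ack" in s["events"]       # assumption: handshake finished
        s["server_replied"] = "mschap-response" in s["events"]   # assumption: reply was logged
    return sessions

if __name__ == "__main__":
    for mac, s in analyze(TRACE).items():
        print(mac, s["last_stage"], s["tls_done"], s["server_replied"], s["failed_on"])
```

On the post's lines this reports a last stage of `mschapv2`, with the TLS handshake events present and an `mschap-response` logged before the failure notice for server `Wired`.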