Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

No the option for validating certificates is not enabled.

Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Okay.

 

For some reason, your wired 802.1x profile is not working with the certificate on your radius server.  When you turn termination on, that shifts the EAP/Cert function to the built-in certificate on the controller, and that works.  That means your laptop's wired 802.1x profile works with the controller's built-in certificate.  Termination and machine authentication don't work, however; otherwise you would be home free.

 

The question is why machine authentication does not work when termination is off.  Do you have any special rules on the NPS server that is preventing wired authentication?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Aruba

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Do you have a matching policy on NPS for computer authentication vs. user authentication?  

 

I know you said you don't see anything on the NPS server when the computer tries to authenticate.   Do you see failures in general on NPS?    I've seen a number of NPS installs where failures did not register in the log despite being configured to do so.   If you don't see other failures, run the following:

 

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Hi,

 

We've done some further investigation. We now seem to have authentication working with Termination OFF and with Machine authentication as well.

 

In the wired AP profile for the RAP group we had the port ticked as "Trusted". When we unticked this and disabled termination, it worked correctly; see below:

 

Aug 22 13:49:38  eap-id-resp           ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        1      26    Domain\Username
Aug 22 13:49:38  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        65505  200
Aug 22 13:49:38  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65505  90
Aug 22 13:49:38  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        2      6
Aug 22 13:49:39  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        2      167
Aug 22 13:49:39  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65506  379
Aug 22 13:49:39  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65506  239
Aug 22 13:49:39  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        3      155
Aug 22 13:49:39  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        3      69
Aug 22 13:49:39  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65507  281
Aug 22 13:49:39  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65507  191
Aug 22 13:49:39  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        6      107
Aug 22 13:49:39  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        6      107
Aug 22 13:49:39  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65508  319
Aug 22 13:49:39  rad-accept            <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65508  242
Aug 22 13:49:39  eap-success           <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        6      4

 

When we configured the laptop to use machine authentication, this also worked; see below:

 

Aug 22 13:52:19  eap-start             ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        -      -
Aug 22 13:52:19  eap-id-req            <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        8      5
Aug 22 13:52:19  eap-id-resp           ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        8      32    host/LT19515.********************
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        65513  212
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65513  90
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        9      6
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        9      140
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65514  358
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65514  1434
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        10     1340
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        10     6
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65515  224
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65515  1434
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        11     1340
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        11     6
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65516  224
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65516  483
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        12     397
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        12     343
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65517  563
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65517  153
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        13     69
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        13     6
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65518  224
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65518  127
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        14     43
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        14     75
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65519  293
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65519  159
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        15     75
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        15     123
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65520  341
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65520  175
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        16     91
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        16     43
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65521  261
Aug 22 13:52:19  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65521  191
Aug 22 13:52:19  eap-req               <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        17     107
Aug 22 13:52:19  eap-resp              ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        17     107
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65522  325
Aug 22 13:52:19  rad-accept            <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65522  310
Aug 22 13:52:19  eap-success           <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        17     4
Aug 22 13:52:19  station-data-ready     *  2c:76:8a:db:65:10  00:00:00:00:00:00        101    -
Aug 22 13:52:19  station-data-ready_ack *  2c:76:8a:db:65:10  00:00:00:00:00:00        101    -

 

I can also confirm the NPS server sees the requests and processes them accordingly.
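The two traces above are the controller's 802.1X trace for one client: the identity in the `eap-id-resp` line tells you whether it was a user (`Domain\Username`) or machine (`host/...`) attempt, and the `rad-req`/`rad-resp` pairs tell you whether the RADIUS server actually answered. The following parser is an added example, not part of this thread or of any Aruba tool: it splits a trace of this format into per-client sessions, classifies each as user or machine authentication, and flags RADIUS requests that were never answered, which is the symptom being chased earlier in the thread (the controller sends, NPS logs nothing). The sample trace is constructed in the same format: the first two sessions are abridged from the traces above, the third client (`00:11:22:33:44:55`, identities `host/LAPTOP0x.example.test`) is invented to show an unanswered request, and the `rad-reject`/`eap-failure` event names are assumed, not taken from this page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One record of the controller trace shown above: timestamp, event, direction,
# client MAC, peer (RADIUS server and optional /Wired port tag), EAP or RADIUS
# id, length, and an identity that is only present on eap-id-resp lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} +\d{2}:\d{2}:\d{2}) +"
    r"(?P<event>\S+) +(?P<dir>->|<-|\*) +"
    r"(?P<client>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) +"
    r"(?P<peer>\S+) +(?P<id>\S+) +(?P<len>\S+)"
    r"(?: +(?P<identity>\S+))?\s*$"
)


@dataclass
class Session:
    client: str
    started: str
    identity: Optional[str] = None
    result: str = "incomplete"  # accept / reject / incomplete
    rad_req_count: int = 0
    rad_ids_sent: set = field(default_factory=set)
    rad_ids_answered: set = field(default_factory=set)

    @property
    def auth_type(self) -> str:
        # Windows machine authentication presents host/<FQDN>; user
        # authentication presents DOMAIN\user (or a UPN).
        if self.identity is None:
            return "unknown"
        return "machine" if self.identity.startswith("host/") else "user"

    @property
    def unanswered_ids(self) -> set:
        # RADIUS ids we sent and never saw a response for (retransmits of the
        # same id are counted once).
        return self.rad_ids_sent - self.rad_ids_answered


def parse_sessions(trace: str) -> list:
    sessions, current = [], {}  # current: client MAC -> session being built
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines, headers, anything that is not a record
        ev, client, ts = m["event"], m["client"].lower(), m["ts"]
        sess = current.get(client)
        # A session opens at eap-start, or at an eap-id-resp when no open
        # session for this client is still waiting for its identity.
        if ev == "eap-start" or (ev == "eap-id-resp" and (sess is None or sess.identity is not None)):
            sess = Session(client=client, started=ts)
            sessions.append(sess)
            current[client] = sess
        if sess is None:
            continue  # e.g. an eap-id-req seen before any session opened
        if ev == "eap-id-resp" and m["identity"]:
            sess.identity = m["identity"]
        elif ev == "rad-req":
            sess.rad_req_count += 1
            sess.rad_ids_sent.add(m["id"])
        elif ev in ("rad-resp", "rad-accept", "rad-reject"):  # rad-reject: assumed name
            sess.rad_ids_answered.add(m["id"])
            if ev == "rad-accept":
                sess.result = "accept"
            elif ev == "rad-reject":
                sess.result = "reject"
        elif ev == "eap-success":
            sess.result = "accept"
        elif ev == "eap-failure":  # assumed name
            sess.result = "reject"
    return sessions


def diagnose(sess: Session) -> str:
    if sess.result == "accept":
        return "accepted"
    if sess.result == "reject":
        return "rejected by RADIUS: check the NPS policy for this auth type"
    if sess.unanswered_ids:
        return "RADIUS request(s) never answered: NPS unreachable or silently dropping; enable NPS auditing"
    return "incomplete: no RADIUS exchange recorded"


def summarize(trace: str) -> list:
    return [{"client": s.client, "identity": s.identity, "auth_type": s.auth_type,
             "rad_requests": s.rad_req_count, "unanswered": sorted(s.unanswered_ids),
             "result": s.result, "diagnosis": diagnose(s)} for s in parse_sessions(trace)]


# Constructed sample: two abridged sessions from the trace above plus an
# invented third client whose RADIUS request is retransmitted and never answered.
SAMPLE_TRACE = """\
Aug 22 13:49:38  eap-id-resp           ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        1      26    Domain\\Username
Aug 22 13:49:38  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        65505  200
Aug 22 13:49:38  rad-resp              <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65505  90
Aug 22 13:49:39  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65506  379
Aug 22 13:49:39  rad-accept            <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65506  242
Aug 22 13:49:39  eap-success           <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        2      4
Aug 22 13:52:19  eap-start             ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        -      -
Aug 22 13:52:19  eap-id-req            <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        8      5
Aug 22 13:52:19  eap-id-resp           ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        8      32    host/LAPTOP01.example.test
Aug 22 13:52:19  rad-req               ->  2c:76:8a:db:65:10  01:80:c2:00:00:03        65513  212
Aug 22 13:52:19  rad-accept            <-  2c:76:8a:db:65:10  01:80:c2:00:00:03/Wired  65513  310
Aug 22 13:52:19  eap-success           <-  2c:76:8a:db:65:10  01:80:c2:00:00:03        9      4
Aug 22 13:52:19  station-data-ready     *  2c:76:8a:db:65:10  00:00:00:00:00:00        101    -
Aug 22 13:55:02  eap-id-resp           ->  00:11:22:33:44:55  01:80:c2:00:00:03        1      26    host/LAPTOP02.example.test
Aug 22 13:55:02  rad-req               ->  00:11:22:33:44:55  01:80:c2:00:00:03        65530  212
Aug 22 13:55:07  rad-req               ->  00:11:22:33:44:55  01:80:c2:00:00:03        65530  212
"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_TRACE):
        print(f"{row['client']}  {row['auth_type']:<8} {row['result']:<11} "
              f"reqs={row['rad_requests']} unanswered={row['unanswered']}  {row['diagnosis']}")
```

Feed it the output of the controller's 802.1X trace for the client MAC you are debugging; a session whose requests go unanswered points at the controller-to-NPS path (reachability, shared secret, or NPS logging), while a reject points at the NPS policy for that authentication type, which is the distinction the earlier replies in this thread are asking about.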

Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Excellent!

Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

Indeed! Huge sigh!

 

Are you able to tell me the function of the "trusted" variable? How does it affect the configuration?

Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

It would skip authentication if it is trusted. It is essential for this to work. Not sure why it half-works.


Colin Joseph
Principal Systems Engineer, ACE
Aruba Networks
cjoseph@arubanetworks.com
512-240-2227

Contributor II

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

So as a trusted port it should essentially drop those packets?

 

At least it's working now :)

Guru Elite

Re: Windows 7 802.1x Auth via Wired port on RAP-2WG

It should not force authentication.
