Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

3200 controller OS update

  • 1.  3200 controller OS update

    Posted Jul 15, 2014 10:41 AM

    Hello all!

     

    My first time posting here. I would like to know if it is worth/possible to upgrade my 3200 Controller from 6.1.3.9 to the latest 6.3.1.8?

    If so, where can I find the procedure for doing so?

    Also, having problems making an AP-105 into a Campus AP. I will make another thread for this one.

     

    Thanks


    #3200


  • 2.  RE: 3200 controller OS update
    Best Answer

    EMPLOYEE
    Posted Jul 15, 2014 10:42 AM
    You would need to purchase the extra memory kit to upgrade the controller before going to 6.3


  • 3.  RE: 3200 controller OS update

    Posted Jul 15, 2014 10:45 AM

    Would I gain much from upgrading?

     



  • 4.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 15, 2014 10:47 AM
    There are many new features, but some may not be available with the legacy 3200 controllers.


  • 5.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 15, 2014 10:49 AM

    [Attached image: 6-3-controllersupport.PNG]



  • 6.  RE: 3200 controller OS update

    Posted Jul 15, 2014 01:19 PM

    Don't make the leap from 6.1 to 6.3 in one go if it's a production network and you need a seamless upgrade. I've seen some issues with the config once upgraded, so I'd recommend 6.1 > 6.2 > 6.3.



  • 7.  RE: 3200 controller OS update

    Posted Jul 15, 2014 01:22 PM

    Ok, good idea... but not sure if I really need to upgrade yet.

    I am still having issues with my Windows 7 users when they are forced to change their password, it will not let them do it through wifi!

    I might be missing something else.



  • 8.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 15, 2014 01:23 PM
    That's not a wireless issue that would be fixed by controller code. It takes some changes on your RADIUS server.


  • 9.  RE: 3200 controller OS update

    Posted Jul 15, 2014 01:26 PM

    Yeah, I need to get intimate with my RADIUS server.

    I read somewhere that I have to make one on a 2008 or newer server.

    Right now, I have a 2003 server which is probably why I'm having these problems.

     



  • 10.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 15, 2014 03:02 PM

    Tman,

     

    It should work on Windows 2003 server as well.

     



  • 11.  RE: 3200 controller OS update

    Posted Jul 16, 2014 08:46 AM

    Hmmm, really?

    The installer tried to configure it last year, yes it has been that long and not working yet, that he said we needed a Windows 2008 domain controller for Windows 7/8 options (aka: to be able to change user password when expired!)

    Should I start another thread for this? I would really like to get this up and running...it is a pain in the a$$ right now!

     

    Thanks



  • 12.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 16, 2014 09:16 AM
    Your problem is not being able to change passwords on the desktop? Please explain the steps and what is not working. Can new users who have never logged into a laptop wirelessly, login?

    To get the full functionality and control of Windows 7 laptops outside of wireless you absolutely need a domain controller that is 2008 and greater for all of the group policy stuff. Your 2003 radius server, through machine authentication should allow your users to change passwords over wireless.


  • 13.  RE: 3200 controller OS update

    Posted Jul 16, 2014 11:13 AM

    cjoseph, no, a new user that hasn't yet authenticated on a wireless laptop cannot login.

    Neither can any user change his password when it has expired.

    I know that to have all gpo's related to Windows 7 that I must have a 2008 or greater DC server but always doubted that it was needed concerning passwords!

     



  • 14.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 16, 2014 11:21 AM
    Tman,

    The key to what you just said is allowing machine authentication to occur on your radius server. Your rule on IAS will frequently allow groups of users to authenticate, but it must also allow the domain computers group to authenticate, as well.


  • 15.  RE: 3200 controller OS update

    Posted Jul 16, 2014 11:46 AM

    Would you happen to have any screenshots as to where I would make this possible?

    I haven't played with IAS much, so any help would be appreciated.

    Thanks!



  • 16.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 16, 2014 11:53 AM

    http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/1025/1/IAS+Config.pdf

     

    This is just a document to configure IAS from scratch.  To make changes to an existing environment, you should get someone who knows the impact on what you are doing currently to make the changes.



  • 17.  RE: 3200 controller OS update

    Posted Jul 16, 2014 12:15 PM

    I'll have a look.

    Thanks!



  • 18.  RE: 3200 controller OS update

    Posted Jul 16, 2014 01:58 PM

    Ok, well I can now authenticate new users that never logged in on a laptop... BUT... I am still unable to change the password if it is expired.

    All options in RADIUS are activated for a user to be able to change their password but still does not work.

     

    thanks!



  • 19.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 16, 2014 02:11 PM

    Tman,

     

    That is because with 802.1x unless you are authenticated successfully, your link is down....That means your laptop cannot contact the domain controller to change your password.

     



  • 20.  RE: 3200 controller OS update

    Posted Jul 16, 2014 02:25 PM

    So, in other words, it can't be done? Right?

     

    Our help desk will reset user passwords when they forget their passwords...and force the user to change their temp password by checking the box "user must change password".

    I guess this will have to change?

     

    Would you suggest I authenticate my users otherwise?



  • 21.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 16, 2014 02:41 PM

    So, I know that there was a time that changing your password over 802.1x did not work, and now it works.  It probably only works with NPS and beyond:  http://www.stevenjordan.net/2013/11/last-updated-november-15th-2013-by.html

     

    It was so long ago...

     



  • 22.  RE: 3200 controller OS update

    Posted Jul 16, 2014 02:56 PM

    So, this is why I need a 2008 server, right?

    My Windows 2003's RADIUS server doesn't have the capability to do it?

     



  • 23.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 16, 2014 02:58 PM

    I would check with MSFT ultimately, because it has been so long, but NPS does offer you that capability today.  Best to check with Microsoft and report back to us, just to be sure.  I would not want to suggest an upgrade if it will work with 2003.  It has been so long, that I cannot be sure.  Maybe someone on the list here could provide some context.



  • 24.  RE: 3200 controller OS update

    Posted Jul 16, 2014 03:55 PM

    Well...I do have a 2008 server that is now a DC.

    This is recent so I haven't enabled RADIUS on it, and it is in my "other" site that I can access via WAN (MPLS).

    I am still deploying it as it will be replacing an older DC (2003).

    I'll give it a try on my 2008 server.



  • 25.  RE: 3200 controller OS update

    Posted Jul 17, 2014 12:51 PM

    Ok...well, my 2008 Radius server is authenticating my wireless laptop by username but not by machine name!

    FYI, I am not presently using certificates. Is this what I am missing? If so, does it have to be an Enterprise certificate as I do not have that access. Our forest is big and each region manages their own domain.

     

    Thanks!



  • 26.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 17, 2014 03:24 PM

    Tman,

     

    At minimum, your radius server needs a server certificate.

     

    Did you see the article here:  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/ta-p/80672  ?



  • 27.  RE: 3200 controller OS update

    Posted Jul 18, 2014 07:59 AM

    Yes, I did see that .pdf but I thought the certificate was mostly for security.

    We eventually will be using certificates. As I asked in my previous message, does it need to be an Enterprise certificate or can it be a standard one? All of my devices will be connecting on my managed domain only.

     

    Thanks

     

     



  • 28.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 18, 2014 08:06 AM

    For EAP-PEAP you only need a server-side certificate.  Most people do NOT use Client-Side certificates, which is EAP-TLS.

     

    If it is working, you have a certificate installed.

     

    If machine authentication is not working, you should check the rules on the NPS server.

     



  • 29.  RE: 3200 controller OS update

    Posted Jul 18, 2014 08:09 AM

    I haven't yet tried to use a certificate.

    I will configure one today and see if this makes any changes!

    Thanks again



  • 30.  RE: 3200 controller OS update

    Posted Jul 18, 2014 09:13 AM

    Well, I installed the certificate but as I said it is not an "enterprise" certificate.

    Do I have to configure my wifi profile on the laptop to validate the certificate?

    I don't see the certificate I just created in the list of certificates available!

     

    PS... Can you show me a NPS screen shot of an authenticated wireless device?



  • 31.  RE: 3200 controller OS update

    EMPLOYEE
    Posted Jul 18, 2014 09:54 AM

    Tman,

     

    Please start a new thread so that others can follow your issue.

     

    Again, if client authentication is working to the 2008 NPS server, you already have a certificate and you don't have to do anything else.



  • 32.  RE: 3200 controller OS update

    Posted Jul 18, 2014 10:43 AM

    Ok, will do!

    Thanks for your help ;)