Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba 3200 Wireless with Radius Authentication

  • 1.  Aruba 3200 Wireless with Radius Authentication

    Posted Feb 05, 2014 04:15 PM

    Hey guys, 


    So I set up an SSID and attached it to a RADIUS server. Everything works except one thing I am not sure about.

    I wanted to test what happens when you change the password in AD, would it kick the user off their phones and other wireless devices or not?

    The first time I tested it, it worked but when I tested it again the clients never got kicked off. Is there a way to specify when ARUBA checks the RADIUS server for credentials?


    #3200


  • 2.  RE: Aruba 3200 Wireless with Radius Authentication
    Best Answer

    Posted Feb 05, 2014 05:29 PM

    for captive portal login

     

    read here:

    http://www.arubanetworks.com/techdocs/ArubaOS_61/ArubaOS_61_UG/Firewall_Roles.php

     

    Re-authentication Interval (optional)

    Time, in minutes, after which the client is required to reauthenticate. Enter a value between 0-4096. 0 disables reauthentication.

    Default: 0 (disabled)

     

    ------------------------------------------------------------------------------------------------------------------------------------

    for 802.1x

     

    read here:

    http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/802.1x.php

     

    Use the re-auth option: (you can apply it on any

     

    Reauthentication

    Select this option to force the client to do a 802.1x re-authentication after the expiration of the default timer for re-authentication. The default value of the timer (Reauthentication Interval) is 24 hours. If the user fails to re-authenticate with valid credentials, the state of the user is cleared.

    If derivation rules are used to classify 802.1x-authenticated users, then the Re-authentication timer per role overrides this setting.

    Default: disabled
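
The two settings quoted in the reply above, written as ArubaOS CLI. This is an added example, not part of the original post or the linked guides; the profile and role names are hypothetical and the timer values are illustrative only.

```text
! Constructed example; "example-dot1x" and "example-guest" are hypothetical names.
!
! 802.1X: turn on reauthentication and set the timer.
! The CLI timer is in seconds; 86400 equals the 24-hour default quoted above.
aaa authentication dot1x "example-dot1x"
   reauthentication
   timer reauth-period 3600
!
! Per-role interval in minutes (0-4096, 0 disables). For 802.1X users
! classified by derivation rules, this per-role timer overrides the
! profile setting above.
user-role "example-guest"
   reauthentication-interval 60
!
! Check what is actually applied (run from enable mode).
show aaa authentication dot1x "example-dot1x"
show rights "example-guest"
```

Until one of these timers expires, a client that authenticated before the AD password change keeps its session, since the controller only consults RADIUS again at reauthentication or on a new association.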



  • 3.  RE: Aruba 3200 Wireless with Radius Authentication

    Posted Feb 05, 2014 05:42 PM

    Are you using WPA2-enterprise 802.1X with EAP-PEAP MSCHAPv2?

     

    If the password is changed in AD the user should also change it on his/her device. Depending on type of device this could mean the user has to "forget the network" and then re-configure it. This is one of the big down-sides of PEAP.

     

    For BYOD deployments you should consider using ClearPass OnBoard which will provision a certificate on the device and from then on EAP-TLS is used.

     

    If you have domain joined Windows devices you can just push down a GPO with the correct network settings and the users don't have to worry about changing their password on the 802.1X profile as well.



  • 4.  RE: Aruba 3200 Wireless with Radius Authentication

    Posted Feb 06, 2014 12:27 AM

    We are using RADIUS with PEAP for our (BYOD). It's a big hassle because every time users change their password in AD, which used to be every 90 days, they would not delete the profile on their phones, then cause the RADIUS to lock out their account for 24 hours. This produces a lot of help desk calls. We are going to move to ClearPass possibly this year. Also, when users bring in Windows 7 devices, the default settings are set up for AD users, but because they are not AD users on our network (BYOD), again the Windows profile has to be configured not to verify the certificate, and not to use their local credentials from their home laptop. I suggest ClearPass; we had to go with RADIUS because we didn't have the budget for ClearPass before, but I'm hoping this year.



  • 5.  RE: Aruba 3200 Wireless with Radius Authentication

    EMPLOYEE
    Posted Feb 06, 2014 07:24 AM

    ^ Not validating the server certificate is a very, very bad idea.