Contributor I

Aruba 7010 Authentication with Active Directory

Ref# Aruba 7010 controller

We need to enable Active Directory authentication for wireless users so that each office staff member is able to use their Windows Active Directory username & password to get network/internet access.

We are planning to install a RADIUS server on Active Directory (which is the best option, RADIUS or LDAP?).

Kindly help me to clear up the following:

1. On the 7010 WLC, how do we need to add the authentication server (as a RADIUS server or an RFC 3576 server)?

2. After successfully authenticating with the WLC using a Windows username & password, the IT team (a couple of Windows users) requires WLC management privilege, but normal users don't require controller management access. How can we achieve this?

3. We need to change the captive portal default certificate to a third-party SSL certificate. What is the procedure for this? Then what will be the new captive portal URL?

Guru Elite

Re: Aruba 7010 Authentication with Active Directory

1. Do not use LDAP. RADIUS is the best way. Instructions on how to install a RADIUS server on Windows Server and configure the controller are here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

2.  Management Authentication is described in the user guide here:  http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x_XPClient_IAS_Config/Configure_Management_Aut.htm?Highlight=management authentication

3.  An exhaustive description of why and how to change the controller captive portal certificate is here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Contributor I

Re: Aruba 7010 Authentication with Active Directory

Thanks cjoseph,

Please clarify the following.

1. To achieve our requirement, which is the best way of adding the authentication server: as a simple RADIUS server or as an RFC 3576 RADIUS server?

2. Regarding Aruba management access/permission for the IT team:

Consider that a total of 50 Active Directory users need to access the wireless network (so these users need to be authenticated with the RADIUS server). Out of these users, only the IT team (5 members) needs to have controller management permission; the remaining users don't have this permission.

As per the shared article (http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/802.1x_XPClient_IAS_Config/Configure_Management_Aut.htm?Highlight=management) my understanding is that all users will have the management permission.

If possible, please mention a step-by-step procedure for the same.

3. Currently the captive portal URL is "securelogin.arubanetworks.com", so once we upload and assign a new SSL certificate to the captive portal, what will be the new URL for the captive portal? We couldn't find the option to change the URL.

Guru Elite

Re: Aruba 7010 Authentication with Active Directory

1.  Add as a radius server.  RFC 3576 is change of authorization, which is an extension of radius, but not required for authentication, so you can skip that for now.

2.  There are a few management roles on the Aruba Controller that do different things:  http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Defaults/Default_Management_User_.htm?Highlight=mgmt-user

You would have to return a RADIUS attribute that will set the user's role to what you want (Aruba-Priv-Admin-User is the attribute in this case) when the user authenticates. Instructions on how to return an Aruba attribute from a Microsoft RADIUS server are here: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-i-go-about-in-doing-Vlan-derivation-against-Microsoft/ta-p/184848

3.  When you upload the new certificate, the URL for the Captive Portal will change to that fqdn.   Detailed information about changing the Captive Portal certificate and why you should do it is here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809


Contributor I

Re: Aruba 7010 Authentication with Active Directory

Hi, for wireless users using captive portal authentication, is there a need to install any certificate on user end-station devices (PC, mobile) and the wireless controller?

Guru Elite

Re: Aruba 7010 Authentication with Active Directory

Users will get an error with the default certificate installed on your controller when you configure captive portal authentication.  You would have to install a publicly-trusted server certificate to avoid that.  After you do that, users would not be expected to install anything on their device.  This is detailed here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809


Contributor I

Re: Aruba 7010 Authentication with Active Directory

Thanks, this is clear.

My doubt is that, as part of end-user captive portal authentication with the RADIUS server, the controller sends the username & password to the RADIUS server using MSCHAPv2 / PAP. For this purpose, is there any certificate required on the controller or on the wireless client devices?

Guru Elite

Re: Aruba 7010 Authentication with Active Directory

For Captive Portal, on the RADIUS side it is PAP, not MSCHAPv2. That does not require a client-side certificate.

Contributor I

Re: Aruba 7010 Authentication with Active Directory

Hi cjoseph,

PAP authentication is not supported on Windows Server 2012 R2.

Please find the attachment.

Contributor I

Re: Aruba 7010 Authentication with Active Directory

Regarding management permission for IT users: on the RADIUS server, in which settings do we need to configure the RADIUS VSAs (Aruba-Priv-Admin-User = 2, type = integer)?

How can we assign this policy to IT users (do we need to create a separate RADIUS policy for IT users)?

Is it possible to share any screenshots?

 

 
