Wireless Access

Reply
New Contributor

Aruba Controller + FreeRadius + OpenLDAP using SSHA

Hello

 

We are having an issue at one of our customers: a local University.

They have 2 FreeRadius servers and 2 OpenLDAP servers that are installed and configured for the infrastructure.

 

All the passwords for the more than 25k users are stored in the LDAP database using SSHA encryption. The passwords cannot be changed because there are a number of external services that are using the LDAP database and cannot be reconfigured.

 

They have purchased Aruba Instant acces points and one Aruba Controller and they want to deploy a wireless network using 802.1x authentication and the existing infrastructure.

 

We have tried setting up both Aruba Instant Virtual controllers and Aruba controller and we cannot find a common setting that can be used by all the devices connected to the network.

 

Basically, the customer has:

- Windows 7, 8 10 laptop computers

- Apple MacOS laptop computers

- Windows 8, 10 tablets and mobile phones

- Android 4, 5, 6, 7, 8 tablets and mobile phones

- Apple iOS 9,10,11 tablets and mobile phones

 

If we activate EAP termination on the controller we have 2 types of results:

- EAP-MSCHAPv2 - none of the devices can succesfully login to the network (wich is true because the passwords are not stored using ntshah but SSHA)

- EAP-GTC - all the devices that are not running Windows can succesfully connect to the network.

 

If we do not use EAP termination then:

- All Windows 8, 10 laptops can connect to the network;

- Some Android devices can connect to the network (80%);

- Apple devices can connnect to the network after they download a specially created profile (available on the customer's extranet);

- Windows 7 devices and Windows 8 mobile devices cannot connect to the network.

 

I know that the simple solution is to use 3rd party supplicants but this is not possible. The amount of users is too high and the devices change frequently.

And they want to provide a seamless experience to the users and a simple login process that does not imply installing software on the device.

 

Any hints? Ideas? 

 

Best regards,

Alex

Guru Elite

Re: Aruba Controller + FreeRadius + OpenLDAP using SSHA

Your only realistic option is to deploy EAP-TLS.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Aruba Controller + FreeRadius + OpenLDAP using SSHA

Ok.

But EAP-TLS uses both server and client certificates and that requires to setup a certification authority and generate 25k user certificates that need to be distributed and installed on the devices.

Practically impossible as the customer wants the acces to the wifi network to be as simple and as easy as possible.

Alex

Guru Elite

Re: Aruba Controller + FreeRadius + OpenLDAP using SSHA

It’s really the only option if you don’t want to deploy a custom supplicant.

Have you looked at Aruba ClearPass? Certificate enrollment is all wizard based for the end user.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: