Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

EAP-TLS configuration
  • 1.  EAP-TLS configuration

    Posted Oct 22, 2012 01:19 PM

    Hi,

    I have 1-2 questions:

    What is the difference between "Termination EAP-Type" and "Termination Inner EAP-Type"? In which way do they interact with each other?

    We have a RADIUS server. We want to have 2 ways of authentication: user/password (which is already working well) and a certificate that validates that the device is a company device. Each of our devices is already delivered with a certificate when it first authenticates on the domain.

    Is it possible to only validate the computer? We don't want to use user/password over a certificate.



  • 2.  RE: EAP-TLS configuration

    Posted Oct 22, 2012 07:25 PM

    Hello

    Answering your questions:

    With EAP termination on the controller, only the user authentication is passed to the RADIUS server.

    EAP termination is good in situations where the RADIUS server is not local to the controller, so the EAP process and most of the traffic are terminated at the controller.

    This is normally used when the RADIUS server is not local to the wireless controller; for example, you have the RADIUS server in a datacenter somewhere else and you have your controller in the central site.

    For your second question, let me explain.

    There are 2 flavors of EAP:

    EAP PEAP: This does a two-way authentication; the client authenticates the server with a certificate, and the server authenticates the user with MSCHAPv2 (user and password).

    The level of security here is high.

    EAP TLS: This does a two-way authentication; the client authenticates the server with a certificate, and the server authenticates the user with a certificate also.

    The level of security here is VERY HIGH.

    It is possible with Aruba to use:

    EAP PEAP + machine authentication

    EAP TLS + machine authentication

    Machine authentication = it validates that the computer belongs to the AD group you select in the network policy rule on the NPS.

    So you add another layer of security.

    Now, as far as I understand you:

    You would like to use EAP TLS, but you will need to use a user certificate, not a machine certificate, on your clients....

    You will need user certificates on the clients...

    EAP PEAP is secure as long as you configure the clients correctly... if you don't, then that's the problem.

    Anyway, if you want the highest security then implement EAP TLS.

    I don't know if this answers your question???



  • 3.  RE: EAP-TLS configuration

    Posted Oct 22, 2012 08:28 PM

    Very good answer! But there is more to clarify :)

    For the termination, it's "EAP type" and "Inner EAP type". What is the difference between them? I understand the standard on each line, like EAP-PEAP or EAP-TLS.

    But which comes first in the process? Can I only choose one, or do both need to be configured? It's hard to explain as English is not my primary language, but I just can't find why one is "Inner" and not the other. :)

    And with your explanation, it's clearer to me now. We were trying to authenticate a laptop with a certificate. Because there are local computer or local user certificates, no? With our corporate VPN (which is not me who configured it), we are able to authenticate a device with a cert directly in the local computer store. No need to have a user/password.

    So EAP-TLS is only for user/password auth with a certificate? And for my need, I'll have to use EAP-PEAP with machine auth?

    Is there a tutorial for configuring machine auth correctly?

    Thanks for your time!



  • 4.  RE: EAP-TLS configuration

    Posted Oct 22, 2012 08:51 PM

    If you found my post helpful please kudo it, and if it resolves your questions please click on "accept as solution".

    Answering your questions:

    For more information I'll give you a link about this. It has good information which will answer your first question, I guess:

    http://community.arubanetworks.com/t5/Community-Knowledge-Base/EAP-The-Basics/ta-p/25380

    You have to choose one, you cannot choose 2....

    On your PC clients you can only configure one: you configure EAP PEAP or EAP TLS, you cannot configure both..

    What you can do is configure EAP PEAP + machine enforcement + DHCP enforcement (if you use DHCP).

    You can also configure EAP TLS + machine enforcement + DHCP enforcement...

    For example, I did a deployment in a bank... for now we have EAP PEAP + machine enforcement + DHCP enforcement, but we want to move it to EAP TLS + machine enforcement + DHCP enforcement to increase security.

    Now, if you have an internal certification authority, you can deploy user certificates to your users; for example, if you do it manually you will have to request it in the MMC... or via the web... you need to have the user template available for this. If you do this then you will be able to deploy EAP TLS; if not, then you can only do EAP PEAP.

    Now, the certificate of the machine you are referring to: I THINK you mean the one that appears when you click on EAP Protected properties in the list of trusted root certification authorities... which is the thing that the computer uses to know if it can trust that root.. which can be VeriSign or GoDaddy or, in this case, your internal root certification authority.

    Here is a manual I made on how you should configure EAP PEAP correctly:

    http://community.arubanetworks.com/t5/Authentication-and-Access/Correctly-configure-EAP-PEAP-Windows-client/m-p/43398

    I'm not an expert in PKI... I just know the basics... my manager is the one that is an expert in that! So I cannot give you too much info about it, sorry.

    About how to configure the machine authentication, well, mmmm, there is not a tutorial that I remember of.... but in the next post I'll try to explain it to you.



  • 5.  RE: EAP-TLS configuration

    Posted Oct 22, 2012 09:02 PM

    Machine authentication

    Let's say you already configured EAP PEAP correctly and you just got that working; now let's add the machine enforcement, which is the machine authentication, to add another layer of security.

    1-You go to the NPS console.

    2-You go to network security policies.

    3-Add a new network security policy; you add the computer group you want to get access (for example, previous to all this you will need to create a group called, for example, WLANMachines in Active Directory and put in it all the machines that are allowed on the WLAN).

    4-You click next, next, next, finish.

    5-You put that rule in the first place; in the second place you put the network policy for EAP PEAP you created (they need to be in separate policies).

    6-You go to the wireless controller, go to Configuration, go to Security, then AAA profile; you go to the profile you are using on your SSID, then you go to the 802.1x profile inside it and click on the "enforce machine" checkmark.

    7-On the machine authentication default role and user role, use a deny-all role, as you don't want them to get any access anywhere after JUST machine authenticating.... they will need to authenticate also via EAP PEAP before being granted access.

    Note: you will only be able to authenticate machines when you log in or log off Windows...

    If you try to do this when you are already logged in and then try to connect to the network, you will not be able to... you need to log off, then log in, and it should work....

    Hope this helps.. if it's not working you will have to wait a bit... I'm not at home, so I have no SSL access to my remote lab to check everything... I'm telling you out of my mind how to configure it.

    BTW, what's your native language? Mine is Spanish...

    Cheers

    Carlos



  • 6.  RE: EAP-TLS configuration

    Posted Oct 23, 2012 08:57 AM

    French, from Quebec :)

    So I want to go step by step. Only with EAP-PEAP:

    I did the configuration on my NPS. Here is a screenshot on a test laptop:

    Capture.PNG

    So I found out with your procedure that I need to check "Do not prompt user to authorize ...". If we don't, the user can only press "continue" on a prompt saying that the certificate is not validated. But with the continue option, the connection is made correctly... This is my first question. Am I right?

    After that, if I left the field "Connect to these servers" unchecked, with no trusted root checked, it works...

    Then: "Connect to these servers" checked with the field blank and no trusted root checked, it prompts me that it cannot connect to the network.

    And finally, if I do it like my screenshot, with the name of the server and no trusted root, it works... There is something that I don't get... In which case won't it work if the client is enabled to authenticate the server with a certified root?



  • 7.  RE: EAP-TLS configuration

    Posted Oct 23, 2012 10:16 AM

    And what happens if a non-user of our company tries to connect to that network? If he doesn't have "Validate server certificate" checked, will he be able to connect if he has the right credentials?

    Here is my thought:

    If "Validate server certificate" is unchecked, he shouldn't be able to connect.

    If the box is checked, then he should have the right trusted root checked to validate the server. If he doesn't have it, he shouldn't be able to connect.

    Am I understanding the utility of EAP-PEAP right?

    Or should all that stuff only be validated by machine auth?



  • 8.  RE: EAP-TLS configuration

    Posted Oct 23, 2012 10:40 AM

    Found it!!

    **bleep** god... As I said, I removed the trusted root certificate from my test laptop and I was still able to connect. But I found that the certificate was somewhere else too. In MMC:

    Console Root
      Certificates - Local Computer
          Trusted Root Certification Authorities: previously deleted the cert here.
          Intermediate Certification Authorities: there was still our certificate here!

    Now it works like a charm:

    -When I remove the cert, nothing works except when I uncheck "Validate server certificate".

    -When I add it, it works again. The only thing is that I don't need to check my trusted root cert in the list. Is that normal?



  • 9.  RE: EAP-TLS configuration

    Posted Oct 24, 2012 12:30 AM

    Hello

    Let me answer your questions.

    When you select the checkbox "Do not prompt user to authorize new servers or trusted root certificates": if you enable this option, the user is not presented with the UI that may be difficult for the user to understand. Therefore, the user cannot select an unapproved root certification authority.

    Now I'll give you another link where I read some interesting stuff about this; check this out:

    http://support.microsoft.com/kb/941123

    Your other question was:

    "When I add it, it works again. The only thing is that I don't need to check my trusted root cert in the list. Is that normal?"

    Well, I believe that when you do not select any, it searches all the root certs you have in the list.. if one applies then it uses that one, but it's better to specify it...

    Now I recommend you apply this via group policy so that the user cannot change it...

    Now, you are doing all this to boost the security in your EAP PEAP config... attackers get in with misconfigured EAP PEAP...

    To make it work you don't need to select a server or anything like that, but then EAP PEAP is misconfigured and a man-in-the-middle attack can be launched.

    Anyway, I hope I didn't miss answering any of your questions.

    Cheers

    Carlos



  • 10.  RE: EAP-TLS configuration

    Posted Nov 01, 2012 11:19 AM

    It's me again!

    I have now some problems with the machine authentication.

    Currently I'm trying to make it work only with M-Auth (for testing purposes). Here is the log that I got from the command "show auth-tracebuf count x":

    Nov  1 10:52:37  station-up             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    wpa2 aes
    Nov  1 10:52:37  m-auth req             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
    Nov  1 10:52:37  m-auth resp            *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    failed
    Nov  1 10:52:37  wpa2-key1             <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   117
    Nov  1 10:52:37  eap-start             ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
    Nov  1 10:52:37  eap-id-req            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   5
    Nov  1 10:52:37  eap-id-resp           ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   29   host/P-3676.sh.cima.plus
    Nov  1 10:52:37  rad-req               ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  10  236
    Nov  1 10:52:37  rad-reject            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9/Corpo-Radius-SH  10  44
    Nov  1 10:52:37  eap-failure           <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   4    server rejected
    Nov  1 10:52:37  station-down           *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
    Nov  1 10:52:48  station-up             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -    wpa2 aes
    Nov  1 10:52:48  m-auth req             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -
    Nov  1 10:52:48  m-auth resp            *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -    failed
    Nov  1 10:52:48  wpa2-key1             <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   117
    Nov  1 10:52:48  eap-start             ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -
    Nov  1 10:52:48  eap-id-req            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  2   5
    Nov  1 10:52:48  eap-id-resp           ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  2   29   host/P-3676.sh.cima.plus
    Nov  1 10:52:48  rad-req               ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  11  236
    Nov  1 10:52:48  rad-reject            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1/Corpo-Radius-SH  11  44
    Nov  1 10:52:48  eap-failure           <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  2   4    server rejected
    Nov  1 10:52:48  station-down           *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -
    Nov  1 10:52:58  station-up             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    wpa2 aes
    Nov  1 10:52:58  m-auth req             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
    Nov  1 10:52:58  m-auth resp            *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    failed
    Nov  1 10:52:58  wpa2-key1             <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   117
    Nov  1 10:52:58  eap-start             ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
    Nov  1 10:52:58  eap-id-req            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   5
    Nov  1 10:52:58  eap-id-resp           ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   29   host/P-3676.sh.cima.plus
    Nov  1 10:52:58  rad-req               ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  12  236
    Nov  1 10:52:58  rad-reject            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9/Corpo-Radius-SH  12  44
    Nov  1 10:52:58  eap-failure           <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   4    server rejected
    Nov  1 10:52:58  station-down           *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -

    Before I start to explain how I configured everything, is there something easy to spot?

    Thanks.



  • 11.  RE: EAP-TLS configuration

    Posted Nov 03, 2012 09:39 PM

    Okay

    How did you configure the machine authentication?

    What policies do you have on your NPS, in your network policy rules?

    It's really easy to configure... I have got it working at some clients, though...

    Can you tell me what you have in your network policy rules? In the different tabs of the rule?

    Do you have it in another policy before the one that authenticates with EAP PEAP? Remember, they need to be in different network policy rules; they cannot be in the same rule.

    Sorry for not answering before... I did see your message, but I was busy at that time and then forgot to answer you, hehe, my bad...



  • 12.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 07:55 AM

    No problem for the answering time :)

    The more I see about machine auth, the more we won't want to use it. The login/logoff is not really practical. And the thought that the wireless needs to autoconnect when the network is in proximity.... But I want to make it work once.

    On RADIUS (network policy):

    -Only one policy; I'm trying to make it work only with machine auth. I don't want to use too many cards at once. In the policy, I added a "computer group". In that group, of course, I have the computer that I want to authenticate.

    On the controller:

    -Checked "Enforce Machine Auth".

    On the computer:

    -"User or Computer Auth". I even tried "Computer Auth" only.

    -Certificates on my computer in the local computer personal store.

    As you say, it seems really easy to configure. But I just can't see what's going wrong...



  • 13.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 09:11 AM

    Can you see the RADIUS logs?

    What error message did you get in there?



  • 14.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 09:19 AM

    Here is the log from RADIUS which matches my previous post with the controller log:

    EventData
      SubjectUserSid: S-1-5-21-106805911-554667333-2861106670-6502
      SubjectUserName: host/P-3676.sh.cima.plus
      SubjectDomainName: SH
      FullyQualifiedSubjectUserName: sh.cima.plus/100/12/Portables/P-3676
      SubjectMachineSID: S-1-0-0
      SubjectMachineName: -
      FullyQualifiedSubjectMachineName: -
      MachineInventory: -
      CalledStationID: 000B866E02AC
      CallingStationID: 002315447108
      NASIPv4Address: 192.168.103.72
      NASIPv6Address: -
      NASIdentifier: Co100-34-D3400
      NASPortType: Sans fil - IEEE 802.11
      NASPort: 0
      ClientName: Co100-34-D3400
      ClientIPAddress: 192.168.103.72
      ProxyPolicyName: Connexions sans fil sécurisées
      NetworkPolicyName: Connections to other access servers
      AuthenticationProvider: Windows
      AuthenticationServer: VAP3-000.cima.plus
      AuthenticationType: EAP
      EAPType: -
      AccountSessionIdentifier: -
      ReasonCode: 65
      Reason: Access Permission setting in the network properties of the incoming user account in Active Directory is set to deny access to the user. To change this setting to Allow access or Control access through Remote Access Policy, go to the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Authorization network access.
      LoggingResult: Tracking information were included in the local log file

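As an added example (not code from this thread, from Microsoft or from Aruba), the Python helper below parses an NPS event like the one above in "Key: value" form, normalizes the Calling-Station-ID to the colon-separated MAC that the controller's auth-tracebuf prints so the two logs can be matched on the same client, and flags the combination seen here: a computer account (SubjectUserName of the form host/...) rejected with ReasonCode 65, the dial-in permission on the account. The sample event is constructed from the fields in this post; `parse_event`, `normalize_mac` and `triage` are names chosen for the example.

```python
"""Triage helper for an NPS (Windows RADIUS) EAP event.

Added example; not code from the thread, Microsoft or Aruba. The "Key: value"
layout and the sample event below are constructed from the event quoted in
the post.
"""
import re
from typing import Optional

# Constructed sample: the fields from the post, one "Key: value" per line.
SAMPLE_EVENT = """\
EventData
  SubjectUserSid: S-1-5-21-106805911-554667333-2861106670-6502
  SubjectUserName: host/P-3676.sh.cima.plus
  SubjectDomainName: SH
  CalledStationID: 000B866E02AC
  CallingStationID: 002315447108
  NASIPv4Address: 192.168.103.72
  NASIdentifier: Co100-34-D3400
  NASPortType: Sans fil - IEEE 802.11
  NetworkPolicyName: Connections to other access servers
  AuthenticationType: EAP
  EAPType: -
  ReasonCode: 65
  Reason: Access Permission setting in the network properties of the incoming user account in Active Directory is set to deny access to the user.
"""


def parse_event(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; a bare '-' means the field is unset."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9]+):\s*(.*)$", line)
        if not m:
            continue  # e.g. the 'EventData' header line
        key, value = m.group(1), m.group(2).strip()
        fields[key] = None if value == "-" else value
    return fields


def normalize_mac(station_id: str) -> str:
    """NPS logs Calling-Station-ID as 12 hex digits; the Aruba tracebuf prints
    lowercase colon-separated octets. Normalize so the two logs can be joined."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", station_id).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {station_id!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_machine_account(subject: Optional[str]) -> bool:
    """Machine authentication presents the computer account as host/<fqdn>;
    the thread notes the computer's name is used as the RADIUS username."""
    return bool(subject) and subject.lower().startswith("host/")


def triage(fields: dict) -> dict:
    """Summarize what a defender needs: who, from which client MAC, which NPS
    policy matched, and whether the failure is ReasonCode 65 on a computer
    account (the dial-in permission case discussed in this thread)."""
    subject = fields.get("SubjectUserName")
    code = int(fields.get("ReasonCode") or 0)
    summary = {
        "subject": subject,
        "machine_account": is_machine_account(subject),
        "client_mac": normalize_mac(fields["CallingStationID"]),
        "policy": fields.get("NetworkPolicyName"),
        "reason_code": code,
        "eap_type": fields.get("EAPType"),
    }
    if code == 65 and summary["machine_account"]:
        summary["hint"] = ("computer account dial-in permission denies access; "
                           "check the Dial-in tab on the computer object or ignore "
                           "the dial-in attribute in the NPS policy")
    else:
        summary["hint"] = "see the Reason text of the event"
    return summary


if __name__ == "__main__":
    for key, value in triage(parse_event(SAMPLE_EVENT)).items():
        print(f"{key}: {value}")
```

The normalized `client_mac` (00:23:15:44:71:08) is the same string that appears in the station column of the controller trace in post 10, which is how the two records are tied together when the RADIUS server and the controller are logged separately.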

  • 15.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 09:21 AM

    Why did it use "UserName" and not "MachineName"?

    The name matches: P-3676.

    And the FullyQualifiedSubjectUserName too.



  • 16.  RE: EAP-TLS configuration

    EMPLOYEE
    Posted Nov 05, 2012 09:38 AM

    Look for the computer account in the domain and ensure that "allow dial-in" is enabled. That is why it is failing.

    When a computer authenticates, it uses its name as the username for incoming RADIUS traffic. If you want to allow devices that do computer authentication on your network, you need to configure your RADIUS policy at minimum to allow the Windows group "Domain Computers", because that group has all the computers as "users" that you want to allow.



  • 17.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 11:19 AM

    When I first saw the dial-in error a couple of days ago, I tried to find it but was unable to. Then one server guy told me that the option might have been removed in Windows Server 2008 R2...

    Then I called someone else today and he told me the problem comes from my use of the Administrative Tools for Win7. The "Dial-In" tab just doesn't show... On a domain controller, we saw it and realized, of course, that dial-in was not enabled -_- .....

    Now I see the log on RADIUS telling me that the machine authenticates.

    How can I block the authentication process when there is no machine auth? Because currently:

    -I deleted my local computer cert and restarted. After the login process, I'm on the network with no problem... RADIUS seems to get only the user auth and not the machine.

    -Same thing when I'm already logged in. I disconnect from the network, and when I reconnect, it only uses my user. Not the machine. I know that it only works when logging in and logging off the session, but should it block me because it can't authenticate the machine?



  • 18.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 11:23 AM

    No, the dial-up option you won't see if you are using RSAT... it happened to a client of ours...

    I told him that he needs to remote desktop or something like that, and well, in his case the option was set properly.

    Here are some KBs I sent him:

    http://support.microsoft.com/kb/975448

    http://support.microsoft.com/kb/837490



  • 19.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 11:26 AM

    If you make the machine authentication work, and then you delete the machine... you will still be able to connect because you will see the entry in the local database on the controller... for 24 hours...

    This option is available because, imagine that the user has to log in and log off always? It's set to 24 hours so that the user just does that in the morning and does not need to do it again during the day...



  • 20.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 11:39 AM

    Ok, it was one of our concerns! The fact that the user has to log off/log in each time he wants to go on the Wi-Fi. It's not the case because of the 24 hours in the local database?

    I found the checkbox in RADIUS to ignore the dial-in... -_-. I'll try to test it.

    But my problem now is that even if the machine auth failed, it works with the user auth... I want the machine to be validated each time to have the right to connect. But currently it's not the case...

    The order in my network security:

    Machine auth policy.

    User auth policy.

    It's like it doesn't stop the process if step 1 fails...



  • 21.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 11:46 AM

    This is how I have it configured, and it works perfectly.

    I have 2 network policy rules:

    1-Machine authentication rule

    2-User rule with derivation option

    On the controller, when it authenticates, whatever passes, I put it in deny, because I don't want only that authentication to work...

    So when it machine authenticates, it gets a role of deny all.

    Then it user authenticates; if it's successful, it overrides that deny role with the derived role I'm getting from my NPS...

    In my case, if I delete the user from the group, then he will just machine authenticate and he will get a deny-all role...

    He needs to authenticate with the machine and also with the user...

    If the machine is not in the group, then he won't even connect...

    This is how I put it... I never tried it alone, to be honest... but it should work....



  • 22.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 11:57 AM

    I get what you explain, but maybe not the derivation part. I know the meaning of deny all for machine only and then allow access when the user authenticates.

    But maybe it will be clearer with that:

    Imagine that my computer has been logged in for several minutes.

    I want to log on to the Wi-Fi.

    Then I'm able to connect without the machine being authenticated...

    What's the point of having a machine auth if I can log in, then try the wireless auth, and it works perfectly without machine auth?



  • 23.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 12:02 PM

    My question to you:

    Were you able to log in successfully with machine authentication once? Or never?



  • 24.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 12:05 PM

    Yes.

    But even if the machine has no rights, I'm able to log in....

    PC1:
    User certificate
    Computer certificate
    In the computer group for machine access

    PC2:
    User certificate
    Computer certificate
    NOT in the computer group for machine access

    -Restart both PCs.
    -User login prompt. I'm waiting 30 sec for the machine auth.
    -On RADIUS log: PC1 machine auth success.
    -On RADIUS log: PC2 machine auth fail.
    -PC1 after login: access granted to the Wi-Fi.
    -PC2 after login: access granted to the Wi-Fi. ------------> Why??



  • 25.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 12:42 PM

    Well, like I told you:

    IF PC2 already authenticated just once,

    it will save that machine in the local database of the controller for 24 hours.... no matter if you delete it from the group, it will still have access for 24 hours...

    Does this answer your question, or am I confused getting your question?



  • 26.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 12:56 PM

    PC2 never machine authenticated before.



  • 27.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 01:07 PM

    It's like the conditions are not "AND" but "OR":

    Machine auth
    or
    User auth



  • 28.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 01:10 PM

    The condition is AND when you use 2 rules,

    like the example I gave you in my scenario:

    1-Rule1 for the machine authentication

    2-Rule2 for the user authentication

    If you set both in the same rule, then it will work as OR, not as AND.



  • 29.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 01:23 PM

    Anyway, I read your previous post and there is something weird happening. I mean, if you have the network policies, I mean 2 network policies,

    one for the machine

    and the other for the user authentication,

    if the PC never authenticated it should stop on the first one.

    Did you check that the machine authentication checkbox is applied on the correct AAA profile?

    I mean, like I said, this is weird because as far as I see you have it like I have it, and well, mine is working fine.... in fact I have this at a few clients and it's working just fine.... the last one I installed it at, he brought some other devices to see if the machine authentication was really working, and well, it was.

    We would need to go deeper to see what's happening... but for now it's kind of hard for me to troubleshoot with you as I'm on an AirWave course right now.

    Maybe someone else can help you today... if not, I'll try to help you some other day with this...
     



  • 30.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 01:29 PM

    First of all, RADIUS:

    Capture1.JPG

    Capture2.JPG

    #It's the property of machine auth. We see that I use CIMA\Ordinateur WIFI for my computer group.

    Capture3.JPG

    #Here for user. CIMA\WIFI-CIMA as my user group.

    After a login/logoff on PC2 (the one that never accessed via machine auth because it is not in the "Ordinateur-WIFI" group), here is the RADIUS log. 2 entries for machine and 2 for user auth.

    Capture4.JPG

    Capture5.JPG

    #Access is denied (Échec) for the machine auth.

    Capture6.JPG

    #Then access is granted for user (Succès).

    Don't worry NightShade1, I know you do your best!



  • 31.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 01:34 PM

    It's like the user is overwriting the machine one....

    Can you try putting on the machine default role, and the other one (I don't remember), a role of deny all?

    Create a new role and put in it a deny-all firewall policy...

    So on the wireless controller, put on the default role of machine authentication "deny", and on the other one which is below that, the deny role also, to see.

    When you are doing it, check on the wireless controller, on clients:

    it should be, when you are logged off, domain\machine name.

    When you log in, it should put you in the deny role.

    If you don't see it and you see that the role is the one of the user, somehow it's overwriting what the machine authentication is telling it....



  • 32.  RE: EAP-TLS configuration

    EMPLOYEE
    Posted Nov 05, 2012 01:43 PM

    guillaume.royer@cima.ca wrote:

        First of all, RADIUS:

        Capture1.JPG

        Capture2.JPG

        #It's the property of machine auth. We see that I use CIMA\Ordinateur WIFI for my computer group.

        Capture3.JPG

        #Here for user. CIMA\WIFI-CIMA as my user group.

        After a login/logoff on PC2 (the one that never accessed via machine auth because it is not in the "Ordinateur-WIFI" group), here is the RADIUS log. 2 entries for machine and 2 for user auth.

        Capture4.JPG

        Capture5.JPG

        #Access is denied (Échec) for the machine auth.

        Capture6.JPG

        #Then access is granted for user (Succès).

        Don't worry NightShade1, I know you do your best!

    So,

    The "computer" is just another account in AD. If you are having problems authenticating, go all the way to the bottom of the Event Viewer message to see in detail why it would not connect.



  • 33.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 01:47 PM

    The computer is not connecting because it's not in the group for computer access. And that's normal.

    What I want to point out is the fact that the machine auth failed, but the user one works well...

    I don't want the user auth to work when the machine auth fails first....



  • 34.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 02:12 PM

    Here is the situation before doing what you want me to do:

    PC2 (the one that never machine authenticated and has no right to):

    Capture10.JPG

    It's at Windows logon.

    #At 13:46:35 = Server rejected. It's RADIUS that said that my computer is not allowed.

    ##At 13:47:34 = The user auth happening automatically after my session opens. See that at "m-auth resp", we have "failed".

    ###After that, I'm on the wireless with a connection. All seems normal...

    It seems that we have 2 ways to validate machine auth? It tries with: eap-id-resp = host/P-1687.sh.cima.plus. And we have "m-auth req"...

    Now for PC1, the one that has all the access.

    Capture11.JPG

    #Here is the machine auth. All seems OK. See the following screenshot for the client on the controller:

    Capture12.JPG

    #We see that the machine auth seems to work well. It applies "denyall".

    Then 1-2 minutes after, I enter my credentials to log on with my username.

    Capture13.JPG

    #And after, for the client on the controller:

    Capture14.JPG

    Tell me if that stuff is enough to help!

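The symptom described in this post and in post 27 (the machine check fails but the user authentication is accepted anyway, so the two behave as OR rather than AND) is visible in the controller's auth-tracebuf, and it is worth having a check for it that runs over the trace rather than reading it by eye. The Python below is an added example, not code from this thread or from Aruba: it parses lines in the column layout shown in post 10, groups them into per-station sessions starting at each station-up, and flags any session where "m-auth resp ... failed" was followed by a RADIUS accept. The first session in the sample is quoted from post 10; the second is constructed to show the accepted case, and its rad-accept and eap-success event names are assumed counterparts of the rad-reject and eap-failure lines on the page, not real controller output.

```python
"""Reads 'show auth-tracebuf' output and flags sessions where machine
authentication failed but the station was still accepted.

Added example; not code from the thread or from Aruba. Column layout taken
from the trace quoted in post 10; the second sample session is constructed.
"""
import re

# First session: lines quoted from post 10. Second session: constructed to
# show the symptom from post 34 (m-auth failed, user accepted anyway).
SAMPLE_TRACEBUF = """\
Nov  1 10:52:37  station-up             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    wpa2 aes
Nov  1 10:52:37  m-auth req             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
Nov  1 10:52:37  m-auth resp            *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    failed
Nov  1 10:52:37  wpa2-key1             <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   117
Nov  1 10:52:37  eap-id-resp           ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   29   host/P-3676.sh.cima.plus
Nov  1 10:52:37  rad-reject            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9/Corpo-Radius-SH  10  44
Nov  1 10:52:37  eap-failure           <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   4    server rejected
Nov  1 10:52:37  station-down           *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
Nov  1 10:53:40  station-up             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    wpa2 aes
Nov  1 10:53:40  m-auth resp            *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    failed
Nov  1 10:53:40  eap-id-resp           ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   20   SH\\guillaume
Nov  1 10:53:41  rad-accept            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9/Corpo-Radius-SH  13  180
Nov  1 10:53:41  eap-success           <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   4
"""

# One trace line: timestamp, event, direction, station MAC, BSSID (optionally
# suffixed with /<radius-server>), EAP id, length, and free-text info.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+"
    r"(?P<event>[a-z0-9-]+(?: req| resp)?)\s+"
    r"(?P<dir>[*<>-]+)\s+"
    r"(?P<sta>[0-9a-f:]{17})\s+"
    r"(?P<bssid>[0-9a-f:]{17})(?:/(?P<server>\S+))?\s+"
    r"(?P<id>\S+)\s+(?P<len>\S+)(?:\s+(?P<info>.*))?$"
)


def parse_tracebuf(text):
    """Parse every line that matches the trace layout; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def sessions(events):
    """Group events into per-station sessions; each station-up opens a new one."""
    out, current = [], {}
    for ev in events:
        sta = ev["sta"]
        if ev["event"] == "station-up" or sta not in current:
            current[sta] = {"sta": sta, "events": []}
            out.append(current[sta])
        current[sta]["events"].append(ev)
    return out


def summarize(session):
    """Reduce a session to identity, machine-auth result and RADIUS outcome."""
    s = {"sta": session["sta"], "identity": None, "machine_auth_failed": False,
         "radius_server": None, "outcome": "incomplete"}
    for ev in session["events"]:
        info = (ev["info"] or "").strip()
        if ev["event"] == "m-auth resp" and info == "failed":
            s["machine_auth_failed"] = True
        elif ev["event"] == "eap-id-resp":
            s["identity"] = info
        elif ev["event"] in ("rad-accept", "rad-reject"):
            s["radius_server"] = ev["server"]
            s["outcome"] = "accepted" if ev["event"] == "rad-accept" else "rejected"
    s["machine_account"] = bool(s["identity"]) and s["identity"].lower().startswith("host/")
    # The condition the thread wants to rule out: machine check failed, yet the
    # station ended up with an accept from the RADIUS server.
    s["alert"] = s["machine_auth_failed"] and s["outcome"] == "accepted"
    return s


def analyze(text):
    return [summarize(s) for s in sessions(parse_tracebuf(text))]


if __name__ == "__main__":
    for summary in analyze(SAMPLE_TRACEBUF):
        flag = "ALERT" if summary["alert"] else "ok"
        print(f"{flag:5} {summary['sta']} {summary['identity']!s:28} "
              f"m-auth failed={summary['machine_auth_failed']} outcome={summary['outcome']}")
```

Run as a script it prints one line per session; the constructed second session is the one marked ALERT. On a real controller the grouping by station-up also separates the PC1 and PC2 cases in this post, since each has its own station MAC.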


  • 35.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 04:03 PM

    Do you see computer A's and computer B's MAC addresses in the local database?

    Give it a check!



  • 36.  RE: EAP-TLS configuration

    EMPLOYEE
    Posted Nov 05, 2012 11:29 AM

    On NPS there is an option to ignore the dial-in attribute. Not sure exactly where it is...



  • 37.  RE: EAP-TLS configuration

    Posted Nov 05, 2012 10:15 AM

    The machine authentication just happens when you log off and log on.. try logging off and logging on.

    Check that on the wireless controller, in the local database, you see your computer's MAC in there.

    When you try to connect, how do you see the client, if it appears on the controller?

    Does it appear like domain\machinename?