Wireless Access

IAP authentication method for Captive portal or 802.1x which one should i choose on Microsoft RADIUS server? I have attached the screen capture. My customer now use Windodws 2008 server. I did try to multiple selection but the fail to login. I'm sure that IAP VC (virtual controller) able communicate with the Microsoft RADIUS server because their is no error message on failure communicate with Microsoft RADIUS server.

What i know is Captive Portal authentication on the Microsoft RADIUS server have to choose PAP or SPAP, right?

Please advise.

Attachment(s)

Authentication Method.docx   79 KB 1 version

start read some info here:

http://www.arubanetworks.com/techdocs/InstantMobile/Advanced/Content/External%20RADIUS%20Server.htm

In RADIUS server setup, be sure to put the "NAS IP Address" as the VC IP address, and

In Advanced tab enable "Dynamic RADIUS Proxy"

this link will assist you in the radius side:

Step-by-Step: How to Configure Microsoft NPS 2008 Radius Server from Scratch

http://community.arubanetworks.com/aruba/attachments/aruba/115/6113/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf

more info:

http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Aruba-and-Windows-2008-NPS-issue/m-p/34609/highlight/true#M3312

more info (with youtube movies and examples in front of ClearPass):

http://community.arubanetworks.com/t5/Read-Only-Archive-Airheads/How-to-authenticate-on-IAP-using-external-captive-portal-and/td-p/87032

I did try choose the EAP-MSCHAP v2 on the Windows RADIUS server for 802.1x authentication but fail to authenticate. 

Please advise.

Can u screenshot or copy paster the failure ( security log ) on the radius side please.

did you follow the steps in the first document kdisc98 pointed to?

trying to build NPS policies (you need both a good Connection Request Policy and Network Policy) from scratch is tricky, better to go through the wizzard. once the basic works you can continue strip things you dont want, but the wizzard should give you something that works.

once it still fails it is indeed time to head for the windows event viewer and look for NPS events in the security section, these should be able to point you to the problem.

Hi kdisc98,

Below is the error message from the NPS server:

" A Radius messages was received from the invalid radius client IP address 10.64.108.125."

10.64.108.125 ip address is the physical Aruba IAP 105 ip address. VC ip address is 10.64.108.130.

On the NPS server i already put 10.64.108.130 as a RADIUS client.

Please advise.

It's seems your Radius - dosent recgozine the iap..did u configrue it right? with nas ip/id as needed? (on the radius side)

I only specify "NAS Port Type : Wireless IEEE 802.11 OR Wireless - Other" under "Network Policies".

I did add the 10.64.108.130 ip address at "RADIUS Client" and "Connection Request Policies".

I'm on my way to one of my clients right now (Waze - Google)

If you would like,later on I will land at me office lab - and I will be able to help via teamviewer/ammy/logmein/rdp or whatever you would like - I will take a look with with on all the configuration - and try to assist you.

My skype is: asa_2plus.

For the meantime.

Have a gr8 day.

Me

Ok. Can, thanks. Rougly need to wait for how many minutes. Because now i'm client site troubleshoot this problem. I think they going back in about 45 minutes start now on.

my skype ID: jordontin

---

@jordontin wrote:

Hi kdisc98,

 

Below is the error message from the NPS server:

 

" A Radius messages was received from the invalid radius client IP address 10.64.108.125."

 

10.64.108.125 ip address is the physical Aruba IAP 105 ip address. VC ip address is 10.64.108.130.

 

On the NPS server i already put 10.64.108.130 as a RADIUS client.

 

Please advise.

---

that is your problem, you can configure 10.64.108.130 as the radius client but if the request comes from 10.64.108.125 it wont work. so either add 10.64.108.125 as radius client or configure your IAP to use the VC address, that should be setting: "Dynamic RADIUS Proxy" at advanced settings.