MVP

PEAP Configuration with Controller as the Authentication server

Hello Experts, 

 

I have created a VAP profile with WPA2-AES & EAP type as PEAP. I need to have simple password/username based authentication. The problem I am facing is after supplying the credentials, the users are stuck in connecting. It appears the users are trying to validate the server certificate.

How can we manage to have a successful client association in this case?

[Attachment: User authentication.PNG]

Below is the WLC configuration:

(WLC_0001) #show aaa profile Local-dot1x-aaaProfile-Test

AAA Profile "Local-dot1x-aaaProfile-Test"
-----------------------------------------
Parameter Value
--------- -----
Initial role logon
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile Local-Dot1x-Test
802.1X Authentication Default Role guest
802.1X Authentication Server Group internal
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled

 

(WLC_0001) #show wlan virtual-ap VAP-TEST

Virtual AP profile "VAP-TEST"
----------------------------------
Parameter Value
--------- -----
AAA Profile Local-dot1x-aaaProfile-Test
802.11K Profile default
Hotspot 2.0 Profile N/A
SSID Profile SSID-TEST
Virtual AP enable Enabled
VLAN 231
Forward mode bridge
Allowed band all
Band Steering Disabled
Cellular handoff assist Disabled
Steering Mode prefer-5ghz
Dynamic Multicast Optimization (DMO) Disabled
Dynamic Multicast Optimization (DMO) Threshold 6
Drop Broadcast and Unknown Multicast Disabled
Convert Broadcast ARP requests to unicast Enabled
Authentication Failure Blacklist Time 3600 sec
Blacklist Time 3600 sec
Deny inter user traffic Disabled
Deny time range N/A
DoS Prevention Disabled
HA Discovery on-association Enabled
Mobile IP Enabled
Preserve Client VLAN Disabled
Remote-AP Operation standard
Station Blacklisting Enabled
Strict Compliance Disabled
VLAN Mobility Disabled
WAN Operation mode always
FDB Update on Assoc Disabled
WMM Traffic Management Profile N/A
Anyspot profile N/A

 

[Attachment: dot1x authentication profile.PNG]

(WLC_0001) #show wlan ssid-profile SSID-TEST

SSID Profile "SSID-TEST"
------------------------
Parameter Value
--------- -----
SSID enable Enabled
ESSID SSID-TEST
Encryption wpa2-aes
Enable Management Frame Protection Disabled
Require Management Frame Protection Disabled
DTIM Interval 1 beacon periods
802.11a Basic Rates 6 12 24
802.11a Transmit Rates 6 9 12 18 24 36 48 54
802.11g Basic Rates 1 2
802.11g Transmit Rates 1 2 5 6 9 11 12 18 24 36 48 54
Station Ageout Time 1000 sec
Max Transmit Attempts 8
RTS Threshold 2333 bytes
Short Preamble Enabled
Max Associations 64
Wireless Multimedia (WMM) Disabled
Wireless Multimedia U-APSD (WMM-UAPSD) Powersave Enabled
WMM TSPEC Min Inactivity Interval 0 msec
Override DSCP mappings for WMM clients Disabled
DSCP mapping for WMM voice AC (0-63) N/A
DSCP mapping for WMM video AC (0-63) N/A
DSCP mapping for WMM best-effort AC (0-63) N/A
DSCP mapping for WMM background AC (0-63) N/A
Multiple Tx Replay Counters Disabled
Hide SSID Disabled
Deny_Broadcast Probes Disabled
Local Probe Request Threshold (dB) 0
Auth Request Threshold (dB) 0
Disable Probe Retry Enabled
Battery Boost Disabled
WEP Key 1 N/A
WEP Key 2 N/A
WEP Key 3 N/A
WEP Key 4 N/A
WEP Transmit Key Index 1
WPA Hexkey N/A
WPA Passphrase ********
Maximum Transmit Failures 0
EDCA Parameters Station profile N/A
EDCA Parameters AP profile N/A
BC/MC Rate Optimization Disabled
Rate Optimization for delivering EAPOL frames Enabled
Strict Spectralink Voice Protocol (SVP) Disabled
High-throughput SSID Profile default
802.11g Beacon Rate default
802.11a Beacon Rate default
Video Multicast Rate Optimization default
Advertise QBSS Load IE Disabled
Advertise Location Info Disabled
Advertise AP Name Disabled
802.11r Profile N/A
Enforce user vlan for open stations Disabled
Enable OKC Enabled

Guru Elite

Re: PEAP Configuration with Controller as the Authentication server

You would have to uncheck "Validate Server Certificate" if the client does not have the controller's self-signed certificate in their Trusted Certificate Store (by default they do not).  You really should upload your own Server Certificate to the controller that your Users trust and have that server certificate be selected in the 802.1x profile.

 

An easier test would be to use a mobile device to connect first.  Windows is more unforgiving of untrusted certificates.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Guru Elite

Re: PEAP Configuration with Controller as the Authentication server

Why aren't you using a RADIUS server?


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP

Re: PEAP Configuration with Controller as the Authentication server

Hi Tim, 

 

Thanks for the response. 

Yep. My plan is to gradually integrate it with ISE. Please let me know if using Wireless Controller as the "Authentication Server" instead of a dedicated Radius/TACACS may have some ramifications.

MVP

Re: PEAP Configuration with Controller as the Authentication server

As always, thanks Joseph for your educative and helpful posts. 

 

I am quite new to the concepts of certificates. Below is the definition from Microsoft.

On a computer that has the Windows operating system installed, the operating system stores a certificate locally on the computer in a storage location called the certificate store. A certificate store often has numerous certificates, possibly issued from a number of different certification authorities (CAs).

Each of the system certificate stores has the following types:

  1. Local machine certificate store
    This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.
  2. Current user certificate store
    This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.

So for my client to successfully authenticate, the WLC should have a certificate that is already existing in the client's certificate store?

 

Below are amongst the licenses that I saw on my Windows client's certificate store (Comodo, IdenTrust, Symantec, Verisign, Microsoft, GoDaddy, GlobalSign, DigiCert, Certum, Entrust, Secom, Actalis ...). Will installing a certificate from any of these listed CAs on the controller help in clients validating the server certificate?

Will installing the certificate on the controller come with a cost?

[Attachment: CLient certificates.PNG] Certificates seen on Windows 10 client
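The check behind this question, as an added PowerShell example that is not part of the thread: given the controller's server certificate exported to a file (the path is a placeholder), it reports whether the issuer is present in the machine-wide or the per-user Trusted Root store, which are the two store types quoted above, and whether Windows can build a trusted chain for it. For a self-signed controller certificate the issuer is the certificate itself, so the chain only builds once that same certificate has been imported into Trusted Root Certification Authorities; a certificate issued by a CA already in the store (the list in the screenshot) builds without any import.

```powershell
# Added example, not from the thread: would this Windows client trust the
# server certificate the controller presents during PEAP?
# Assumes the controller's server certificate is saved as a .cer file and
# passed in -CertPath (placeholder; export it from the controller first).
param(
    [Parameter(Mandatory = $true)][string]$CertPath
)

$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

"Subject     : $($server.Subject)"
"Issuer      : $($server.Issuer)"
"Self-signed : $($server.Subject -eq $server.Issuer)"

# 1. Is the issuer (or the self-signed cert itself) in a Trusted Root store?
#    LocalMachine\Root is global to all users (HKLM); CurrentUser\Root is per user (HKCU).
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $store | Where-Object { $_.Subject -eq $server.Issuer }
    $state = if ($hit) { 'issuer present' } else { 'issuer NOT present' }
    '{0,-24} {1}' -f $store, $state
}

# 2. Build the chain the way the supplicant does; revocation is skipped so the
#    check also works offline and only answers the trust question.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($server)
"Chain builds to a trusted root: $trusted"
if (-not $trusted) {
    # UntrustedRoot is the status you get for an un-imported self-signed controller cert.
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation.Trim())" }
}
```

Run it as the user who will connect; if only CurrentUser\Root reports the issuer, other accounts on the same machine will still fail validation, which is the practical difference between the two store types.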

Guru Elite

Re: PEAP Configuration with Controller as the Authentication server

Do you already have a working 802.1x network, or is this a lab?


MVP

Re: PEAP Configuration with Controller as the Authentication server

Thanks Joseph for the response. 

 

My network so far has SSIDs with WPA2-PSKs only. This is the new test SSID that I am trying out in the production environment for EAP type as PEAP.
As suggested by you:

i) Will try on mobile devices and

ii) Also on Windows machines by unchecking the "verify the server's identity by validating the certificate" option, and will be sharing the results.

However, unchecking the "verify server's identity" option would be quite a cumbersome process, as when the SSID is moved to production it would need to be done on each Windows machine.

Could you also please help in clarifying the below queries:

1) Will just installing a certificate from a well-known CA on the controller help in relieving the additional task of manually "unchecking the server's certificate" option on Windows machines?

2) Based on the configuration that I have on my controller, the security type has to be "WPA2-Enterprise" & Encryption as "AES"?


[Attachment: Uncheck client cert.PNG]

Guru Elite

Re: PEAP Configuration with Controller as the Authentication server

If you want to ease your migration to production, you should use a Windows NPS server (free, unlike ISE).  Instructions are here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113  

 

If you have usernames and passwords on the controller, you must upload the server certificate to the controller, so I would use NPS, instead.

 

Installing a server certificate from a CA that your client trusts will avoid having to uncheck Validate, yes.  Preferably, it is a server certificate from the domain that the clients are already in.

 

WPA2 Enterprise is what is needed, yes.

 

 


MVP

Re: PEAP Configuration with Controller as the Authentication server

Thanks Joseph for your responses. It helped a lot.

 

I can associate the mobile devices (Android/iOS) fine.

As highlighted by you earlier, "Windows is more unforgiving of untrusted certificates" :). Have to manually create the profile and uncheck the "Verify the server's identity by validating the certificate" option for Windows clients.

 

[Attachment: Andriod.png]

Guru Elite

Re: PEAP Configuration with Controller as the Authentication server

If these are Windows Domain computers, the wireless settings (and the Validate Setting) can be configured via group policy.

