Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

PEAP Configuration with Controller as the Authentication server

  • 1.  PEAP Configuration with Controller as the Authentication server

    Posted Jan 25, 2018 01:44 PM

    Hello Experts, 

     

    I have created a VAP profile with WPA2-AES & EAP type as PEAP. I need to have simple password/username based authentication. The problem I am facing is that after supplying the credentials, the users are stuck in connecting. It appears the users are trying to validate the server certificate. 

    How can we manage to have a successful client association in this case?

    User authentication.PNG

    Below is the WLC configuration:

    (WLC_0001) #show aaa profile Local-dot1x-aaaProfile-Test

    AAA Profile "Local-dot1x-aaaProfile-Test"
    -----------------------------------------
    Parameter Value
    --------- -----
    Initial role logon
    MAC Authentication Profile N/A
    MAC Authentication Default Role guest
    MAC Authentication Server Group default
    802.1X Authentication Profile Local-Dot1x-Test
    802.1X Authentication Default Role guest
    802.1X Authentication Server Group internal
    Download Role from CPPM Disabled
    Set username from dhcp option 12 Disabled
    L2 Authentication Fail Through Disabled
    Multiple Server Accounting Disabled
    User idle timeout N/A
    Max IPv4 for wireless user 2
    RADIUS Accounting Server Group N/A
    RADIUS Interim Accounting Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    SIP authentication role N/A
    Device Type Classification Enabled
    Enforce DHCP Disabled
    PAN Firewall Integration Disabled
    Open SSID radius accounting Disabled

     

    (WLC_0001) #show wlan virtual-ap VAP-TEST

    Virtual AP profile "VAP-TEST"
    ----------------------------------
    Parameter Value
    --------- -----
    AAA Profile Local-dot1x-aaaProfile-Test
    802.11K Profile default
    Hotspot 2.0 Profile N/A
    SSID Profile SSID-TEST
    Virtual AP enable Enabled
    VLAN 231
    Forward mode bridge
    Allowed band all
    Band Steering Disabled
    Cellular handoff assist Disabled
    Steering Mode prefer-5ghz
    Dynamic Multicast Optimization (DMO) Disabled
    Dynamic Multicast Optimization (DMO) Threshold 6
    Drop Broadcast and Unknown Multicast Disabled
    Convert Broadcast ARP requests to unicast Enabled
    Authentication Failure Blacklist Time 3600 sec
    Blacklist Time 3600 sec
    Deny inter user traffic Disabled
    Deny time range N/A
    DoS Prevention Disabled
    HA Discovery on-association Enabled
    Mobile IP Enabled
    Preserve Client VLAN Disabled
    Remote-AP Operation standard
    Station Blacklisting Enabled
    Strict Compliance Disabled
    VLAN Mobility Disabled
    WAN Operation mode always
    FDB Update on Assoc Disabled
    WMM Traffic Management Profile N/A
    Anyspot profile N/A

     

    dot1x authentication profile.PNG

    (WLC_0001) #show wlan ssid-profile SSID-TEST

    SSID Profile "SSID-TEST"
    ------------------------
    Parameter Value
    --------- -----
    SSID enable Enabled
    ESSID SSID-TEST
    Encryption wpa2-aes
    Enable Management Frame Protection Disabled
    Require Management Frame Protection Disabled
    DTIM Interval 1 beacon periods
    802.11a Basic Rates 6 12 24
    802.11a Transmit Rates 6 9 12 18 24 36 48 54
    802.11g Basic Rates 1 2
    802.11g Transmit Rates 1 2 5 6 9 11 12 18 24 36 48 54
    Station Ageout Time 1000 sec
    Max Transmit Attempts 8
    RTS Threshold 2333 bytes
    Short Preamble Enabled
    Max Associations 64
    Wireless Multimedia (WMM) Disabled
    Wireless Multimedia U-APSD (WMM-UAPSD) Powersave Enabled
    WMM TSPEC Min Inactivity Interval 0 msec
    Override DSCP mappings for WMM clients Disabled
    DSCP mapping for WMM voice AC (0-63) N/A
    DSCP mapping for WMM video AC (0-63) N/A
    DSCP mapping for WMM best-effort AC (0-63) N/A
    DSCP mapping for WMM background AC (0-63) N/A
    Multiple Tx Replay Counters Disabled
    Hide SSID Disabled
    Deny_Broadcast Probes Disabled
    Local Probe Request Threshold (dB) 0
    Auth Request Threshold (dB) 0
    Disable Probe Retry Enabled
    Battery Boost Disabled
    WEP Key 1 N/A
    WEP Key 2 N/A
    WEP Key 3 N/A
    WEP Key 4 N/A
    WEP Transmit Key Index 1
    WPA Hexkey N/A
    WPA Passphrase ********
    Maximum Transmit Failures 0
    EDCA Parameters Station profile N/A
    EDCA Parameters AP profile N/A
    BC/MC Rate Optimization Disabled
    Rate Optimization for delivering EAPOL frames Enabled
    Strict Spectralink Voice Protocol (SVP) Disabled
    High-throughput SSID Profile default
    802.11g Beacon Rate default
    802.11a Beacon Rate default
    Video Multicast Rate Optimization default
    Advertise QBSS Load IE Disabled
    Advertise Location Info Disabled
    Advertise AP Name Disabled
    802.11r Profile N/A
    Enforce user vlan for open stations Disabled
    Enable OKC Enabled



  • 2.  RE: PEAP Configuration with Controller as the Authentication server

    EMPLOYEE
    Posted Jan 25, 2018 03:03 PM

    You would have to uncheck "Validate Server Certificate" if the client does not have the controller's self-signed certificate in their Trusted Certificate Store (by default they do not).  You really should upload your own Server Certificate to the controller that your Users trust and have that server certificate be selected in the 802.1x profile.

     

    An easier test would be to use a mobile device to connect first.  Windows is more unforgiving of untrusted certificates.



  • 3.  RE: PEAP Configuration with Controller as the Authentication server

    EMPLOYEE
    Posted Jan 25, 2018 03:16 PM

    Why aren't you using a RADIUS server?



  • 4.  RE: PEAP Configuration with Controller as the Authentication server

    Posted Jan 26, 2018 12:33 AM

    Hi Tim, 

     

    Thanks for the response. 

    Yep. My plan is to gradually integrate it with ISE. Please let me know if using Wireless Controller as the "Authentication Server" instead of a dedicated Radius/TACACS may have some ramifications.



  • 5.  RE: PEAP Configuration with Controller as the Authentication server

    Posted Jan 26, 2018 12:53 AM

    As always, thanks Joseph for your educative and helpful posts. 

     

    I am quite new to the concepts of certificates. Below is the definition from Microsoft.

    On a computer that has the Windows operating system installed, the operating system stores a certificate locally on the computer in a storage location called the certificate store. A certificate store often has numerous certificates, possibly issued from a number of different certification authorities (CAs).

    Each of the system certificate stores has the following types:

    1. Local machine certificate store
      This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.
    2. Current user certificate store
      This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.

    So for my client to successfully authenticate, the WLC should have a certificate that is already existing in the client's certificate store?

     

    Below are some of the licenses that I saw in my Windows client's certificate store (Comodo, IdenTrust, Symantec, Verisign, Microsoft, GoDaddy, GlobalSign, DigiCert, Certum, Entrust, Secom, Actalis ...). Will installing a certificate from any of these listed CAs on the controller help the clients validate the server certificate?

    Will installing the certificate on the controller come with a cost?

    Certificates seen on Windows 10 client



  • 6.  RE: PEAP Configuration with Controller as the Authentication server

    EMPLOYEE
    Posted Jan 26, 2018 05:39 AM

    Do you already have a working 802.1x network, or is this a lab?



  • 7.  RE: PEAP Configuration with Controller as the Authentication server

    Posted Jan 27, 2018 12:53 AM

    Thanks Joseph for the response. 

     

    My network so far has SSIDs with WPA2-PSK only. This is the new test SSID that I am trying out in the production environment with EAP type PEAP. 
    As suggested by you:

    i) Will try on mobile devices and

    ii) Also on Windows machines by unchecking "verify the server's identity by validating the certificate", and will be sharing the results.

    However, unchecking "verify server's identity" would be quite a cumbersome process, as when the SSID is moved to production it would be required to be done on each Windows machine. 

    Could you also please help in clarifying the below queries:

    1) Will just installing a certificate from a well-known CA on the controller help in relieving the additional task of manually unchecking the "validate the server's certificate" option on Windows machines?

    2) Based on the configuration that I have on my controller, the security type has to be "WPA2-Enterprise" & Encryption as "AES"?


    Uncheck client cert.PNG



  • 8.  RE: PEAP Configuration with Controller as the Authentication server
    Best Answer

    EMPLOYEE
    Posted Jan 27, 2018 06:01 AM

    If you want to ease your migration to production, you should use a Windows NPS server (free, unlike ISE).  Instructions are here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113  

     

    If you have usernames and passwords on the controller, you must upload the server certificate to the controller, so I would use NPS, instead.

     

    Installing a server certificate from a CA that your client trusts will avoid having to uncheck Validate, yes.  Preferably, it is a server certificate from the domain that the clients are already in.

     

    WPA2 Enterprise is what is needed, yes.



  • 9.  RE: PEAP Configuration with Controller as the Authentication server

    Posted Jan 29, 2018 05:58 AM

    Thanks Joseph for your responses. It helped a lot.

     

    I can associate the mobile devices (Android/iOS) fine. 

    As highlighted by you earlier, "Windows is more unforgiving of untrusted certificates" :). I have to manually create the profile and uncheck "Verify the server's identity by validating the certificate" for the Windows client.

     

    Andriod.png



  • 10.  RE: PEAP Configuration with Controller as the Authentication server

    EMPLOYEE
    Posted Jan 29, 2018 06:15 AM

    If these are Windows Domain computers, the wireless settings (and the Validate Setting) can be configured via group policy.



  • 11.  RE: PEAP Configuration with Controller as the Authentication server

    EMPLOYEE
    Posted Jan 29, 2018 09:30 AM

    Unchecking validate server certificate puts all of your users' credentials at risk. I would recommend working with your ClearPass partner to properly deploy a secure environment.



  • 12.  RE: PEAP Configuration with Controller as the Authentication server

    Posted Feb 11, 2018 01:32 AM

    Thanks Tim, Noted.

    Under Termination EAP-Type option, we can enable both EAP types: TLS & PEAP. 

    With this shall we be able to support both termination types on the same SSID? 

     

    My preference is EAP-TLS; however, there are certain client types on which enabling EAP-TLS would be a lot more complicated in my deployment, so for these device types I would want to have them authenticate via EAP-PEAP, but on the same SSID.

    Apart from the possibility, what is the recommendation?

     

    multiple EAP termination types under 802.1x authentication profile.PNG



  • 13.  RE: PEAP Configuration with Controller as the Authentication server

    EMPLOYEE
    Posted Feb 11, 2018 08:27 AM

    The recommendation is to disable termination and do the EAP-PEAP/TLS on your own radius server, because it is much more flexible.  You also cannot do machine authentication with termination in most circumstances, so that is another reason to not use termination on the controller.

     

    Termination on the controller was from way back in the day when having or installing a radius server was costly or prohibitive.  If you already have a Microsoft shop, each server comes with a free NPS server which will do what you need.  Detailed instructions for installing NPS are here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113