Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Radius Server

  • 1.  Radius Server

    Posted May 03, 2012 10:57 AM

    I'm having a problem setting up authentication to Microsoft AD. I'm thinking of setting up an Ubuntu 11.10 server as a RADIUS server with freeradius. I can't seem to find documentation on how to configure this. Any recommendations?



  • 2.  RE: Radius Server

    EMPLOYEE
    Posted May 03, 2012 11:16 AM

    Did you do a search for Windows 2008 in the forums?  There is a guide there...



  • 3.  RE: Radius Server

    Posted May 03, 2012 11:44 AM

    I'm new to airheads, feeling my way around.



  • 4.  RE: Radius Server

    Posted May 03, 2012 11:51 AM

    I did the search, but not finding anything on Linux Ubuntu freeradius.



  • 5.  RE: Radius Server

    Posted May 03, 2012 01:10 PM

    Hello,

     

    I developed an Aruba - Windows 2008 R2 RADIUS authentication system with 802.1X PEAP.

    I tried the same research in technet.microsoft.com or msdn, but there was not a good document.

     

    Here I am going to explain required steps for Windows 2008 R2 server:

     

    1. On Active directory or any member server (server which joins in the domain) install Active Directory Certificate Services

       On Server Manager click Add Roles

       Click Next to continue

       Choose Active Directory Certificate Services and click Next

       Click Next to continue

       Click Certification Authority and click Next

       Click Enterprise and click Next (Note: You need Windows 2008 R2 Enterprise version to choose Enterprise. If you have Windows 2008 R2 standard, you can only choose standalone)

       Click Root CA and click Next

       Choose Create a new private key and click Next

        Keep default values (RSA#Microsoft Software Key Storage Provider 2048 , SHA1) and click Next

       Keep the common name as displayed and click Next

       Set Validity period (5 Years for CA) and click Next

       Keep default values and click Next

       Confirm the setting values and click Install.

     

    2. On Active directory or any member server (server which joins in the domain) install Network Policy and Access Services

        On Server Manager screen click Add Roles

        Click Next to continue

        Click Network Policy and Access Services and click Next

        Click Next to continue

        Select Network Policy Server and click Next

        Click Install to install Network Policy and Access Services

        On Server Manager screen, open the left pane and click on NPS(Local). On Getting started screen, choose RADIUS server for 802.1X Wireless or Wired Connections and click Configure 802.1X

        Choose Secure Wireless Connections. Leave default name "Secure Wireless Connections" and click Next.

        Click Add to add RADIUS client.

        On New RADIUS client screen, type in Wireless controller's friendly name and IP address. Click on Manual radio button and type in shared secret. Shared secret should match with Wireless controller. [NOTE: Even if you specify a Loopback IP address on the Aruba controller, you should specify the Interface IP address here. For example, if your VLAN interface IP is 192.168.1.100 and Loopback (Controller IP) is 192.168.1.101, you still need to specify 192.168.1.100 here. You can confirm which IP address tries to speak to Windows 2008 R2 RADIUS by capturing a Wireshark trace. Filter TCP 1812 packets to narrow the captured packets.]

         Choose Microsoft PEAP. [Note: This article only mentions about PEAP. There is another EAP-TLS. ]

         Choose the certificate "servername.domainname". "domainname-servername-CA" is the CA certificate, and the CA certificate cannot be used for 802.1X. If you only see the CA certificate in the window, you need to create a server certificate manually. This is a known Windows 2008 R2 issue. Please refer to Windows Server Techcenter - Windows server forums - Network Access Protection - Having Issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2. Perform Mr. Greg Lindsay's step (Friday April 22, 2011 5:44pm) Try this:  to re-issue a certificate.

     

         Specify User Groups such as domainname\Domain Users. [Note: If user cannot be authenticated, you need to Allow each user's dial-in profile]

     

         Configure Traffic Controls - click Next.

         Click Finish to create NPS Policy.

     

         Aruba controller setting:

     

         Configuration - Security - Authentication - Server Group and add new server group "Win2008"

         Configuration - Security - Authentication - Radius server and add new radius server "Win2008RADIUS"

         On Win2008RADIUS setting, type in Host IP (Windows 2008's IP address). Type key, which should match with Windows 2008's RADIUS client. Click Apply

         Go back to Server Group Win2008 and under Servers click New. Choose Win2008RADIUS and click Add Server. Click Apply.

         Now you can test RADIUS authentication. Diagnostics - Network - AAA Test Server - Choose Win2008RADIUS in the server name. Choose MSCHAPv2. Type in Windows Active Directory's user and password and click Begin Test. If test is successful, your RADIUS configuration is right. If you set Wireshark trace, you can observe Radius request and Radius accept (TCP 1812) in the trace.

        

     

     

     



  • 6.  RE: Radius Server

    Posted May 03, 2012 01:17 PM

    The AD is Windows 2003 server



  • 7.  RE: Radius Server

    Posted May 03, 2012 01:23 PM

    If your server is Windows 2003 server, please refer to the article below.

    This says windows 2000 server, but configuration steps are same with windows 2003 server.

     

    http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/Security/SettingupWindows2000Radiustoauthenticatewireless802.1xclients.html



  • 8.  RE: Radius Server

    Posted May 03, 2012 01:34 PM

    Alternatively, Google "Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab" for a Microsoft guide. It's pretty easy.

     

    Tricky bit is importing certificates on servers where it's already got SSL stuff running without breaking it!!!!



  • 9.  RE: Radius Server

    Posted May 03, 2012 02:55 PM

    It took me blowing away 4 CentOS servers to get it running up to the point of creating a cert.  I used these web sites in order to get it running.  Good luck.

     

     

    http://itscblog.tamu.edu/joining-samba-to-a-windows-2008-r2-domain/

     

    http://deployingradius.com/documents/configuration/active_directory.html

     

    If you or someone can document the process into one, please let me know!!!!



  • 10.  RE: Radius Server

    Posted May 03, 2012 03:00 PM

    Thanks everyone. We are just trying to connect the Aruba 3400 to the AD 2003 server; first we tried LDAP, which didn't work, so now we are trying to configure RADIUS on the server.



  • 11.  RE: Radius Server

    Posted May 03, 2012 04:51 PM

    LDAP is a bit out-dated for most purposes. Event log on AD server is your friend.



  • 12.  RE: Radius Server

    Posted May 04, 2012 02:09 PM

    Worked with tech support yesterday, still not working.  He is analyzing tech dump.



  • 13.  RE: Radius Server

    Posted May 04, 2012 02:53 PM

    Are you trying with 802.1x PEAP authentication?

    Below is step by step guide.

     

     

    1. First you need to confirm that RADIUS works fine between Windows 2003 AD and Aruba controller:

     

    Diagnostics - Network - AAA Test Server - Choose windows server in the server name. Choose MSCHAPv2. Type in Windows Active Directory's user and password and click Begin Test. If test is successful, your RADIUS configuration is right. If you set Wireshark trace, you can observe Radius request and Radius accept (TCP 1812) in the trace.

     

     

    2. PC client had to be joined in the domain prior to the wireless connection.

     

    Once the PC joined in the AD domain, CA certificate is automatically installed.

    You can check if CA certificate is installed by Internet Explorer - Tools - Content - Certificates button.

    If you can find the CA certificate domainname-servername-CA in Intermediate Certification Authorities and Trusted Root Certification Authorities, the CA certificate is already installed.

     

     

    3. Network Connections - Wireless Network Connection - Wireless Networks Tab

    Select SSID in the list and click Properties.

    Association - WPA2 - AES

    Authentication - PEAP (Default is smart card) Click Properties

    If you want to connect anyway, unselect "Validate Server Certificate"

     

    I think the above is enough to connect using Windows 2003 PEAP.

    You also need to go to the user's properties in Active Directory and, under the Dial-in tab, "Allow" dial-in connection.

    Using domain user's userID and password, login the pc.

    Connect Wireless.

     

    If wireless icon says "Validating Identity" and does not connect, please check

    (1) If Aruba and Windows 2003 RADIUS server's connection is ok. Try until Diagnostics - Network - AAA Test Server is ok.

    (2) If Wireless property has smart card(EAP) instead of PEAP.

    (3) Dial-in is "Allow"

     

    Hope this helps.

     

     



  • 14.  RE: Radius Server

    EMPLOYEE
    Posted May 04, 2012 04:25 PM

    @fguarner wrote:

    Worked with tech support yesterday, still not working.  He is analyzing tech dump.


    What is not working, and where are you stuck?

     

    Appendix D in the ArubaOS user guide has step by step instructions on how to set it up with Windows 2003.  Maybe you can go over those and see if you have everything in place.

     



  • 15.  RE: Radius Server

    Posted May 05, 2012 12:11 AM

    Windows 2003 IAS is loads easier to set up than 2008 NPS.

     

    I found that almost any time I had an issue with the NPS set up it was certificate related.  What works for us is installing the IIS management console on the server we want to use for radius (and not installing IIS itself) and generating a CSR, sending it off to godaddy, and using that.  Once we started doing that I haven't had many issues with the certs.

     

    You will have to use the certificates MMC, you can't just right click on the cert and select 'install'.  It will show up in the list of certs for NPS to use for EAP but it won't work.



  • 16.  RE: Radius Server

    Posted May 05, 2012 09:16 AM

    I've seen these problems before with MS servers. Usually, if a reboot doesn't clear it, you need to try importing the cert again. If you can't choose it within the IAS/NPS drop down box (where you pick a cert), it means NPS doesn't think the certificate is fit for purpose (it needs to be marked for server and client auth purpose). If it shows it in the list, but it still doesn't work, look in the event logs. Most often, problems at this point are MS bug related. Pull out the event ID and Google it.

     

    Cheers.
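
Several replies above (5, 15 and 16) trace PEAP failures to the server certificate: a CA certificate offered instead of a server certificate, a certificate imported without its private key, or one not marked for the right purpose. The following PowerShell is an added example, not code from the thread or from Microsoft or Aruba; it lists the certificates in the RADIUS server's local machine Personal store and reports which of those conditions each one fails. The function name `Test-PeapServerCertificate` is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the NPS/IAS server.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication

function Test-PeapServerCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $ekuOids = @()
        $isCa = $false
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                # Collect the purpose OIDs the certificate is marked for.
                $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                $isCa = $ext.CertificateAuthority
            }
        }

        $problems = @()
        if ($isCa) { $problems += 'CA certificate, not a server certificate' }
        if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }
        if ($ekuOids -notcontains $ServerAuthOid) { $problems += 'Server Authentication EKU not listed' }
        $now = Get-Date
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems += 'outside validity period'
        }

        New-Object PSObject -Property @{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            ClientAuth = ($ekuOids -contains $ClientAuthOid)   # reported only; reply 16 mentions both purposes
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Check every certificate in the local machine Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    Test-PeapServerCertificate |
    Select-Object Subject, Usable, ClientAuth, Problems, Thumbprint |
    Format-List
```

A certificate that passes these checks can still fail for reasons this script does not test, such as a subject name that does not match the server or a chain the clients do not trust; the NPS/IAS event log remains the place to confirm.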