Wireless Access

Hi team, me again.

My problem here is that,I need to configure the controller (Aruba 800) to permit the users login into the company domain without intervention of them.
Is any way to perform this task with a minimal installation of extra soft in the users PC´s.
I could install an LDAP server authentication but I installed the APT-GTC plugin to permit me use this kind of authentication.
Reading the documentation I found that I can use a RADIUS server and install certificates in the controller and users' PC´s.

A year ago a similar scheme was installed in the controller and the users, used WPA & TKIP for authentication (this is all the info I´ve got), but the old company erased all the configurations and we are using a password authentication scheme

I need the users does not type their credentials and the controller should recongnize taht the users belongs to the domain.

Sorry for my english, if you need to more info I will try to explain better!

You need to move away from LDAP and the GTC plugin.  It is only for users who must use LDAP.  Computers that use Active Directory do not need to do that.

The ArubaOS user guide in the back appendix says how to install both the server and client side on Windows to support radius.  Their method will allow domain machines to login without intervention.  If you have Windows 2003 server, check out the post here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-IAS-Radius-Server-from/m-p/14391/highlight/true#M6112

cjoseph

thanks again for your help! I will check the info you've send me!

Regards.

I generally learn towards IAS or NPS in the  MS Server itself. It's a direct tie in to AD groups and windows supports EAP and MSChap natively. There is also a WZC (windows zero config) tool on our support site somewhere that can help with setting up the windows clients for 802.1x. LDAP is so limited and like you said, you need to load IGTC clients to use LDAP.

Team, can I implement a RADIUS scheme over a windows 2008 server?

I mean, the porceess to set up the services are the same?

Absolutely. Yes. I believe in 2008 it is regarded as NPS, and is simply the Radius front end to Active Directory. We have a document somewhere that outlines the steps to set up NPS in Server 2008.

search for this:

Step-by-Step: How to Configure Microsoft NPS 2008 Radius Serverfrom Scratch

and you'll find that document for setting up NPS 2008.

Thanks very much team! I'm going to check that!

Hi team..me again!

Sorry for the delayed answer. I could install a RADIUS server on a Win 2003 server. I tested the connection to the RADIUS via

Diagnostic ---> AAA Test Server

and I could test it in a succesfull way (but only in PAP authentication method ¿is this ok?).

I could not loggin myself to the wireless network. When I try to logging I can see a message in the wireless network list which says:

Validating identity

Security-enabled wireless network (WPA2)

How can I trace the error? I think I have a missconfigured item or something that I do not perform but I dont know where.

Your remote access policy on the IAS server needs to have MsCHAPv2 enabled, in addition to pap.

After you do that, your AAA test server should work.  MsChapv2 is what clients use to connect and needs to be enabled in the remote access policy.

cjoseph, the configuration in the IAS is already done.

But I still can't loggin.

also, From the Diagnostic ---> AAA Test Server, The test went wrong with MSCHAPv2 authentication method.

Well, you need to look in the eventviewer on IAS in System and see why it is failing.  That will tell you exactly why things are not going right.

cjoseph

I can see this logs from 2003 event viewer server

User jhon doe was denied access.
 Fully-Qualified-User-Name = ********************************************
 NAS-IP-Address = xx.xx.xx.xx
 NAS-Identifier = <not present>
 Called-Station-Identifier = 000B86524250
 Calling-Station-Identifier = 000000000000
 Client-Friendly-Name = arcorwac001
 Client-IP-Address = xx.xx.xx.xx

NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = Aruba User
 Authentication-Type = MS-CHAPv2
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

I do not understan if the error is in te 2003 server or in the client who wants to loggin

Okay,  I would try unchecking "Validate Server Certificate" in the Client Configuration.

Hi cjoseph, I tryed without "Validate Server Certificate" and still I can't connect. I tryed with different networks authentications and data encryption, WPA2-TKIP and WPA-TKIP (I thought at some point that was the problem) and still nothing. I think my problem is the RADIUS config. I can't perform the Diagnostic --- AAA Test Server with MSCHAPv2 authentication method in a succesfully way. Yesterday I could find some other messages from the Event Viewer:

Could not retrieve the Remote Access Server's certificate due to the  following error: Cannot find object or property.

Because no certificate has been configured for clients dialing in with EAP-TLS, a default certificate is being sent to user apex\crespima. Please go to the user's Remote Access Policy and configure the Extensible Authentication Protocol (EAP).

So I think I should aim to the RADIUS first.

mcrespillo, did you follow the step-by-step guide for setting this up?  There is one on this website and another in the appendix in the user guide.  

Also, only use WPA2-AES, because 802.11n cannot work with TKIP.

well, I'm not the Domain Controllers sysadmin, I downloaded the info you gave me and I gave it to our sysadmin. I will talk to him nad will try to follow the steps one by one again and try to resolve de issue. Do you think the problem is there? also I followed the issue with our Aruba provider and as he could check, everything is ok in the Aruba side.

About the 802.11n, we do not use this protocol, so its ok.

cjoseph, I could resolve the RADIUS problem, now I can test in sucefully way the AAA test server with MSCHAPv2. My problem now is that I have this message in the Debug Process Log window:

|authmgr| |aaa| RADIUS server APEXRadius-10.30.5.13-1812 timeout for client=00:1b:77:30:c0:77 auth method 802.1x

why I have this message if I could connect successfully egainst the RADIUS in the controller?

Once again, check the eventviewer to see if the radius server is even receiving the radius authentication request.

From the event viewer I have this messages:

Because no certificate has been configured for clients dialing in with EAP-TLS, a default certificate is being sent to user apex\crespima. Please go to the user's Remote Access Policy and configure the Extensible Authentication Protocol (EAP).

Could not retrieve the Remote Access Server's certificate due to the  following error: Cannot find object or property.

Access request for user APEX\crespima was discarded.
 Fully-Qualified-User-Name = apex.local/AR/COR4/APEX/Admin/Marco Crespillo
 NAS-IP-Address = xx.yy.zz.qqq
 NAS-Identifier = xx.yy.zz.qqq
 Called-Station-Identifier = 000B86524250
 Calling-Station-Identifier = 001B7730C077
 Client-Friendly-Name = ArubaController800
 Client-IP-Address = zz.xx.vv.rrr
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Reason-Code = 23
 Reason = Unexpected error. Possible error in server or client configuration.

this all 3 messagges repeats everytime I try to loggin.

You should add PEAP to the Remote access policy on the radius server, even if you don't have a certificate.  Also make sure you have 802.1x termination on in the 802.1x profile on the controller.  Make sure your client is also configured with PEAP.

GREAT!!!!! it is working now cjoseph!!!!!

Thanks very much for your help. I just activate the 802.1x termination on the controller and started to works!

Thanks again for your help!

Glad we could finally get it to work!