Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

does server fail through require termination?

  • 1.  does server fail through require termination?

    Posted Jul 14, 2013 03:45 PM

    I'm working on a scenario where I need RADIUS server fail-through. I configured two different RADIUS servers in a server group and turned on fail-through. For some reason the GUI acted up, so I tried to configure it via the CLI and got this message:

    (Aruba650-TestLab) (Server Group "nps-test_srvgrp-fto67") #allow-fail-through
    Info : Failthrough cant happen for dot1x without termination

    This confused me, as in this thread it is mentioned that termination isn't required. So what is the deal, do I need to terminate on the controller or not?



  • 2.  RE: does server fail through require termination?
    Best Answer

    EMPLOYEE
    Posted Jul 14, 2013 11:41 PM

    The answer is yes.

    Fail-through would only be useful if the RADIUS servers authenticate users in different databases. If both RADIUS servers point to the same domain, however, it would force the second server to process the same failed authentication, increasing authentication time.

    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-614



  • 3.  RE: does server fail through require termination?

    Posted Jul 15, 2013 03:30 AM

    Thank you cjoseph. If possible, could that be added to the knowledge base article? After I checked again, the user guide certainly mentions it.

    In this scenario I'm working with two different RADIUS sources (databases), so fail-through seems the way to go. But if termination is required, then I will have to look into configuring that first.



  • 4.  RE: does server fail through require termination?

    Posted Jul 17, 2013 08:55 AM

    I'm not 100% sure about my termination configuration. How would I set it up with two normal RADIUS servers in the server group? Even though it is terminated on the controller, will the content of the request be forwarded to the RADIUS server in the server group? How does the controller handle the certificate sent by the RADIUS server, does it trust any certificate?



  • 5.  RE: does server fail through require termination?
    Best Answer

    EMPLOYEE
    Posted Jul 17, 2013 01:19 PM

    Just the authentication is forwarded to the RADIUS server. The controller handles the EAP portion of the request. All your clients in both domains need to trust the CA of the Controller's server certificate or the Controller Server Certificate specifically.



  • 6.  RE: does server fail through require termination?

    Posted Jul 17, 2013 03:06 PM

    That is clear cjoseph.

    All this unfortunately doesn't bring me closer to my goal. I have a scenario where there is an old CA and a new CA, and I want to provide access for both on a single SSID for a while without having to make changes on the clients.

    Is there, for the server side, any other way than to also load the old CA root cert on the new devices and keep using the server cert from the old CA until all old clients are gone, and then switch?

    And for the client side, is it possible to trust two CAs in the dot1x termination profile? I tried to put two root certs in a single file and load it, but the controller only sees the first it seems; the principle of a bundle is missing for me.



  • 7.  RE: does server fail through require termination?

    EMPLOYEE
    Posted Jul 17, 2013 03:32 PM

    On the client side, if you have "Validate Server Certificate" checked, you would only have to have the Root Cert for the Server Certificate on the Controller in that list. You could also easily distribute the CA cert to that trust list via group policy... http://technet.microsoft.com/en-us/library/cc738131(v=WS.10).aspx



  • 8.  RE: does server fail through require termination?

    Posted Jul 18, 2013 05:08 AM

    Sorry, I meant the server / client side on the controller.

    With termination the Aruba controller acts as the RADIUS server for the wireless client, but as a RADIUS client towards the actual RADIUS server, right?

    So what server certificate does it accept from the actual RADIUS server? Any, or do I need to import the root CA of that server certificate?

    And where the Aruba controller acts as RADIUS server, it accepts client certificates from the configured CA in the dot1x profile (with termination), right? Is it possible to allow multiple CAs somehow?



  • 9.  RE: does server fail through require termination?
    Best Answer

    EMPLOYEE
    Posted Jul 18, 2013 07:02 AM

    @boneyard wrote:

    Sorry, I meant the server / client side on the controller.

    With termination the Aruba controller acts as the RADIUS server for the wireless client, but as a RADIUS client towards the actual RADIUS server, right?

    With termination on, the Aruba Controller does the EAP termination and passes the RADIUS authentication on to the RADIUS server. The only difference from a regular setup is that the controller presents the RADIUS server certificate to the client (oversimplifying of course).

    So what server certificate does it accept from the actual RADIUS server? Any, or do I need to import the root CA of that server certificate?

    The RADIUS server does not participate in the certificate process when termination is on. The controller presents its uploaded or factory RADIUS server certificate to the client.

    And where the Aruba controller acts as RADIUS server, it accepts client certificates from the configured CA in the dot1x profile (with termination), right? Is it possible to allow multiple CAs somehow?

    It is not possible to allow multiple CAs.

    You would do termination to move the computationally resource-intensive process of EAP termination from the RADIUS server to the controller. You would also do this to provide fail-through for multiple RADIUS servers. The drawback of termination is that devices do not pass machine authentication when termination is enabled. Please see the thread here: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1262

    Please also see questions answered about Fail-Through and termination here: http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Radius-Fail-through-and-802-1x-Machine-Authentication/m-p/12186#M478



  • 10.  RE: does server fail through require termination?

    Posted Jul 18, 2013 02:34 PM

    Thanks again cjoseph, I believe I now know almost all there is to know about termination :)

    I was able to handle my scenario within NPS without needing termination.



  • 11.  RE: does server fail through require termination?

    Posted Feb 15, 2019 02:23 PM

    I'd like to know what the termination properties would need to be set to in order to get this setup as well. We actually had one of our NPS servers' certificates expire, which stopped it processing authentication requests, and it did not fall back to the other server. Load balance was turned on, but only a handful of users were able to reauthenticate. So I cannot say I completely agree with this statement.



  • 12.  RE: does server fail through require termination?

    EMPLOYEE
    Posted Feb 15, 2019 06:39 PM

    If you have two servers, both authenticating the same sets of users, that is not the application for fail-through. Fail-through only goes to the second server if the first RADIUS server rejects the user (bad username and password). If the user is doing EAP-PEAP and the certificate on the RADIUS server is wrong, that is not a server reject: that is the client rejecting the RADIUS server. In that scenario, the client will just terminate the connection and the second RADIUS server will not be tried.

    Load balance also does not apply in that scenario, because as long as a RADIUS server is in service, the controller will continue to authenticate the user with the RADIUS server that they first authenticated with.
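As an added illustration, not code from this thread or from HPE Aruba Networking, the Python model below encodes the rules cjoseph gives in posts 2, 9 and 12: fail-through moves to the next server only on an Access-Reject, a bad server certificate without termination is a client-side abort that never reaches the second server, and with termination the RADIUS server's certificate drops out of the exchange. The server names, usernames and the `cert_valid` flag are constructed assumptions.

```python
# Simplified simulation of server-group fail-through behaviour as described in
# the thread above; not controller code. Server names and users are made up.
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    users: set                  # usernames this server's database can authenticate
    cert_valid: bool = True     # its EAP-PEAP server certificate, as judged by the client


@dataclass
class ServerGroup:
    servers: list
    fail_through: bool = False  # the "allow-fail-through" setting from post 1


def authenticate(group, user, termination=False):
    """Return (outcome, names of servers consulted), applying the thread's rules:

    - Fail-through moves to the next server only after an Access-Reject (post 12).
    - Without termination, a bad server certificate is the client rejecting the
      server; the session aborts and no further server is tried (post 12).
    - With termination the controller presents its own certificate, so the RADIUS
      server's certificate never enters the exchange (post 9).
    """
    tried = []
    for srv in group.servers:
        tried.append(srv.name)
        if not termination and not srv.cert_valid:
            return "client-abort", tried
        if user in srv.users:
            return "accept", tried
        if not group.fail_through:      # Access-Reject ends the attempt
            return "reject", tried
    return "reject", tried              # every server rejected the user


# Constructed scenario from post 3: two servers backed by different databases.
OLD_DOMAIN = RadiusServer("nps-old", {"alice"})
NEW_DOMAIN = RadiusServer("nps-new", {"bob"})
GROUP_FT = ServerGroup([OLD_DOMAIN, NEW_DOMAIN], fail_through=True)
GROUP_NO_FT = ServerGroup([OLD_DOMAIN, NEW_DOMAIN], fail_through=False)
# Constructed scenario from post 11: the first server's certificate has expired.
GROUP_EXPIRED = ServerGroup([RadiusServer("nps-old", {"alice"}, cert_valid=False),
                             NEW_DOMAIN], fail_through=True)
```

Running `authenticate(GROUP_EXPIRED, "alice")` returns a client abort after only `nps-old`, which is the behaviour reported in post 11; an unknown user against `GROUP_FT` is rejected by both servers in turn, the wasted second attempt post 2 warns about when both servers share a database.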