Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

how to configure 802.1x with radius ?

  • 1.  how to configure 802.1x with radius ?

    Posted Jan 06, 2016 11:04 AM

    Hello everyone,

     

    I am trying to configure 802.1X on an AP-225 with a RADIUS server. The AP can see the RADIUS server and communicates with it, but it doesn't match the wanted RADIUS policy.

    AP version: 6.4.2.6-4.1.1.11

     

    Here is my SSID conf:

    [image: networkaruba.PNG]

    [image: ssidsecurity.PNG]

    RADIUS config:

    [image: confradius.PNG]

    The RADIUS server is a Windows Server 2008 R2.

    My RADIUS policy:

    - Condition:

    [image: conditionradius.PNG]

    - Constraint:

    [image: constraint.PNG]

    - Attributes:

    [image: vlanradius.PNG]

     

    When I try to connect to the SSID, I expect it to work with my RADIUS policy, but it works with the default RADIUS policy. So RADIUS asks for credentials, while I want it to verify the certificate of the machine.

    Conditions are met:

    - Same station ID

    - good Windows groups

    - good NAS Port type

    Does anyone have an idea? An omission in the RADIUS and/or SSID config?

    PS: access logs on the RADIUS server:

    [image: radiusevent1.PNG]

    [image: radiusevent2.PNG]

    [image: radiusevent3.png]



  • 2.  RE: how to configure 802.1x with radius ?

    EMPLOYEE
    Posted Jan 06, 2016 11:47 AM

    You need to add an authentication of MsChapV2 or PEAP, instead of Smartcard or other certificate.



  • 3.  RE: how to configure 802.1x with radius ?

    Posted Jan 06, 2016 11:58 AM

    I want it to work with device certificate, not with authentication.



  • 4.  RE: how to configure 802.1x with radius ?

    Posted Jan 06, 2016 12:24 PM

    How does the device wireless profile look?



  • 5.  RE: how to configure 802.1x with radius ?
    Best Answer

    EMPLOYEE
    Posted Jan 06, 2016 12:26 PM

    Did you already issue a certificate to your client?

    The IAP configuration is agnostic to what is configured on your client and RADIUS server. What is configured on the RADIUS server and the client must match. The IAP configuration is straightforward. Just make sure you are not enabling termination on the IAP RADIUS configuration. The client must have "smartcard or other certificate" configured and have a device certificate issued to it. You have most of the messages blurred out, so it is hard to say what your problem is.



  • 6.  RE: how to configure 802.1x with radius ?

    Posted Jan 07, 2016 05:20 AM

    First, thanks a lot for the help.

    I had a problem with the device wireless profile. It used the user certificate instead of the machine certificate.

    I misspoke: it is not a device certificate but a machine certificate.

    Now I can see the machine certificate in the access logs of the RADIUS server, but it still doesn't match the wanted policy. I think the calling station ID condition is wrong; I put .:SSID_NAME$ like I do with Cisco APs, but it's probably not the right syntax.

    Or maybe it's a client/AP config problem. I will try to explain myself; now I have this in the access logs:

    [image: radiusevent4.PNG]

    And I expect a CalledStationID like this: @MAC:<SSID_name>. That's probably why it doesn't match. Is something missing in the SSID configuration?

    Sorry for the blurred messages, I don't make company policy. What information do you want to see?

    PS: hope you can't read my English :D



  • 7.  RE: how to configure 802.1x with radius ?

    EMPLOYEE
    Posted Jan 07, 2016 07:43 AM

    The @mac:SSID syntax is wrong. Aruba Instant does not send that information as the username. You should remove all of the rules and just get it to authenticate, first. When you do that, you can then enforce rules. If anything, you can just filter by the nas-ip, if you just want to make sure the Instant AP hits a specific rule first.



  • 8.  RE: how to configure 802.1x with radius ?

    Posted Jan 07, 2016 09:15 AM

    With only a condition on the NAS IP, the AP hits a specific rule. But RADIUS refuses the connection:

    [image: radiusevent5.PNG]

    I am a bit lost with all the explanations I find on Google.

    EDIT: this comes from an outdated certificate.

     



  • 9.  RE: how to configure 802.1x with radius ?

    EMPLOYEE
    Posted Jan 07, 2016 01:31 PM
    Make sure that the radius shared secret is the same.


  • 10.  RE: how to configure 802.1x with radius ?
    Best Answer

    Posted Jan 07, 2016 09:46 PM

    The 262 error you are seeing usually means the client had an issue validating the RADIUS server certificate. Try to disable the "Validate server certificate" on the client supplicant. If you are able to authenticate at that point, you'll need to take a look at the certificate installed to the NPS server that is used on that NPS policy. Likely reasons are that the client does not trust it or perhaps it is expired, etc.
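
One way to check the certificate condition described in the reply above, run on the NPS host. This is an added example, not part of the original thread: it lists the certificates in the local machine store that carry the Server Authentication EKU and flags expired or soon-to-expire ones, so the server certificate can be fixed without leaving server validation disabled on clients. The store location (LocalMachine\My) and the 30-day warning threshold are assumptions.

```powershell
# Added example: audit server-authentication certificates on the NPS host.
# Assumption: the certificate selected in the NPS policy lives in LocalMachine\My.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID for TLS server authentication
$warnDays      = 30                    # constructed warning threshold
$now           = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Read the EKU OIDs from the raw extension so this also works on
    # PowerShell 2.0, the version shipped with Windows Server 2008 R2.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Keep only certificates whose EKU lists Server Authentication.
    if ($ekuOids -notcontains $serverAuthOid) { return }

    # Classify by validity window relative to the current time.
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    if     ($now -lt $cert.NotBefore) { $status = 'NOT YET VALID' }
    elseif ($daysLeft -lt 0)          { $status = 'EXPIRED' }
    elseif ($daysLeft -lt $warnDays)  { $status = 'EXPIRING SOON' }
    else                              { $status = 'OK' }

    New-Object PSObject -Property @{
        Status        = $status
        DaysLeft      = $daysLeft
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey   # the server needs the private key to use the certificate
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer          # clients must trust this issuer to validate the server
        Thumbprint    = $cert.Thumbprint
    }
} | Sort-Object NotAfter |
    Format-Table Status, DaysLeft, NotAfter, HasPrivateKey, Subject, Issuer, Thumbprint -AutoSize
```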

     

     



  • 11.  RE: how to configure 802.1x with radius ?
    Best Answer

    Posted Jan 08, 2016 04:33 AM

    Yes, as I said, the server certificate was expired. I renewed the certificate and now it works.

    I will continue configuring to do what I want: a different network policy for each SSID, one particular VLAN for each SSID. If I have problems, I will come back to you.

    Thanks a lot for the help.

     

     



  • 12.  RE: how to configure 802.1x with radius ?

    Posted Jan 09, 2016 06:08 AM

    Great that you solved it. Next time, please use the AAA section for authorization questions:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/bd-p/aaa-nac-guest-access-byod