Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

local termination dot1x

  • 1.  local termination dot1x

    Posted Nov 12, 2012 05:57 AM

    Hi, we have local termination enabled on the controller for dot1x. We need to enforce machine auth so we need to turn local termination off.  The build engineer enabled it originally as the Windows XP clients would not authenticate when it was switched off originally.  Once he enabled local termination the clients authenticated OK.  Can someone advise on why the clients may not be able to authenticate successfully without local termination?

     

    thanks



  • 2.  RE: local termination dot1x

    EMPLOYEE
    Posted Nov 12, 2012 10:02 AM

    That is because your external radius server does not have a server certificate that your clients trust.  Please install a server certificate on your external radius server.

     

    http://community.arubanetworks.com/aruba/attachments/aruba/authentication-and-access-control/1390/1/Using+Microsoft+Windows+2008+Server+With+Aruba.pdf



  • 3.  RE: local termination dot1x

    Posted Nov 12, 2012 10:16 AM

    Thanks for the reply, I didn't think we were required to use certificates?  Are they mandatory if we don't want to use local termination?



  • 4.  RE: local termination dot1x
    Best Answer

    EMPLOYEE
    Posted Nov 12, 2012 11:55 AM

    Yes.  A single server certificate on your radius server is mandatory in your situation, yes.

     

     



  • 5.  RE: local termination dot1x

    Posted Nov 13, 2012 06:37 AM

    Can I just check one more thing, sorry if I'm being a bit stupid here, probably my lack of understanding.  Can you validate the following approach I'm going to take: -

     

    We will use a windows 2003 CA server to generate a certificate

    we will install this on the windows 2003 IAS server

    we will via group policy ensure the windows xp clients trust the windows 2003 CA

    we can then disable local termination on the controllers and hopefully machine authentication will now work?

     

    thanks



  • 6.  RE: local termination dot1x

    EMPLOYEE
    Posted Nov 13, 2012 06:42 AM

    @j_moss_home wrote:

    Can I just check one more thing, sorry if I'm being a bit stupid here, probably my lack of understanding.  Can you validate the following approach I'm going to take: -

     

    We will use a windows 2003 CA server to generate a certificate

    we will install this on the windows 2003 IAS server

    we will via group policy ensure the windows xp clients trust the windows 2003 CA

    we can then disable local termination on the controllers and hopefully machine authentication will now work?

     

    thanks


    It is slightly better than that:

     

    If your Windows 2003 CA is an Enterprise CA (by default it is), clients will automatically trust the Windows CA.  The only gotcha is that they will trust it within the first Group Policy refresh period, so you might have to do a "gpupdate /force" on the command line if those devices have not refreshed their group policy.

     

    You can then disable local termination and machine authentication should work, Yes.

     

    Please see the PDF in the post here:  http://community.arubanetworks.com/t5/Authentication-and-Access/Step-by-Step-How-to-Configure-Microsoft-IAS-Radius-Server-from/m-p/14391/highlight/true#M80 for detailed instructions.
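
Added example, not part of the original thread or of any poster's reply: a shell check of the condition this thread turns on, whether the RADIUS server certificate chains to a CA the clients trust. It assumes OpenSSL and PEM-encoded certificates; the CA names, host name and certificates are constructed for the demonstration.

```shell
# Added example; all names, hosts and certificates below are constructed.
# Assumes OpenSSL and PEM-encoded files exported from the CA and RADIUS server.

# radius_cert_trusted CA_PEM SERVER_PEM
# Returns 0 only if SERVER_PEM chains to CA_PEM and is valid for TLS server use,
# the role the RADIUS server plays once the controller stops terminating EAP.
radius_cert_trusted() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed root standing in for the Windows CA.
make_ca() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server_cert DIR CA_NAME HOST: server certificate issued by CA_NAME.
make_server_cert() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$1/$3.ext"
    openssl req -config "$1/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -extfile "$1/$3.ext" -out "$1/$3.pem" 2>/dev/null
}

# demo: returns 0 when the certificate is accepted with the issuing CA in the
# client's trust store and rejected when only an unrelated CA is present.
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" corp-ca && make_ca "$d" other-ca &&
        make_server_cert "$d" corp-ca ias01.example.test || { rm -rf "$d"; return 2; }
    rc=0
    if radius_cert_trusted "$d/corp-ca.pem" "$d/ias01.example.test.pem"; then
        echo "issuing CA trusted by client: certificate accepted"
    else rc=1; fi
    if radius_cert_trusted "$d/other-ca.pem" "$d/ias01.example.test.pem"; then
        rc=1
    else
        echo "issuing CA not trusted by client: certificate rejected"
    fi
    rm -rf "$d"
    return $rc
}
```

To check real files, call `radius_cert_trusted` with the exported CA certificate and the RADIUS server certificate in place of the constructed ones.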

     



  • 7.  RE: local termination dot1x

    Posted Nov 13, 2012 07:06 AM

    awesome, thanks for the quick response and your help!