Wireless Access

Dears

I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

Regards

That would be something where you would use a (RADIUS) Authentication server for. Here is my video series that explains how to do such a thing with Aruba ClearPass. And you should be really careful using AD passwords for WiFi access, as it is relatively hard to protect clients to not expose the username and password credentials.

I would really recommend to work with a good partner to get this designed, there are too many things that can go wrong and result in outages or weak security.

For university specific, you would probably have a look at eduroam; which seems available an many countries, maybe also in your.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 31, 2023 03:51 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dears

I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

Regards

Dear Sir

Thanks for your kind reply, I will watch your videos to learn new things about Aruba Networks.

What kind of weak security would I face, I think integrating Wi-Fi with AD would be more secure than a normal password, each employee has their own username and password.

Would you please get me more into this? Thanks.


Regards
Original Message:
Sent: Jan 31, 2023 11:08 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

That would be something where you would use a (RADIUS) Authentication server for. Here is my video series that explains how to do such a thing with Aruba ClearPass. And you should be really careful using AD passwords for WiFi access, as it is relatively hard to protect clients to not expose the username and password credentials.

I would really recommend to work with a good partner to get this designed, there are too many things that can go wrong and result in outages or weak security.

For university specific, you would probably have a look at eduroam; which seems available an many countries, maybe also in your.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 31, 2023 03:51 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dears

I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

Regards

A BIG caution here.

To use AD user authentication, many people use WPA2-Enterprise security with EAP-PEAP-MSCHAPv2.

i understand from our Windows support team that they will be unable to upgrade to version 22H2until we move AWAY fro PEAP-MSCHAPv2 due to new Windows Credential Guard restrictions. EAP-TLS with certificates assigned to users is the preferred, more secure path. You can use AD credentials as a basis for assigning user certificates though.

​

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer
------------------------------

Original Message:
Sent: Feb 01, 2023 01:59 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dear Sir

Thanks for your kind reply, I will watch your videos to learn new things about Aruba Networks.

What kind of weak security would I face, I think integrating Wi-Fi with AD would be more secure than a normal password, each employee has their own username and password.

Would you please get me more into this? Thanks.


Regards
Original Message:
Sent: Jan 31, 2023 11:08 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

That would be something where you would use a (RADIUS) Authentication server for. Here is my video series that explains how to do such a thing with Aruba ClearPass. And you should be really careful using AD passwords for WiFi access, as it is relatively hard to protect clients to not expose the username and password credentials.

I would really recommend to work with a good partner to get this designed, there are too many things that can go wrong and result in outages or weak security.

For university specific, you would probably have a look at eduroam; which seems available an many countries, maybe also in your.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 31, 2023 03:51 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dears

I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

Regards

The issue with using AD passwords is that it is terribly hard to configure a device to no authenticate to a 'rogue network'. Which means that, unless you 100% control your client devices, you should consider the username and password-credential being leaked, and if someone has an AD username and password, that allows in many cases a good start to login to computers, webmail, VPN, etc. Here is an old video that explains it a bit more in technical detail.

Because of this, people now also have issues when users upgrade their Windows version, that authentication suddenly fails (response by bosborne) and there is a strong recommendation to move away from username/password for WiFi and VPN by Microsoft. Bottom-line, it's easier to deploy EAP-TLS with client certificates than you can securely deploy EAP-PEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Feb 01, 2023 01:59 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dear Sir

Thanks for your kind reply, I will watch your videos to learn new things about Aruba Networks.

What kind of weak security would I face, I think integrating Wi-Fi with AD would be more secure than a normal password, each employee has their own username and password.

Would you please get me more into this? Thanks.


Regards
Original Message:
Sent: Jan 31, 2023 11:08 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

That would be something where you would use a (RADIUS) Authentication server for. Here is my video series that explains how to do such a thing with Aruba ClearPass. And you should be really careful using AD passwords for WiFi access, as it is relatively hard to protect clients to not expose the username and password credentials.

I would really recommend to work with a good partner to get this designed, there are too many things that can go wrong and result in outages or weak security.

For university specific, you would probably have a look at eduroam; which seems available an many countries, maybe also in your.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 31, 2023 03:51 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dears

I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

Regards

Wi-Fi password also can be leaked as same as AD username and password, and please note that I have MAC authentication so nobody can join my network from outside the list of allowed MAC addresses.
Original Message:
Sent: Feb 06, 2023 04:36 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

The issue with using AD passwords is that it is terribly hard to configure a device to no authenticate to a 'rogue network'. Which means that, unless you 100% control your client devices, you should consider the username and password-credential being leaked, and if someone has an AD username and password, that allows in many cases a good start to login to computers, webmail, VPN, etc. Here is an old video that explains it a bit more in technical detail.

Because of this, people now also have issues when users upgrade their Windows version, that authentication suddenly fails (response by bosborne) and there is a strong recommendation to move away from username/password for WiFi and VPN by Microsoft. Bottom-line, it's easier to deploy EAP-TLS with client certificates than you can securely deploy EAP-PEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 01, 2023 01:59 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dear Sir

Thanks for your kind reply, I will watch your videos to learn new things about Aruba Networks.

What kind of weak security would I face, I think integrating Wi-Fi with AD would be more secure than a normal password, each employee has their own username and password.

Would you please get me more into this? Thanks.


Regards
Original Message:
Sent: Jan 31, 2023 11:08 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

That would be something where you would use a (RADIUS) Authentication server for. Here is my video series that explains how to do such a thing with Aruba ClearPass. And you should be really careful using AD passwords for WiFi access, as it is relatively hard to protect clients to not expose the username and password credentials.

I would really recommend to work with a good partner to get this designed, there are too many things that can go wrong and result in outages or weak security.

For university specific, you would probably have a look at eduroam; which seems available an many countries, maybe also in your.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 31, 2023 03:51 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dears

I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

Regards

I just want to warn... the difference between leaking a WPA-PSK password and leaking AD credentials through EAP-PEAP is that with the WPA-PSK password there typically is no other access with the same password, and that the password is leaked through people. With EAP-PEAP-MSCHAPv2, a client device that is near a potential hostile AP will happily provide the credentials without the user being asked once the client sees the 'spoofed' SSID (or if they are asked, most will accept) and if those credentials are AD credentials, they may be used to crack the password and/or sign in to computers, VPNs, Webmail, unless there are other safeguards. And if an attacker captured the credentials, they have the client MAC address as well and MAC addresses are really simple to spoof. It's just something I would not want to take the risk, and I can't think of a security officer signing this off if you explain the risks. But, it's your (organization's) decision in the end.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Feb 06, 2023 04:55 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Wi-Fi password also can be leaked as same as AD username and password, and please note that I have MAC authentication so nobody can join my network from outside the list of allowed MAC addresses.
Original Message:
Sent: Feb 06, 2023 04:36 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

The issue with using AD passwords is that it is terribly hard to configure a device to no authenticate to a 'rogue network'. Which means that, unless you 100% control your client devices, you should consider the username and password-credential being leaked, and if someone has an AD username and password, that allows in many cases a good start to login to computers, webmail, VPN, etc. Here is an old video that explains it a bit more in technical detail.

Because of this, people now also have issues when users upgrade their Windows version, that authentication suddenly fails (response by bosborne) and there is a strong recommendation to move away from username/password for WiFi and VPN by Microsoft. Bottom-line, it's easier to deploy EAP-TLS with client certificates than you can securely deploy EAP-PEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 01, 2023 01:59 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dear Sir

Thanks for your kind reply, I will watch your videos to learn new things about Aruba Networks.

What kind of weak security would I face, I think integrating Wi-Fi with AD would be more secure than a normal password, each employee has their own username and password.

Would you please get me more into this? Thanks.


Regards
Original Message:
Sent: Jan 31, 2023 11:08 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

That would be something where you would use a (RADIUS) Authentication server for. Here is my video series that explains how to do such a thing with Aruba ClearPass. And you should be really careful using AD passwords for WiFi access, as it is relatively hard to protect clients to not expose the username and password credentials.

I would really recommend to work with a good partner to get this designed, there are too many things that can go wrong and result in outages or weak security.

For university specific, you would probably have a look at eduroam; which seems available an many countries, maybe also in your.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 31, 2023 03:51 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dears

I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

Regards

If by Wi-Fi password you mean WPA2-Personal pre-shared key, it is not considered secure for enterprise use anyway. That us why WPA2-Enterprise & WPA3-Enterprise exist for enterprise use.

WPA2-Personal has lower security suitable only for home use because it does not need the enterprise infrastructure required by the Enterprise encryptions.

------------------------------
Bruce Osborne ACCP ACMP
Liberty University

The views expressed here are my personal views and not those of my employer
------------------------------

Original Message:
Sent: Feb 06, 2023 04:55 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Wi-Fi password also can be leaked as same as AD username and password, and please note that I have MAC authentication so nobody can join my network from outside the list of allowed MAC addresses.
Original Message:
Sent: Feb 06, 2023 04:36 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

The issue with using AD passwords is that it is terribly hard to configure a device to no authenticate to a 'rogue network'. Which means that, unless you 100% control your client devices, you should consider the username and password-credential being leaked, and if someone has an AD username and password, that allows in many cases a good start to login to computers, webmail, VPN, etc. Here is an old video that explains it a bit more in technical detail.

Because of this, people now also have issues when users upgrade their Windows version, that authentication suddenly fails (response by bosborne) and there is a strong recommendation to move away from username/password for WiFi and VPN by Microsoft. Bottom-line, it's easier to deploy EAP-TLS with client certificates than you can securely deploy EAP-PEAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 01, 2023 01:59 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dear Sir

Thanks for your kind reply, I will watch your videos to learn new things about Aruba Networks.

What kind of weak security would I face, I think integrating Wi-Fi with AD would be more secure than a normal password, each employee has their own username and password.

Would you please get me more into this? Thanks.


Regards
Original Message:
Sent: Jan 31, 2023 11:08 AM
From: Herman Robers
Subject: Sync Wi-Fi authentication with Active Directory

That would be something where you would use a (RADIUS) Authentication server for. Here is my video series that explains how to do such a thing with Aruba ClearPass. And you should be really careful using AD passwords for WiFi access, as it is relatively hard to protect clients to not expose the username and password credentials.

I would really recommend to work with a good partner to get this designed, there are too many things that can go wrong and result in outages or weak security.

For university specific, you would probably have a look at eduroam; which seems available an many countries, maybe also in your.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 31, 2023 03:51 AM
From: rami.hajjiri
Subject: Sync Wi-Fi authentication with Active Directory

Dears

I want to know how to configure Wi-Fi authentication with Active Directory on windows server 2012 so employees can authenticate their username and password instead of normal Wi-Fi password.

I saw this technology used in a university which their Wi-Fi asks for username and password instead of asking only for a password, and students may join using their AD username and password.

Current Aruba Firmware: 8.11.0.1_85785 SSR (Digitally Signed - Production Build)

Regards