https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6873755#M4853 <P>Been reading the documentation, but I must admit that I find it quite hard to understand in detail.</P><P>I have been taking over the administration of a MSM760 - originally it has been set up to validate clients on a Novell server through an external Radius server.</P><P>This has been causing a lot of issues on certain clients (mainly HP laptops) not wanting to authenticate unless you manually create a WiFi connetion and disable the certificate validation.</P><P>I have been taking it as being a Novell issue, but now after changing authentication to Active Directory, I see the exact same thing. Furthermore users now complain about being promted a certificate with the name "Dummy certificate". Nothing that I have been creating, but I managed to find a certificate under "Security", "Certificate Stores" carrying the name "Dummy Certificate". Current usage for this is "RADIUS EAP".</P><P>I do not understand the connection from this RADIUS EAP and the Active Directory validation, because what I did was to create a new VSC with generally the same settings as on the Novell validation VSC... execpt chosing "Active Directory" under Remote Authentication in the 802.1X group. Plus of coarse adding the MSM760 to our AD.</P><P>I works in many of the cases... but I would like it to work flawless and automatically with all clients. What is the best approach to connect MSM760 to AD and let clients authenticate against this?</P><P>Regards,m Lars.</P> Wed, 29 Jun 2016 13:35:25 GMT hpbon 2016-06-29T13:35:25Z https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6873755#M4853 <P>Been reading the documentation, but I must admit that I find it quite hard to understand in detail.</P><P>I have been taking over the administration of a MSM760 - originally it has been set up to validate clients on a Novell server through an external Radius server.</P><P>This has been causing a lot of issues on certain clients (mainly HP laptops) not wanting to authenticate unless you manually create a WiFi connetion and disable the certificate validation.</P><P>I have been taking it as being a Novell issue, but now after changing authentication to Active Directory, I see the exact same thing. Furthermore users now complain about being promted a certificate with the name "Dummy certificate". Nothing that I have been creating, but I managed to find a certificate under "Security", "Certificate Stores" carrying the name "Dummy Certificate". Current usage for this is "RADIUS EAP".</P><P>I do not understand the connection from this RADIUS EAP and the Active Directory validation, because what I did was to create a new VSC with generally the same settings as on the Novell validation VSC... execpt chosing "Active Directory" under Remote Authentication in the 802.1X group. Plus of coarse adding the MSM760 to our AD.</P><P>I works in many of the cases... but I would like it to work flawless and automatically with all clients. What is the best approach to connect MSM760 to AD and let clients authenticate against this?</P><P>Regards,m Lars.</P> Wed, 29 Jun 2016 13:35:25 GMT https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6873755#M4853 hpbon 2016-06-29T13:35:25Z https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6874657#M4855 <P>Ok, by trial and error I think that I now understand a bit of it.</P><P>took a certificate from out webserver, uploaded it to the certificate store, and iPhones are now getting this certificate displayed on connect. iPhones are asked to approve the certificate. Android just connects without any promts.</P><P>Some windows clients connects without problems - others will fail unless you manually create the wifi network, edit it and deselect the "validate server certificate" option.</P><P>The certificate is valid. It has been issued by a trusted&nbsp;authority.. Then name of the certificate belongs to a server with another IP address though..</P><P>How can I let every connecting client act like an android: just connecting without certificate approvement or manual wifi creation?</P><P>Regards, Lars.</P><P>&nbsp;</P> Fri, 01 Jul 2016 13:26:33 GMT https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6874657#M4855 hpbon 2016-07-01T13:26:33Z https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6875054#M4856 <P>Hi Lars,</P><P>The radius + MSM760 can be a headache.</P><P>The way radius is configured will decide how the connection authentication will work. EAP-TLS will require a certificate on the server and on the device. EAP-TTLS will require a certificate only on the server. Radius can also be set to always require a certificate or not, before it authenticates your device. I use EAP-TTLS + PAP with a wildcard certificate (valid for all *.domain.com servers).</P><P>Android by default does not require a certificate while apple devices do. Set Windows devices to use "Any valid certificate" because they mostly have the CA public keys installed already. Apple will accept them as well.</P><P>You can use EAP-PEAP+MSCHAP to allow devices to connect without profiles. This works for apple stuff too.</P><P>Good luck</P> Mon, 04 Jul 2016 09:23:13 GMT https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6875054#M4856 CraigS1971 2016-07-04T09:23:13Z https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6875072#M4857 <P>Hi Craig... and thank you for your comment... yes, it is giving me quite much of a headache...</P><P>I just want the MSM760 to validate users agains out Active Directory.&nbsp;</P><P>Where to set the EAP-PEAP+MSCHAP?</P><P>Under Authentication, Radius Server I have got:</P><P><SPAN class="label">PAP <I>(Required to support MAC-based authentication in VSCs)</I></SPAN> <IMG src="https://190.200.10.20/img/v1437166706/space.gif" border="0" alt="" width="1" height="4" /> <SPAN class="label">&nbsp;&nbsp;<I>To support WPA/802.1X clients you must select at least </I><BR />&nbsp;&nbsp;<I>one of the following:</I></SPAN> <SPAN class="label">EAP-TTLS</SPAN> <SPAN class="label">EAP-PEAPv0</SPAN> <SPAN class="label">EAP-TLS</SPAN> <SPAN class="label">FIPS compliant operation</SPAN></P><P>&nbsp;</P><P>Regards, Lars.</P> Mon, 04 Jul 2016 10:43:53 GMT https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6875072#M4857 hpbon 2016-07-04T10:43:53Z https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6875091#M4858 <P>Hi Lars,</P><P>I just left mine all enabled and had to get our Packetfence NAC vendor to configure the radius server due to the complexity of our system.</P><P>I could send you some config files but they may confuse more than help.</P><P>You need to check files like:<BR />/etc/raddb/ or /usr/local/etc/raddb (Depending how you installed radius)</P><P>eap.conf<BR />./sites-enabled/default<BR />./sites-enabled/inner-tunnel</P><P>This may help more: <A href="https://www.eduroam.us/node/89" target="_blank">https://www.eduroam.us/node/89</A><BR /><BR /></P><P>&nbsp;</P> Mon, 04 Jul 2016 12:18:19 GMT https://community.hpe.com/t5/m-and-msm-series/msm760-and-validation-users-against-ad-radius/m-p/6875091#M4858 CraigS1971 2016-07-04T12:18:19Z