06-29-2016 06:35 AM
MSM760 and validation users against AD/Radius
Been reading the documentation, but I must admit that I find it quite hard to understand in detail.
I have been taking over the administration of an MSM760 - originally it has been set up to validate clients on a Novell server through an external Radius server.
This has been causing a lot of issues on certain clients (mainly HP laptops) not wanting to authenticate unless you manually create a WiFi connection and disable the certificate validation.
I have been taking it as being a Novell issue, but now after changing authentication to Active Directory, I see the exact same thing. Furthermore, users now complain about being prompted with a certificate with the name "Dummy certificate". Nothing that I have been creating, but I managed to find a certificate under "Security", "Certificate Stores" carrying the name "Dummy Certificate". Current usage for this is "RADIUS EAP".
I do not understand the connection from this RADIUS EAP and the Active Directory validation, because what I did was to create a new VSC with generally the same settings as on the Novell validation VSC... except choosing "Active Directory" under Remote Authentication in the 802.1X group. Plus of course adding the MSM760 to our AD.
It works in many of the cases... but I would like it to work flawlessly and automatically with all clients. What is the best approach to connect MSM760 to AD and let clients authenticate against this?
Regards, Lars.
- Tags:
- MSM760 AD
07-01-2016 06:25 AM - edited 07-01-2016 06:26 AM
Re: MSM760 and validation users against AD/Radius
Ok, by trial and error I think that I now understand a bit of it.
I took a certificate from our webserver, uploaded it to the certificate store, and iPhones are now getting this certificate displayed on connect. iPhones are asked to approve the certificate. Android just connects without any prompts.
Some Windows clients connect without problems - others will fail unless you manually create the wifi network, edit it and deselect the "validate server certificate" option.
The certificate is valid. It has been issued by a trusted authority. The name of the certificate belongs to a server with another IP address though.
How can I let every connecting client act like an Android: just connecting without certificate approval or manual wifi creation?
Regards, Lars.
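
The certificate checks behind the behaviour described in the post above, as an added example that is not part of the original thread: a supplicant that validates the server certificate compares the certificate's name with the server name set in its Wi-Fi profile (if one is set), needs a chain to a CA it trusts, and on Windows expects the Server Authentication EKU. The script assumes OpenSSL 1.1.1 or later; `make_sample_cert`, `check_eap_cert` and the example.com names are hypothetical, and the test certificate is constructed.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the certificate a RADIUS/EAP server presents.
# Assumes OpenSSL 1.1.1+; every name and certificate here is constructed.

# make_sample_cert DIR CN EKU: self-signed test certificate (constructed input).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -addext "extendedKeyUsage=$3" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# check_eap_cert PEM NAME: prints one finding per line, returns their count.
check_eap_cert() {
  local pem="$1" name="$2" n=0 subj iss
  # 1. Name: compared with the server name in the client profile, not with
  #    the IP address of the RADIUS server.
  if ! openssl x509 -in "$pem" -noout -checkhost "$name" | grep -q 'does match'; then
    echo "NAME_MISMATCH: certificate is not valid for $name"; n=$((n+1))
  fi
  # 2. Trust: subject == issuer means self-issued, so no chain to a public CA.
  subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
  if [ "$subj" = "$iss" ]; then
    echo "SELF_ISSUED: $subj"; n=$((n+1))
  fi
  # 3. Purpose: Windows supplicants expect the Server Authentication EKU.
  if ! openssl x509 -in "$pem" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo "NO_SERVER_EKU: Server Authentication not listed"; n=$((n+1))
  fi
  # 4. Validity: -checkend 0 fails if the certificate has already expired.
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED"; n=$((n+1))
  fi
  return "$n"
}

# Demo on constructed input: a certificate issued for a web server, checked
# against the (hypothetical) RADIUS server name clients are set to expect.
tmp=$(mktemp -d)
make_sample_cert "$tmp" web01.example.com serverAuth
check_eap_cert "$tmp/cert.pem" radius.example.com || true
rm -rf "$tmp"
```

To check a real deployment, export the certificate assigned to the RADIUS EAP usage as PEM and pass it with the server name the client profiles are configured to trust.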
07-04-2016 02:23 AM
Re: MSM760 and validation users against AD/Radius
Hi Lars,
The RADIUS + MSM760 can be a headache.
The way RADIUS is configured will decide how the connection authentication will work. EAP-TLS will require a certificate on the server and on the device. EAP-TTLS will require a certificate only on the server. RADIUS can also be set to always require a certificate or not, before it authenticates your device. I use EAP-TTLS + PAP with a wildcard certificate (valid for all *.domain.com servers).
Android by default does not require a certificate while Apple devices do. Set Windows devices to use "Any valid certificate" because they mostly have the CA public keys installed already. Apple will accept them as well.
You can use EAP-PEAP+MSCHAP to allow devices to connect without profiles. This works for Apple stuff too.
Good luck
07-04-2016 03:43 AM
Re: MSM760 and validation users against AD/Radius
Hi Craig... and thank you for your comment... yes, it is giving me quite much of a headache...
I just want the MSM760 to validate users against our Active Directory.
Where to set the EAP-PEAP+MSCHAP?
Under Authentication, Radius Server I have got:
PAP (Required to support MAC-based authentication in VSCs)
To support WPA/802.1X clients you must select at least one of the following:
EAP-TTLS
EAP-PEAPv0
EAP-TLS
FIPS compliant operation
Regards, Lars.
07-04-2016 05:18 AM
Re: MSM760 and validation users against AD/Radius
Hi Lars,
I just left mine all enabled and had to get our Packetfence NAC vendor to configure the RADIUS server due to the complexity of our system.
I could send you some config files but they may confuse more than help.
You need to check files like:
/etc/raddb/ or /usr/local/etc/raddb (depending on how you installed RADIUS)
eap.conf
./sites-enabled/default
./sites-enabled/inner-tunnel
This may help more: https://www.eduroam.us/node/89