M and MSM Series
cancel
Showing results for 
Search instead for 
Did you mean: 

MSM760 and validation users against AD/Radius

 
Highlighted
hpbon
Advisor

MSM760 and validation users against AD/Radius

Been reading the documentation, but I must admit that I find it quite hard to understand in detail.

I have been taking over the administration of a MSM760 - originally it has been set up to validate clients on a Novell server through an external Radius server.

This has been causing a lot of issues on certain clients (mainly HP laptops) not wanting to authenticate unless you manually create a WiFi connetion and disable the certificate validation.

I have been taking it as being a Novell issue, but now after changing authentication to Active Directory, I see the exact same thing. Furthermore users now complain about being promted a certificate with the name "Dummy certificate". Nothing that I have been creating, but I managed to find a certificate under "Security", "Certificate Stores" carrying the name "Dummy Certificate". Current usage for this is "RADIUS EAP".

I do not understand the connection from this RADIUS EAP and the Active Directory validation, because what I did was to create a new VSC with generally the same settings as on the Novell validation VSC... execpt chosing "Active Directory" under Remote Authentication in the 802.1X group. Plus of coarse adding the MSM760 to our AD.

I works in many of the cases... but I would like it to work flawless and automatically with all clients. What is the best approach to connect MSM760 to AD and let clients authenticate against this?

Regards,m Lars.

4 REPLIES 4
Highlighted
hpbon
Advisor

Re: MSM760 and validation users against AD/Radius

Ok, by trial and error I think that I now understand a bit of it.

took a certificate from out webserver, uploaded it to the certificate store, and iPhones are now getting this certificate displayed on connect. iPhones are asked to approve the certificate. Android just connects without any promts.

Some windows clients connects without problems - others will fail unless you manually create the wifi network, edit it and deselect the "validate server certificate" option.

The certificate is valid. It has been issued by a trusted authority.. Then name of the certificate belongs to a server with another IP address though..

How can I let every connecting client act like an android: just connecting without certificate approvement or manual wifi creation?

Regards, Lars.

 

Highlighted
CraigS1971
Valued Contributor

Re: MSM760 and validation users against AD/Radius

Hi Lars,

The radius + MSM760 can be a headache.

The way radius is configured will decide how the connection authentication will work. EAP-TLS will require a certificate on the server and on the device. EAP-TTLS will require a certificate only on the server. Radius can also be set to always require a certificate or not, before it authenticates your device. I use EAP-TTLS + PAP with a wildcard certificate (valid for all *.domain.com servers).

Android by default does not require a certificate while apple devices do. Set Windows devices to use "Any valid certificate" because they mostly have the CA public keys installed already. Apple will accept them as well.

You can use EAP-PEAP+MSCHAP to allow devices to connect without profiles. This works for apple stuff too.

Good luck

Highlighted
hpbon
Advisor

Re: MSM760 and validation users against AD/Radius

Hi Craig... and thank you for your comment... yes, it is giving me quite much of a headache...

I just want the MSM760 to validate users agains out Active Directory. 

Where to set the EAP-PEAP+MSCHAP?

Under Authentication, Radius Server I have got:

PAP (Required to support MAC-based authentication in VSCs)   To support WPA/802.1X clients you must select at least
  one of the following:
EAP-TTLS EAP-PEAPv0 EAP-TLS FIPS compliant operation

 

Regards, Lars.

Highlighted
CraigS1971
Valued Contributor

Re: MSM760 and validation users against AD/Radius

Hi Lars,

I just left mine all enabled and had to get our Packetfence NAC vendor to configure the radius server due to the complexity of our system.

I could send you some config files but they may confuse more than help.

You need to check files like:
/etc/raddb/ or /usr/local/etc/raddb (Depending how you installed radius)

eap.conf
./sites-enabled/default
./sites-enabled/inner-tunnel

This may help more: https://www.eduroam.us/node/89