
Author Topic: Unable to configure external Radius authentication  (Read 11771 times)


Offline eroberge

  • Rookie
  • **
  • Posts: 6
Unable to configure external Radius authentication
« on: April 11, 2014, 01:05:05 PM »
Hi,

I am trying to configure external radius configuration on my Motorola RFS4000 v5.4.2 controller, to a Windows 2008r2 server with Active Directory.
I did use openssl to create my CA and self-signed certificate, and uploaded the certificates to the controller and the Windows server.
I did configure the Radius client and the network policies according to the supplier. Not very sure that this was all correct though because they don't seem very reliable. But that's the way they always do it they say.


I created a wifi "thevco-radius" and assigned to it an AAA policy "gsie-radius".

When trying to connect to the wifi, I get the following events:
=====================================================
Client '3C-E0-72-53-76-28' timeout attempting 802.1x/EAP authentication on wlan 'thevco-radius' radio 'AP650-06:R1'
Client '3C-E0-72-53-76-28' disassociated from wlan 'thevco-radius' radio 'AP650-06:R1': eap handshake timeout (reason code:23)
=====================================================

Attached is my controller's config "rfs4000-badRadius-config.txt"

I did search for external radius configuration but didn't find anything that matches my setup.


Thanks for your help


Offline McNulty

  • Sr. Member
  • ****
  • Posts: 217
Re: Unable to configure external Radius authentication
« Reply #1 on: April 11, 2014, 08:33:54 PM »
There could be any number of obstacles between your RFS and the authentication server, such as firewall rules, ACLs and even Windows firewall on the server. Then check the same thing for the return path.

Sometimes the server needs to be set up to specifically allow requests from certain hosts. You also might have an error in the credentials.

First thing I would check is: Can you get any logs from the radius server? Did it ever receive the radius request? If yes, check the radius config and then the return path. If no, check the network path.

One thing I noticed about your RFS config is that your WLAN is using AAA and also using a captive portal policy which also uses a different AAA. So essentially you are trying to use 2 AAA policies on one WLAN. Not sure if that will work.

P.S. you have a spelling mistake on your captive portal web page (there/their) :)

Offline hchen01

  • Full Member
  • ***
  • Posts: 73
Re: Unable to configure external Radius authentication
« Reply #2 on: April 12, 2014, 05:44:37 AM »
If you are using the external Radius server, you do not install the certificates, just create the AAA policy under WLAN, set the IP address / hostname of the Radius server (windows 2008), and select the AAA policy in the WLAN profile.

On the Radius server(windows server 2008), you need to add the IP address of the WLC and do some configuration.

If you are using the WLC as the Radius server, and Windows 2008 as the LDAP (user credential), you need to install the certificates.

and create the AAA policy using controller as the radius server (on board)

Offline noobie

  • Full Member
  • ***
  • Posts: 92
Re: Unable to configure external Radius authentication
« Reply #3 on: April 12, 2014, 03:55:01 PM »
Well, my one and only question is: what are you really trying to achieve? Without any details I won't be able to help.

Offline eroberge

  • Rookie
  • **
  • Posts: 6
Re: Unable to configure external Radius authentication
« Reply #4 on: April 15, 2014, 09:35:56 PM »
Thank you very much Sirs for your help.

My final goal is to use my Active Directory from the Windows Server 2008 to authenticate users on WiFi.
From my readings, to achieve this, I must install and use the Radius server/role on the Windows Server.
Then, configure a way to authenticate the Motorola Controller, so that it can use the Active Directory.

I will check tomorrow at work for logs but from what I remember, authentication was reaching the WinServer.
But in the meantime, could you tell me what is the preferred way to achieve this?
   a. Windows server with AD and RADIUS
   b. Motorola controller with RADIUS, connected to AD on the Windows Server ?

Is it possible to have captive portal AND external RADIUS authentication ?

Offline McNulty

  • Sr. Member
  • ****
  • Posts: 217
Re: Unable to configure external Radius authentication
« Reply #5 on: April 16, 2014, 05:17:16 AM »
Is it possible to have captive portal AND external RADIUS authentication ?

Yes, you can have the captive portal screen so that it contains a username and password field.
Then the RFS looks up this information on the radius server.

Check this document for good information:

http://www.michaelfmcnamara.com/files/motorola/WiNG5_Captive_Portal_Design_Guide_June_2011.pdf

Offline eroberge

  • Rookie
  • **
  • Posts: 6
Re: Unable to configure external Radius authentication
« Reply #6 on: April 16, 2014, 09:53:03 AM »
In fact, the captive portal is for guest users, and the radius authentication would be for employees. I want employees to be automatically authenticated on the network with their domain user.

Offline noobie

  • Full Member
  • ***
  • Posts: 92
Re: Unable to configure external Radius authentication
« Reply #7 on: April 16, 2014, 10:23:46 AM »
Try setting up captive portal as fallback authentication.
Also you might want to encrypt your network (ccmp, as it's strongest at this point and is supported by .11n). Right now you have it open with eap authentication. Hardly makes any sense.
Which EAP method is being used? PEAP? EAP-TLS?
If it's PEAP-MSCHAPv2, then go for 5.5.x firmware, use internal radius and ldap-agent, so the controller would join the domain and authenticate users against Microsoft Active Directory; prior to 5.5.0 it was not possible by using internal RADIUS on RFS.

Offline eroberge

  • Rookie
  • **
  • Posts: 6
Re: Unable to configure external Radius authentication
« Reply #8 on: April 16, 2014, 02:18:53 PM »
Indeed. There is no encryption. I wanted to let everything open until I can make it work, and then, tighten those settings.
I thought using EXTERNAL radius auth would give me more possibilities and a central point of user management. Is it better to go with internal radius?
What is the recommended way to do it?
I didn't find any doc that explains the difference/pros/cons of using internal/external. Can anyone provide me one?
And a doc on "HowTo external radius"?


On Win Server, In my network policies:
  - Condition: NAS Port Type: Wireless - Other OR Wireless IEEE 802.11
  - Auth Provider: Local Computer
  - Extensible Authentication Protocol Method is "Microsoft: Protected EAP"
  - Authentication Method: EAP
  - Override Authentication: Enabled


Now being at the office, I can test and see in the "Network Policy and Access Services" logs that the request does not even reach the radius.
But when using the following command on the controller, I can reach the radius and get authentication, and see logging info in the "Network Policy and Access Services":
   "service radius test dc.domain.com ocrtest user password"

So somehow, when passing through an AP, the request does not reach the external radius server?
In my RADIUS authentication settings, should I "Request Proxy Mode" through Wireless controller or none or RF domain manager?

As you can see, I am pretty much confused now.

thanks again

Offline noobie

  • Full Member
  • ***
  • Posts: 92
Re: Unable to configure external Radius authentication
« Reply #9 on: April 17, 2014, 10:11:03 AM »
You should define RADIUS clients on your NPS. If you configured only the RFS as a client, then inside the AAA policy you have to specify proxy mode "through controller"; if you want each AP to send queries directly, then leave it as "none", but be aware that each AP should be configured as a RADIUS client on NPS as well. I don't see any use for "through-rfdm", as domain managers are mostly dynamic anyway.

Offline eroberge

  • Rookie
  • **
  • Posts: 6
Re: Unable to configure external Radius authentication
« Reply #10 on: April 27, 2014, 02:59:50 PM »
It makes sense to authenticate through the controller. Thanks for confirming.
The NPS won't accept more than one remote IP address or an IP range. So I have no choice but to pass through the controller.

Did Motorola write a doc about how to use their external radius auth?

Offline noobie

  • Full Member
  • ***
  • Posts: 92
Re: Unable to configure external Radius authentication
« Reply #11 on: April 27, 2014, 03:33:30 PM »
hmm, why should Moto write a doc on how to configure a Microsoft product?:) sometimes they do, but I would not expect that.

External radius authentication 99% relies on the external product config (NPS + AD + CA in the Microsoft case); the only thing you should add is an aaa-policy on the controller and map it to the wlan. It is pretty straightforward.

Offline eroberge

  • Rookie
  • **
  • Posts: 6
Re: Unable to configure external Radius authentication
« Reply #12 on: April 29, 2014, 07:41:25 AM »
Mmm, right, makes sense again.
But is there any special configuration to do on the APs?
Any idea why I see no log in windows when connecting to APs, while I see some when testing on controller with command line ?

Offline noobie

  • Full Member
  • ***
  • Posts: 92
Re: Unable to configure external Radius authentication
« Reply #13 on: April 30, 2014, 11:43:40 AM »
If you have a controller, then you don't need any special config on the AP side.

Sample cfg would be:
!
aaa-policy extEAP
 authentication server 1 host <ip address> secret <radius shared secret>
 authentication server 1 proxy-mode through-controller
!
wlan <wlan name>
 ssid <ssid name>
 vlan <vlan idx>
 bridging-mode local
 encryption-type ccmp
 authentication-type eap
 no answer-broadcast-probes
 client-load-balancing
 use aaa-policy extEAP
 use ip-access-list out BROADCAST-MULTICAST-CONTROL
 use mac-access-list out PERMIT-ARP-AND-IPv4
!

That's it.
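The point made in reply #9 and restated by the sample config above (NPS only answers sources it knows as RADIUS clients, so with `proxy-mode through-controller` the controller's IP is the one that must be registered) can be seen at the protocol level. The following is an added example, not code from this thread, from Motorola/WiNG or from Microsoft: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python with a toy stand-in for NPS that silently discards packets from any source IP that is not a configured RADIUS client, which is exactly what an AP sending directly with `proxy-mode none` runs into. All IP addresses, the shared secret and the user credentials are constructed for the demo; `FakeNps` models NPS's client check and PAP password verification only, not its policies or logging.

```python
# Added example (not from the forum thread): RFC 2865 RADIUS/PAP exchange with a toy NPS
# that, like the real one, only answers packets from a configured RADIUS client IP.
# IPs, secret and credentials below are constructed for the demo.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
WIRELESS_IEEE_80211 = 19  # NAS-Port-Type value matched by the NPS policy condition in the thread


def _attr(attr_type, value):
    """Encode one attribute as Type | Length | Value; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; the chaining input is the ciphertext block."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attributes(blob):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    attrs, pos = {}, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, request_authenticator, username, password, secret, nas_ip):
    """Access-Request as the controller would emit it with proxy-mode through-controller."""
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_IEEE_80211)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_authenticator + attrs


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    auth = response_authenticator(code, ident, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_authenticator, secret):
    """Return the reply code if the Response Authenticator matches our secret, else None."""
    if response is None or len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    expected = response_authenticator(code, ident, response[20:], request_authenticator, secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


class FakeNps:
    """Toy NPS (constructed): radius_clients maps allowed source IP -> secret, users maps name -> password."""

    def __init__(self, radius_clients, users):
        self.radius_clients = radius_clients
        self.users = users

    def handle(self, source_ip, packet):
        secret = self.radius_clients.get(source_ip)
        if secret is None:
            return None  # not a configured RADIUS client: dropped without a reply, the client times out
        try:
            code, ident, length = struct.unpack("!BBH", packet[:4])
            if code != ACCESS_REQUEST or length != len(packet):
                return None
            request_authenticator = packet[4:20]
            attrs = parse_attributes(packet[20:])
        except (struct.error, ValueError):
            return None
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_authenticator)
        expected = self.users.get(user)
        ok = expected is not None and hmac.compare_digest(expected.encode(), password)
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_authenticator, secret)


def demo(secret=b"constructed-shared-secret"):
    """Same request from the controller IP (registered client), from an AP IP (not registered), and with a wrong secret."""
    nps = FakeNps({"10.0.0.1": secret}, {"jdoe": "S3cret!"})  # constructed: only the controller is a RADIUS client
    request_authenticator = os.urandom(16)
    request = build_access_request(7, request_authenticator, "jdoe", "S3cret!", secret, "10.0.0.1")
    via_controller = verify_response(nps.handle("10.0.0.1", request), request_authenticator, secret)
    direct_from_ap = nps.handle("10.0.0.50", request)  # proxy-mode none: AP's own IP is unknown to NPS
    bad_request = build_access_request(8, request_authenticator, "jdoe", "S3cret!", b"typo-secret", "10.0.0.1")
    wrong_secret = verify_response(nps.handle("10.0.0.1", bad_request), request_authenticator, b"typo-secret")
    return via_controller, direct_from_ap, wrong_secret


if __name__ == "__main__":
    print(demo())  # (2, None, None): Access-Accept; no reply at all; reply whose authenticator does not verify
```

The three outcomes map onto the thread's symptoms: a request from the registered controller IP gets an Access-Accept, the identical packet from an unregistered AP IP gets no reply at all (the "eap handshake timeout" seen in the controller events, with nothing on the NPS side), and a shared-secret mismatch produces a reply that fails the Response Authenticator check on the client. A real EAP exchange adds EAP-Message and Message-Authenticator attributes on top of this, but the client registration and secret checks are the same.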