Re: WPA2/Enterprise startup/rollout headaches...

[Jeff Kell <jeff-kell () UTC EDU>]

Many thanks for all of the responses, and a little follow-up is in order
after finally getting this to work :)

We were making our attempt using CentOS 5.6 / samba3x package (3.5.4) /
latest Radiator package / Active Directory (Win2K8).

Everything worked up to EAPOL, then things fell apart.  Googling
suggested a Samba issue on CentOS.  So we tried Ubuntu, with no
success.  Downloaded source for 3.5.9 from samba.org, but it was
shared-library dependent, and we had difficulties getting it linked
properly and/or launched/invoked from Radiator.  Many other annoyances.

Yanked out CentOS 5.6 samba3x packages, and reinstalled older "samba"
packages (3.0.33) instead.  kinit works, ntlm_auth works, winbindd
happy, net ads join works, Radiator works, laptop associates and pulls
an IP via WPA2, success!

Initial testing let us do WPA2/Enterprise with Win7, MacOS, and an
iPhone without any special troubles.  Which makes me wonder now, is
there enough fuss left over to look at some "setup" tool like
XpressConnect?  I haven't tried an XP or Vista wireless yet, but it
appears the "current" majority of devices connect just fine.

Jeff

On 7/13/2011 9:50 AM, Jeff Kell wrote:
> One of our summer projects is to bring WPA2/Enterprise to our wireless
> network, which is currently either plaintext or using pre-shared keys,
> simply terminating on the controller.
>
> We have assembled the pieces of the puzzle we know about:
>
>   * Aruba controllers configured for AAA via Radius,
>   * Bradford Campus Manager is proxying the Radius requests (was doing
>     mac-authentication before),
>   * Radiator has been setup for "AuthBy NTLM" against our Active
>     Directory domain controllers.
>
> With these bits done, we can successfully authenticate at the Radiator
> command line (ntlm_auth works).
> We can successfully authenticate from the Bradford Radius test page.
> We can successfully authenticate from the Aruba AAA test page.
>
> However, we cannot seem to get any clients to successfully
> authenticate to wireless.  Win7 seems to get the farthest
> (out-of-the-box, no supplicants or certificates), prompting once for
> credentials when it tries PEAP, and failing that (perhaps due to the
> unknown certificate?), it prompts again in a pop-up window for
> "EAP-TTLS credentials" asking for domain\userID and password.  We then
> see Radiator trying the request/challenge several times before
> eventually rejecting, and there is no connection.
>
> Is there another whole piece of the puzzle we are missing to carry
> over to the clients?  I know at times in the past that various
> supplicants, shims, or some "connectivity add-ons" (e.g.,
> XpressConnect) were required to complete the picture, but I thought
> most of this could be done "out of the box" by now?
>
> It seems that we are so close but missing this final leap out to the
> client.  I had expected issues with bizarre devices (iThings, game
> consoles, etc), but not a wholesale failure of everything...
>
> Any suggestions, pointers, recipes, how-tos, "WPA2 for Dummies",
> magical incantations, war stories, drinking games, wishes, holy
> grails, etc., would be most welcome :)
>
> Thanks in advance,
>
> Jeff