Ignition Server PEAP Active Directory

Ignition Server
Engineering
> Ignition Server PEAP Active Directory
Authentication Technical
Configuration Guide
Avaya Data Solutions
Document Date: June 2011
Document Number: NN48500-626
Document Version: 1.1
avaya.com
© 2011 Avaya Inc.
All Rights Reserved.
Notices
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of
printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in
this document without the obligation to notify any person or organization of such changes.
Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation
unless such modifications, additions, or deletions were performed by Avaya. End User agree to indemnify and hold harmless Avaya,
Avaya’s agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with,
subsequent modifications, additions or deletions to this documentation, to the extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s)
provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and
does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that
these links will work all the time and has no control over the availability of the linked pages.
Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In
addition, Avaya’s standard warranty language, as well as information regarding support for this product, while under warranty, is
available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support
Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/
ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM
AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL
AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN
WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN
AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE
LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY
INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF
YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE
(HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND
CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA
AFFILIATE ("AVAYA").
Copyright
Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All
content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the
content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui
generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or
distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission,
dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under
the applicable law.
Third Party Components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements
("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party
Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source
code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available
on the Avaya Support Web site: http://support.avaya.com/Copyright.
Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya
are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks
without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the
documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and
to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya
Inc. All non-Avaya trademarks are the property of their respective owners.
Downloading documents
For the most current versions of documentation, see the Avaya Support. Web site: http://www.avaya.com/support
Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support
telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site:
http:// www.avaya.com/support.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
2
avaya.com
Abstract
This Technical Configuration Guide outlines the configuration steps required on an Avaya Ignition Server
to authenticate PEAP computers and users via Microsoft Active Directory. The main components include
the Avaya Wireless LAN 8100 Controller and Access Points, Avaya Ethernet Routing Switches, Avaya
Ignition Server and an Active Directory user store running on a Microsoft Windows Server 2003 server.
The audience for this Technical Configuration Guide is intended to be Avaya Sales teams, Partner Sales
teams and end-user customers.
Revision Control
No
Date
Version
Revised By
Remarks
1
June 2011
1.0
KLM
Initial Draft
2
June 2011
1.1
KLM
Minor Corrections
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
3
avaya.com
Table of Contents
Figures .......................................................................................................................................................... 5
Tables............................................................................................................................................................ 6
Conventions .................................................................................................................................................. 7
1.
2.
3.
4.
5.
Overview ............................................................................................................................................... 8
1.1
Extensible Authentication Protocol (EAP) ..................................................................................... 9
1.2
Digital Certificates ......................................................................................................................... 9
Configuration Example ........................................................................................................................ 11
2.1
Components ................................................................................................................................ 11
2.2
Hardware & Software .................................................................................................................. 12
2.3
Ignition Server ............................................................................................................................. 14
2.4
Avaya Wireless LAN 8100 .......................................................................................................... 64
2.5
Avaya Ethernet Routing Switch................................................................................................... 72
2.6
Microsoft Windows 7 ................................................................................................................... 77
Verification .......................................................................................................................................... 88
3.1
Avaya Ethernet Routing Switch................................................................................................... 88
3.2
Avaya Wireless LAN 8100 .......................................................................................................... 95
Troubleshooting ................................................................................................................................ 101
4.1
Authentication............................................................................................................................ 101
4.2
CA Root Certificates .................................................................................................................. 105
4.3
Active Directory Cache .............................................................................................................. 107
Reference Documentation ................................................................................................................ 109
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
4
avaya.com
Figures
Figure 1.0 – Avaya Ignition Server Active Directory Integration ................................................................... 8
Figure 1.2 – Digital Certificates ..................................................................................................................... 9
Figure 2.2 – Topology ................................................................................................................................. 12
Figure 2.3.2 – Active Directory .................................................................................................................... 26
Figure 2.3.3.1 – Directory Sets ................................................................................................................... 33
Figure 2.3.4.1 – Virtual Groups ................................................................................................................... 36
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
5
avaya.com
Tables
Table 2.2 – Hardware and Software ........................................................................................................... 13
Table 2.3.5.1 – Dynamic VLANs ................................................................................................................. 40
Table 2.3.7.1 – Authorization Policies ......................................................................................................... 49
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
6
avaya.com
Conventions
This section describes the text, image, and command conventions used in this document.
Symbols



Tip – Highlights a configuration or technical tip.
Note – Highlights important information to the reader.
Warning – Highlights important information about an action that may result in equipment
damage, configuration or data loss.
Text
Bold text indicates emphasis.
Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or
command:
ERS5520-48T# show running-config
Output examples from Avaya devices are displayed in a Lucida Console font:
ERS5520-48T# show sys-info
Operation Mode:
Switch
MAC Address:
00-12-83-93-B0-00
PoE Module FW:
6370.4
Reset Count:
83
Last Reset Type:
Management Factory Reset
Power Status:
Primary Power
Autotopology:
Enabled
Pluggable Port 45:
None
Pluggable Port 46:
None
Pluggable Port 47:
None
Pluggable Port 48:
None
Base Unit Selection:
Non-base unit using rear-panel switch
sysDescr:
Ethernet Routing Switch 5520-48T-PWR
HW:02
FW:6.0.0.10
Mfg Date:12042004
June 2011
SW:v6.2.0.009
HW Dev:H/W rev.02
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
7
avaya.com
1. Overview
The Avaya Identity Engines Ignition Server is an 802.1X capable RADIUS authentication, authorization
and accounting (AAA) server that permits or denies users access to a network based on policies. Avaya
Identity Engines Ignition Server allows enterprises to create a single set of policies that control access for
all the ways users connect to the enterprise network such as via Ethernet, Wireless LAN or VPN. Access
policies are stored on the Ignition Server while user accounts and groups are maintained on an existing
user directory such as Microsoft’s Active Directory.
The solution outlined in this guide provides enterprises with an Active Directory user directory with an
easy to deploy authentication solution for Ethernet and Wireless LANs that provides:

Secure authenticated Wired and Wireless LAN access for corporate Windows hosts providing
both computer and user authentication with dynamic VLAN assignments and a transparent logon
experience.

Secure authenticated LAN access for corporate Windows hosts providing both computer and user
authentication with dynamic VLAN assignments and a transparent logon experience.
Figure 1.0 – Avaya Ignition Server Active Directory Integration
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
8
avaya.com
1.1 Extensible Authentication Protocol (EAP)
The Avaya Ignition Server supports a number of Extensible Authentication Protocols (EAP) methods
which includes EAP-GTC, EAP-TLS, EAP-TTLS and PEAP. EAP-TLS is based on Public Key
Infrastructure (PKI) and leverages digital certificates issued to both the Ignition Server and users while
EAP-GTC, EAP-TTLS and PEAP support credentials which can be validated against a backend user
directory store such as Active Directory.
EAP-GTC, EAP-TTLS and PEAP each operate in a similar manner where the Ignition Server establishes
a secure Transport Layer Security (TLS) session with the 802.1X client before the user’s credentials are
exchanged through the TLS tunnel. The main advantage of these EAP methods over EAP-TLS is that a
signed certificate is only required on the Ignition Server. The 802.1X clients do not require a user
certificate which greatly simplifies implementation, deployment and management of the authentication
system. A root certificate authority (CA) certificate is optional on the 802.1X client but is recommended to
provide trust and validate the Ignition Server.
1.1.1.1 PEAP
PEAP supports the MSCHAPv2 authentication method and is natively supported by Windows and thirdparty operating systems. Unlike other EAP methods, PEAP provides native support for computer
authentication on Windows workstations which allows a Windows workstation to maintain an active
network connection to the wired or wireless network when no user is logged in to the workstation.
Computer authentication is useful as it allows specific Microsoft domain features to function such as
group policy updates, system updates and logon scripts.
As PEAP implements the MSCHAPv2 authentication protocol, native authentication against LDAP is not
possible as LDAP only provides support for PAP and CHAP authentication protocols. To authenticate
PEAP users against LDAP, the RADIUS server must either be tightly integrated into Active Directory or
the MSCHAPv2 authentication must be performed out-of-band using NT LAN Manager (NTLM). The
Avaya Ignition Server supports both NTLMv1 and NTLMv2 protocols. However the LDAP protocol is still
used to bind users to groups and obtain attributes.
1.2 Digital Certificates
Protected Extensible Authentication Protocol (PEAP) and Ignition Server administration utilize digital
certificates to provide mutual authentication and encryption. Mutual authentication or trust is provided by
leveraging Public Key Infrastructure (PKI) which allows all parties in the security exchange to verify and
validate digital certificates on each party. Authentication and encryption is provided using standard public
key and private key algorithms to protect credentials exchanged over the air as well as exchange
credentials.
Figure 1.2 – Digital Certificates
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
9
avaya.com
1.2.1
Server Certificates
One or more server certificates reside on the Ignition Server and are digital identifications containing
information about a server, service or organization. Server certificates contain a public key which is used
to create a secure Transport Layer Security (TLS) connection between the Ignition Server and the 802.1X
client when PEAP is deployed for authentication. In addition TLS is utilized to secure the management
and configuration information exchanged between the Ignition Server and Ignition Dashboard application.
The Ignition Server supports multiple server certificates and may assign a unique server certificate to
each Access Policy. This allows a single Ignition Server to support multiple enterprise organizations if
required.
1.2.2
Root CA Certificates
A root certificate is a self-signed certificate or an unsigned public key certificate which forms the
foundation of a public key infrastructure (PKI). A root certificate is the top-most certificate in the Certificate
Authority (CA) tree, and its private key is used sign all certificates issued from the CA.
Root CA certificates are installed on end user devices to identify and verify digital certificates issued from
the CA. Root certificates for common public CAs such as Entrust and VeriSign are typically pre-installed
on most operating systems allowing the end user devices to automatically trust servers and applications
using digital certificates issued from these CAs. However in enterprise environments, a private CA such
as Microsoft Certificate Services is often deployed and CA certificates are either automatically or
manually distributed to domain member devices.
It’s not mandatory that a CA root certificate be installed on the end user device for authentication as
802.1X clients can establish a secure connection to the Ignition Server without a CA root certificate being
present. However for 802.11 Wireless LAN deployments it is a best practice recommendation to install a
CA root certificate on the wireless clients so that the wireless clients can validate the identity of the
RADIUS authentication server before any credentials are exchanged.

Tip – For Microsoft Active Directory environments, Certificate Services deployed as an
Enterprise Root CA will automatically install the CA root certificate on domain member devices.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
10
avaya.com
2. Configuration Example
2.1 Components
The Avaya Ignition Server PEAP Active Directory authentication solution outlined in this guide consists of
the following software and hardware components:
1. Configuration and Management:

Ignition Dashboard Application – A Windows based application used to configure and
manage the Ignition Server that provides authentication, authorization and accounting as well
as an interface into Active Directory.
2. Access Control:

Ignition Server – Authenticates and authorizes PEAP computers and users who wish to
connect to the network and captures accounting information.

Active Directory User Directory – The centralized user directory which is queried by the
Ignition Server to authenticate and authorize end-users who wish to gain access to the
wireless network.
3. Authenticators:

Avaya Ethernet Routing Switch 4500 – Provides wired connectivity to corporate users which
are authenticated using RADIUS against the Ignition Server.

Avaya Wireless LAN 8100 – Provides wireless connectivity and mobility to corporate users
which are authenticated using RADIUS against the Ignition Server.
4. Client:

June 2011
Apple MacBook Pro (Bootcamp with Windows 7 Enterprise) – End user device that connects
and authenticates to the Avaya Ethernet Routing Switch 4500 or Wireless LAN.
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
11
avaya.com
2.2 Hardware & Software
The following diagram depicts the hardware and software components and the topology used to create
this guide:
Figure 2.2 – Topology
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
12
avaya.com
The following table highlights the hardware and software outlined above used to create this guide:
Hardware and Software Components
Dell PowerEdge D610 Server – VMWare ESXi Version 4.1.0:
1.
Avaya Ignition Server – Version 07.00.00.020468
2.
Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2:
o
Active Directory Services
o
Certificate Services
o
DNS Services
Avaya Ethernet Routing Switch 5520-48T-PWR – Version 6.2.0.009
Avaya Ethernet Routing Switch 4550T – Version 5.4.1
Avaya Ethernet Routing Switch 4524GT – Version 5.4.1
Avaya WLAN 8100 Series – Version 1.0.1.007

1 x WLAN Controller 8180

3 x WLAN Access Point 8120
IBM Thinkpad T500 – Windows 7 Enterprise:

Intel® WiFi Link 5100 AGN 802.11a/b/g PCI Express Wireless Adaptor

Microsoft Windows Client with Intel Extensions
Table 2.2 – Hardware and Software
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
13
avaya.com
2.3 Ignition Server
The following section outlines the configuration steps required to configure the Avaya Ignition Server to
authenticate PEAP users and computers against Active Directory then assign a VLAN based on Active
Directory group membership:

Note – This guide assumes all certificates are issued from a common public or Enterprise
certification authority. For this guide Microsoft Certificate Services configured as an Enterprise
Root CA will be utilized.
2.3.1
Digital Certificates
As PEAP is used for computer and user authentication, a signed server certificate must be installed on
the Ignition Server. The following section highlights the necessary steps required to request a certificate,
sign the certificate then install the signed certificate on the Ignition Server.
2.3.1.1 Certificate Signing Request (CSR)
Before a signed certificate can be issued and installed on the Ignition Server a public key and certificate
signing request (CSR) must be generated. The CSR provides the certificate authority with the necessary
information required to generate a signed certificate which will downloaded and installed on the Ignition
Server. The signed certificate will be used for PEAP authentication but may also be used for Ignition
Server Administration:
1
Within Ignition Dashboard select Site-Name > Certificates > Certificate Requests. Click New:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
14
avaya.com
2
In the Name field enter the hostname and domain name of the Ignition Server. Select the Key
Length value 2048 then set the Algorithm to RSA. Click Next:
3
In the Common Name (CN) field enter the hostname and domain name of the Ignition Server.
Enter appropriate Company, Regional and Contact information then select Next:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
15
avaya.com
4
A certificate signing request will be generated. Click Save To File (recommended) or Copy to
Clipboard then click Finish:


Note – Check with you network administrator to determine the appropriate key length before
generating the CSR. Most CAs require a 2048 bit key.
Note – The value provided in the CN field will be presented to the 802.1X client during
authentication and may be used by the 802.1X client to validate the identity of the RADIUS
authentication server.
2.3.1.2 Certificate Signing
A certificate signing request (CSR) can be signed by a private certificate authority (CA) that is operated
and maintained by the enterprise organization or an external public CA which charges a fee for each
server certificate issued. In most enterprise organizations a private CA will be deployed which allows
certificates to be generated and maintained for internal devices and users. Examples of private CAs
include Microsoft Certificate Services, Novell Certificate Authority and OpenSSL
The following provides an example of how to sign a CSR using Microsoft Certificate Services deployed as
an Enterprise Root CA using Web Enrollment:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
16
avaya.com
1
Using a web browser connect to Windows Server Web Enrollment web site, enter your
credentials then select the task Request a Certificate:
2
Select the option advanced certificate request:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
17
avaya.com
3
Select the option Submit a certificate request by using a base-64-encoded CMC or PKCS#10
file, or submit a renewal request by using a base-64-encoded PKCS#7 file:
4
In the Saved Request form field, paste the base-64 encoded text generated by the certificate
signing request (CSR) on the Ignition Server. In the Certificate Template field select the Web
Server template (or an alternative pre-defined user defined template) then click Submit:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
18
avaya.com
5
Select the encoding option Base 64 encoded then click Download certificate. Click Save then
specify a filename and path for the certificate followed by a second Save:
6
In the top right of the window select Home to take you to the main page. Select the encoding
option Base 64 encoded then click Download CA certificate. Click Save then specify a
filename and path for the certificate followed by a second Save:

Note – To be installed on the Ignition Server, the signed certificate and corresponding CA root
certificate must be issued in a base-64 encoded format.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
19
avaya.com
2.3.1.3 Install CA Root Certificate
A CA root certificate allows a device to validate certificates issued from the certificate authority. While a
CA certificate is not required on the Ignition Server to support PEAP, it is required if you plan on
deploying EAP-TLS which uses certificates issued to computers and users. As a best practice it is
recommended to install the CA certificate on a device when the server certificate is installed.
To install a CA root certificate on the Ignition Server:
1
Within Ignition Dashboard select Site-Name > Certificates > Protocol Root Certificates. Click
Import Root Certificate:
2
Select the path and filename for the base-64 encoded CA root certificate issued by your
certificate authority then click Open:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
20
avaya.com
3
The CA root certificate for the CA that issued the server certificate will now be installed:

Note – To be installed on the Ignition Server, the CA root certificate must be issued in a base-64
encoded format.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
21
avaya.com
2.3.1.4 Install Signed Server Certificate
Once the server certificate has been signed by the certificate authority (CA), it can be installed on the
Ignition Server and used for PEAP authentication and Ignition Server administration.
To install a signed certificate on the Ignition Server issued from a private or public CA:
1
Within Ignition Dashboard select Site-Name > Certificates > Certificates. Click Import
Certificate:
2
Select the path and filename for the base-64 encoded signed server certificate issued by your
certificate authority then click Open:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
22
avaya.com
3
Your signed server certificate will now be installed:

Note – To be installed on the Ignition Server, the signed server certificate must be issued in a
base-64 encoded format.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
23
avaya.com
2.3.1.5 Set Admin Certificate (Optional)
The Ignition Dashboard application uses TLS to provide a secure channel between the Ignition Server
and Ignition Dashboard application. By default the Ignition Server uses a self-signed certificate which
cannot be validated by the Ignition Dashboard application. In addition to being used for PEAP
authentication, the signed server certificate can also be used for Ignition Server administration.
To configure the Ignition Server to use the signed certificate for the Admin Certificate:
1
Within Ignition Dashboard select Site-Name > Certificates > Certificates. Click Modify:
2
Using the Admin Certificate pull-down menu select the signed certificate installed in the
previous step then click OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
24
avaya.com
3
Click Yes to confirm:
4
Within Ignition Dashboard select Administration > Root Certificates:
5
Select the path and filename for the base-64 encoded CA root certificate issued by your
certificate authority and enter an Alias name. Click Add:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
25
avaya.com
6
The CA root certificate for the CA that issued the server certificate will now be installed:

Note – Once you change the Admin Certificate, you must install the corresponding CA root
certificate in the Ignition Dashboard application. Failure to install the correct CA root certificate
will result in a connection failure.
2.3.2
Directory Services
Rather than maintain a separate user database on the Ignition Server for each PEAP user, the Ignition
Server can query an existing external user directory such as Active Directory. Directory Services defines
the necessary configuration parameters that allow the Ignition Server to communicate with an external
user directory store such as the Active Directory Server IP address, directory path information and bind
parameters.
The Ignition Server can communicate with Active Directory using Lightweight Directory Access Protocol
(LDAP) as well as the NT LAN Manager (NTLM) protocol. LDAP is used to validate user’s credentials
using PAP and CHAP authentication protocols while NTLM is used to validate user’s credentials using
MSCHAPv2:
Figure 2.3.2 – Active Directory
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
26
avaya.com
2.3.2.1 Configuration Step
For this configuration step a Microsoft Windows Server 2003 Domain Controller will be added to the
Directory Services on the Ignition Server with the following parameters defined:
1) The Name will be set to Active Directory to match the directory type.
2) The Service Account Name will be set to ide which is a bind user account for the Ignition Server
created in Active Directory.
3) The Service Account Password will be set to avayalabs that matches password defined for the
ide user account predefined in Active Directory.
4) The NetBIOS Domain will be set to AVAYALABS which matches the NetBIOS domain name for
the Active Directory Domain.
5) The AD Domain Name will be set to avayalabs.local which matches the Active Directory
Domain name.
6) The Directory Root DN will be set to the default value DC=avayalabs,DC=local.
7) The User Root DN will be set to the default value DC=avayalabs,DC=local.
8) The Primary Server IP Address will be set to 192.168.10.50 which is the host IP address
assigned to Microsoft Windows Server 2003 Domain Controller.
9) The Port will be set to the default value 389.
10) The NETBIOS Server Name will be set to W3KSERVER-DC1 which matches the NetBIOS name
assigned to the Microsoft Windows Server 2003 Domain Controller.
1
Within Ignition Dashboard select Configuration > Directories > Directory Services. Click New:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
27
avaya.com
2
In the Choose Service Type window select Active Directory then click Next:
3
In the Service Configuration Options window select Automatically Configure then click Next:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
28
avaya.com
4
In the Connect To Active Directory window enter the AD Domain Name, Service Account Name
and Password. Click Next:


Note – To communicate with Active Directory DNS must be enabled and configured on the
Ignition Server. DNS can be configured by clicking Appliance-Name > System > DNS.

Note – While the bind user account has been made a member of the Domain Admins group,
the bind user account can be a member of the Domain Users group as long as it has the
necessary privileges required to Create Computer Objects in the domain
(http://technet.microsoft.com/en-us/library/cc754478.aspx).
Note – In this example an Active Directory account called ide with the password avayalabs has
been pre-defined in Active Directory and is a member of the Domain Admins group. Account
options have also been set to lock the account password so that it cannot change.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
29
avaya.com
5
In the Connect to Active Directory window select the Security Protocols type Simple then
enter the IP address of the Active Directory Domain Controller. Click Next:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
30
avaya.com
6
In the Configure Active Directory Window set the Name to Active Directory. Click the icon next
to the NETBIOS Server Name field to resolve the NETBIOS server name. Verify the Active
Directory configuration by selecting Test Configuration:
7
If the Active Directory configuration is correct and the test successful, the following dialog
message will be displayed. Click OK then Next:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
31
avaya.com
8
A summary of the Active Directory configuration will be displayed. Click Finish:
9
A Directory Service called Active Directory has now been added to the Ignition Server:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
32
avaya.com
2.3.3
Directory Sets
Directory sets are an ordered list of user lookup services used by the Ignition Server when it processes
authentication requests. The directory set determines where the user account information is located (i.e.
local, Active Directory, LDAP etc.), which service is used to retrieve the user’s account information, and
which service is used to retrieve authorization data such as attributes and group membership.
2.3.3.1 Configuration Step
For this configuration step a directory set named Active Directory will be created that will authenticate
and authorize PEAP users and computers against the Active Directory user store:
Figure 2.3.3.1 – Directory Sets
1
Within Ignition Dashboard select Configuration > Directories > Directory Sets. Click New:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
33
avaya.com
2
Set the Name to Active Directory then click Add:
3
Set the User Lookup Service and Authentication Service to the Directory Service named
Active Directory then click OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
34
avaya.com
4
Use the default values then click OK:
5
A Directory Set called Active Directory has now been added to the Ignition Server:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
35
avaya.com
2.3.4
Virtual Groups
Virtual groups provide a mechanism that allows the Ignition Server to map external groups stored in the
Active Directory tree to virtual groups within the Ignition Server. The virtual groups can be used by the
Access Policy to determine if the user is authorized to access the system as well as assign return
attributes to the authenticator such as VLAN assignments.
2.3.4.1 Configuration Step
For this configuration step Virtual Groups called Sales, Marketing, Engineering and Domain
Computers will be created that map to their corresponding Active Directory groups. Based on the
computer and users Active Directory group membership, the Access Policy will apply authorization
restrictions as well as assign VLAN membership.
Figure 2.3.4.1 – Virtual Groups


Note – The Active Directory Groups must be present in the Active Directory tree prior to
mapping the Virtual Groups.
Note – If an Active Directory group is not visible on the Ignition Server, you can force a cache
refresh by selecting Monitor > Ignition-Server-Name > Directory Services Status > Refresh
Cache.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
36
avaya.com
1
Within Ignition Dashboard select Configuration > Virtual Mapping > Virtual Groups. Click
Actions > Add a New Virtual Group:
2
Add a virtual group for each Active Directory group which PEAP computers and users are
assigned in Active Directory. In this example users are assigned to Active Directory Groups
called Sales, Marketing and Engineering while the computers are assigned to the Active
Directory group named Domain Computers:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
37
avaya.com
3
Highlight the Virtual Group called Sales then select a Add:
4
Set the Directory Service named Active Directory then in the Active Directory tree locate the
Active Directory group to map the Virtual Group too. Click OK. In this example the Virtual
Group called Sales is mapped to its corresponding Active Directory Group
CN=Sales,CN=Users,DC=avayalabs,DC=local:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
38
avaya.com
5
Select the Marketing Virtual Group then click Add. Select the Directory Service named Active
Directory then in the Active Directory tree locate the Active Directory group name to map the
Virtual Group too. Click OK. In this example the Virtual Group called Marketing is mapped to
its corresponding Active Directory Group CN=Marketing,CN=Users,DC=avayalabs,DC=local:
6
Select the Engineering Virtual Group then click Add. Select the Directory Service named
Active Directory then in the Active Directory tree locate the Active Directory group name to
map the Virtual Group too. Click OK. In this example the Virtual Group called Engineering is
mapped to its corresponding Active Directory Group
CN=Engineering,CN=Users,DC=avayalabs,DC=local:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
39
avaya.com
7
Select the Domain Computers Virtual Group then click Add. Select the Directory Service
named Active Directory then in the Active Directory tree locate the Active Directory group
name to map the Virtual Group too. Click OK. In this example the Virtual Group called
Engineering is mapped to its corresponding Active Directory Group CN=Domain
Computers,CN=Users,DC=avayalabs,DC=local:
2.3.5
Virtual LANs
PEAP users connected to an Avaya Ethernet Switch or Wireless Access Point can be assigned to a
dynamic VLAN based on Active Directory group membership. VLAN information is forwarded to the
Authenticator with the RADIUS Access-Accept and can include the VLAN ID or VLAN name. Avaya
Ethernet Routing Switches support VLAN information using an ID while the Wireless LAN 8180 Wireless
Controllers support VLAN names. The Ignition Server determines the format of the VLAN information
based on the vendor device template assigned to the Authenticator.
2.3.5.1 Configuration Steps
For this configuration step three VLANs will be defined for Sales, Marketing and Engineering users and
Domain Computers:
Group
VLAN ID
VLAN Name
Domain Computers
10
Computers
Sales
11
Sales
Marketing
12
Marketing
Engineering
13
Engineering
Table 2.3.5.1 – Dynamic VLANs
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
40
avaya.com
1
Within Ignition Dashboard select Configuration > Provisioning > Outbound Values. Click
New:
2
In the Outbound Value Name field enter Sales then click New:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
41
avaya.com
3
Select the Global Outbound Attribute type VLAN. In the VLAN Label field enter Sales then in
the VLAN ID field enter 11. Click OK then OK:
4
Click New. In the Outbound Value Name field enter Marketing then click New:
5
Select the Global Outbound Attribute type VLAN. In the VLAN Label field enter Marketing then
in the VLAN ID field enter 12. Click OK then OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
42
avaya.com
6
Click New. In the Outbound Value Name field enter Engineering then click New:
7
Select the Global Outbound Attribute type VLAN. In the VLAN Label field enter Engineering
then in the VLAN ID field enter 13. Click OK then OK:
8
Click New. In the Outbound Value Name field enter Computers then click New:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
43
avaya.com
9
Select the Global Outbound Attribute type VLAN. In the VLAN Label field enter Computers
then in the VLAN ID field enter 13. Click OK then OK:
10
Outbound VLAN definitions for Sales, Marketing, Engineering and Computers have now been
defined:


Note – For dynamic VLAN assignment to be successful, the VLANs must be present on the
Avaya Ethernet Routing Switches and Wireless LAN 8180 Controllers.
Note – Only Windows Vista and Windows 7 support different VLAN IDs for Computers and
Users. Windows XP requires both Computers and Users to be assigned to the same VLAN.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
44
avaya.com
2.3.6
Access Policies
Access Policies contain a set of Authorization Rules that govern user authentication, defines supported
EAP types and the search order for user lookups. Access Policies control if a user will be permitted
access to the network as well as how the authentication transaction is to be performed.
2.3.6.1 Configuration Steps
For this configuration step an Access Policy named EAP Users will be created with the following
parameters defined:
1) PEAP authentication support will be enabled using EAP-MSCHAPv2.
2) The signed server certificate named ide.avayalabs.local will be used for TLS.
3) The Directory Set name Active Directory will be used for user authentication.
1
Within Ignition Dashboard select Configuration > Access Policies > RADIUS. Click New:
2
Enter the name EAP Users then click OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
45
avaya.com
3
Highlight the Access Policy then click Edit:
4
Enable the PEAP type EAP-MSCHAPv2. Select the signed server Certificate installed earlier
then click Next:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
46
avaya.com
5
Enable the option Enable Default Directory Set then select the Directory Set named Active
Directory. Click Next:
6
Verify the parameters then click Finish:

Note – Additional EAP methods such as EAP-GTC or EAP-TTLS can be enabled as required
but cannot be used for computer authentication.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
47
avaya.com
2.3.7
Authorization Policies
Access Policies contain one or more Authorization Policies that contain a set of rules that govern which
computers and users are granted access to the network, restrictions that determine when computers and
users can access a network as well as return attributes such as VLAN membership. The Ignition Server
can also evaluate user attributes, device attributes, and the context of the access request in order to
decide whether to authorize a user.
2.3.7.1 Configuration Steps
For this configuration step an Authorization Policy for Sales, Marketing and Engineering users and
Domain Computers will be added to the Access Policy named EAP Users. The authorization attributes
defined in this example will assign VLAN membership as well as time of day and day of week restrictions
based on Active Directory group membership:
Rule Name: Sales
Action
Allow
Outbound Value (VLAN Membership)
Sales
User Group Member (Exact Match)
Sales
Weekday (Between)
Monday and Friday
Time (Between)
8:00AM and 8:00PM
Rule Name: Marketing
Action
Allow
Outbound Value (VLAN Membership)
Marketing
User Group Member (Exact Match)
Marketing
Weekday (Between)
Monday and Friday
Time (Between)
8:00AM and 8:00PM
Rule Name: Engineering
Action
Allow
Outbound Value (VLAN Membership)
Engineering
User Group Member (Exact Match)
Engineering
Weekday (Between)
Monday and Friday
Time (Between)
8:00AM and 8:00PM
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
48
avaya.com
Rule Name: Domain Computers
Action
Allow
Outbound Value (VLAN Membership)
Domain Computers
User Group Member (Exact Match)
Domain Computers
Table 2.3.7.1 – Authorization Policies
1
Within Ignition Dashboard select Configuration > Access Policies > RADIUS > EAP Users.
Under RADIUS Authorization Policy click Edit:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
49
avaya.com
2
Click Add:
3
Enter the name Sales then click OK:
4
Set the Action to Allow then under Provision (Outbound Values) locate the VLAN named
Sales then add it to the Provision With List. Click New to add a rule:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
50
avaya.com
5
Select the Attribute Category type User then the Attribute named group-member. Select the
condition type Exactly Matches. Click Add and select the Virtual Group named Sales. Click
OK then OK:
6
Click New to create a second rule. Select the Attribute Category type and the Attribute named
Weekday. Select the condition type Week Day is Between. Click Add and set the values
Monday and Friday. Click OK then OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
51
avaya.com
7
Click New to create a second rule. Select the Attribute Category type and the Attribute named
Time. Select the condition type Between. Click Add and set the values 08:00 and 20:00. Click
OK then OK:
8
Authorization rules for the Sales users have now been created. Click Add:
9
Enter the name Marketing then click OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
52
avaya.com
10
Set the Action to Allow then under Provision (Outbound Values) locate the VLAN named
Marketing then add it to the Provision With List. Click New to add a rule:
11
Select the Attribute Category type User then the Attribute named group-member. Select the
condition type Exactly Matches. Click Add and select the Virtual Group named Marketing.
Click OK then OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
53
avaya.com
12
Click New to create a second rule. Select the Attribute Category type and the Attribute named
Weekday. Select the condition type Week Day is Between. Click Add and set the values
Monday and Friday. Click OK then OK:
13
Click New to create a second rule. Select the Attribute Category type and the Attribute named
Time. Select the condition type Between. Click Add and set the values 08:00 and 20:00. Click
OK then OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
54
avaya.com
14
Authorization rules for the Marketing users have now been created. Click Add:
15
Enter the name Engineering then click OK:
16
Set the Action to Allow then under Provision (Outbound Values) locate the VLAN named
Engineering then add it to the Provision With List. Click New to add a rule:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
55
avaya.com
17
Select the Attribute Category type User then the Attribute named group-member. Select the
condition type Exactly Matches. Click Add and select the Virtual Group named Marketing.
Click OK then OK:
18
Click New to create a second rule. Select the Attribute Category type and the Attribute named
Weekday. Select the condition type Week Day is Between. Click Add and set the values
Monday and Friday. Click OK then OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
56
avaya.com
19
Click New to create a second rule. Select the Attribute Category type and the Attribute named
Time. Select the condition type Between. Click Add and set the values 08:00 and 20:00. Click
OK then OK:
20
Rules for Engineering users have now been created. Click Add:
21
Enter the name Domain Computers then click OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
57
avaya.com
22
Set the Action to Allow then under Provision (Outbound Values) locate the VLAN named
Computers then add it to the Provision With List. Click New to add a rule:
23
Select the Attribute Category type User then the Attribute named group-member. Select the
condition type Exactly Matches. Click Add and select the Virtual Group named Domain
Computers. Click OK then OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
58
avaya.com
24
Rules for the Domain Computers have now been created. Click OK:
25
Authorization rules for Sales, Marketing and Engineering users and Domain Computers are
now added to the Access Policy:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
59
avaya.com
2.3.8
Authenticators
Avaya Ethernet Routing Switches and Wireless LAN 8180 Wireless Controllers that forward RADIUS
authentication requests to the Ignition Server are called Authenticators. Each Avaya Ethernet Routing
Switch or Wireless LAN 8180 Wireless Controller that uses the Ignition Server to authenticate PEAP
users and computers must be defined as an authenticator. One entry can be created for each
Authenticator or alternatively for larger deployments a bundle can be created which allows one
Authenticator entry to service multiple Authenticators.
Each Authenticator entry includes a friendly name, IP address, RADIUS shared secret, authenticator
type, Access Policy association and vendor information which defines the check and return attributes and
VLAN format the device supports.
2.3.8.1 Configuration Steps
For this configuration an Authenticator entry will be defined for a stack of Ethernet Routing Switch 4500s
and a Wireless LAN 8180 Controller:
1
Within Ignition Dashboard select Configuration > Authenticators > default. Click New:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
60
avaya.com
2
Enter the required parameters for the Wireless LAN 8180 Controller (example below) then click
OK:
Name
Set to the hostname of the Wireless LAN 8180 Controller.
IP Address
Set to the Wireless System Interface IP Address on the Wireless LAN 8180 Controller.
Authenticator Type
Set to Wireless.
Vendor
Set to Nortel.
Device Template
Set to generic-nortel which forwards the VLAN information as a Name.
RADIUS Shared Secret
Set to avayalabs which matches the shared secret defined on the Wireless LAN 8180
Controller.
Access Policy
Set to EAP Users.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
61
avaya.com
3
Click New to define an additional Authenticator. Enter the required parameters for the
Ethernet Routing Switch 4500 (example below) then click OK:
Name
Set to the hostname of the Ethernet Routing Switch 4500 or Stack.
IP Address
Set to the management IP Address assigned to the Ethernet Routing Switch 4500 or
Stack.
Authenticator Type
Set to Wired.
Vendor
Set to Nortel.
Device Template
Set to ers-switches-nortel which forwards the VLAN information as an ID.
RADIUS Shared Secret
Set to avayalabs which matches the shared secret defined on the Ethernet Routing
Switch 4500 or Stack.
Access Policy
Set to EAP Users.

Note – When adding a stack of switches as an Authenticator, you must define the stack IP
address and not the switch IP address.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
62
avaya.com
4
The Wireless LAN 8180 Wireless Controller and Avaya Ethernet Routing Switch 4500 have
now been added as Authenticators to the Ignition Server:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
63
avaya.com
2.4 Avaya Wireless LAN 8100
The following section outlines the configuration steps required to configure the Avaya WC8180 wireless
controller to provide secure 802.1X authenticated access to wireless PEAP users and computers with
dynamic VLAN assignments using the Ignition Server for RADIUS services:
2.4.1
Base Configuration
The Avaya 8100 series Wireless Controller requires basic network configuration before it can provide
wireless services to users. The Wireless Controller will be configured with the necessary management
and user VLANs as well as the virtual IP addresses required for management and Access Point
communications. In addition wireless services need to be configured and enabled so that the Avaya 8100
series Wireless Controller can manage Avaya 8100 series Access Points and serve Wireless LANs.
2.4.1.1 Configuration Steps
For this configuration step a factory defaulted WC8180 Wireless Controller will be configured with the
following basic parameters:
1. Management VLAN ID 10, Sales VLAN ID 11, Marketing VLAN ID 12 and Engineering VLAN
ID 13 will be created:
a. VLAN 10 will be assigned the IP address 192.168.10.30/24 and will be assigned to uplink
port 26.
b. IP routing will be enabled.
2. A static default route will be defined pointing to the 192.168.10.1 IP address assigned to the
private internal interface on the firewall.
3. A valid license file will be uploaded.
4. Wireless services will be enabled:
a. The Interface-ip address will be set to the management IP address 192.168.10.30.
b. The WC8180 will be configured as MDC capable with the password AvayaLabs12!@
assigned.
c.
The WC8180 will join the wireless domain named AVAYALABS.
d. The wireless domain will be configured with the country code US.
e. The wireless domain will be configured to automatically promote-discovered-aps.
f.
1
Mobility VLANs named Sales, Marketing, Engineering and Computers will be created
and mapped to their respective VLAN IDs.
Using the AACLI access the global configuration context:
WC8180# configure terminal
WC8180(config)#
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
64
avaya.com
2
Create VLANs 10-13 and assign port membership:
WC8180(config)# vlan create 10 name Mgmt type port
WC8180(config)# vlan create 11 name Sales type port
WC8180(config)# vlan create 12 name Marketing type port
WC8180(config)# vlan create 13 name Engineering type port
WC8180(config)# vlan members remove 1 1-26
WC8180(config)# vlan members add 10-13 26
WC8180(config)# vlan mgmt 10
WC8180(config)# show vlan
Id
Name
Type
Protocol
User PID Active IVL/SVL Mgmt
--- -------------------- -------- ---------------- -------- ------ ------- ---1
VLAN #1
Port
None
0x0000
Yes
IVL
No
Port
None
0x0000
Yes
IVL
Yes
Port
None
0x0000
Yes
IVL
No
Port
None
0x0000
Yes
IVL
No
Port
None
0x0000
Yes
IVL
No
Port Members: NONE
10
Mgmt
Port Members: 26
11
Sales
Port Members: 26
12
Marketing
Port Members: 26
13
Engineering
Port Members: 26
Total VLANs: 5
3
Assign virtual IP addresses to VLAN 10 and mark VLAN 10 for management:
WC8180(config)# interface vlan 10
WC8180(config-if)# ip address 192.168.10.30 255.255.255.0
WC8180(config-if)# exit
WC8180(config)# show vlan ip
==============================================================================
Vid
ifIndex Address
Mask
MacAddress
Offset Routing
==============================================================================
Primary Interfaces
-----------------------------------------------------------------------------10
10010
192.168.10.30
255.255.255.0
00:1B:4F:CA:19:80 1
Enabled
-----------------------------------------------------------------------------% Total of Primary Interfaces: 1
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
65
avaya.com
4
Globally enable IP Routing:
WC8180(config)# ip routing
WC8180(config)# show ip routing
IP Routing is enabled
IP ARP life time is 21600 seconds
5
Define a static Default Route that points to the core router on VLAN 10:
WC8180(config)# ip route 0.0.0.0 0.0.0.0 192.168.10.1 1
WC8180(config)# show ip route
===============================================================================
Ip Route
===============================================================================
DST
MASK
NEXT
COST
VLAN PORT PROT TYPE PRF
------------------------------------------------------------------------------0.0.0.0
0.0.0.0
192.168.10.1
1
14
12
S
IB
5
192.168.10.0
255.255.255.0
192.168.10.30
1
10
----
C
DB
0
Total Routes: 2
-------------------------------------------------------------------------------
6
If necessary upload a license file. Once installed the WC8180 will need to be reset:
WC8180(config)# copy tftp license address 192.168.10.6 filename license.dat
License successfully downloaded.
NOTE:
system must be rebooted to activate license.
WC8180(config)# boot
7
Using the AACLI access the wireless configuration context. Set the interface-ip to the virtual
IP Address assigned to VLAN 10 and enable wireless services:
WC8180> enable
WC8180# configure terminal
WC8180(config)# wireless
WC8180(config-wireless)# interface-ip 192.168.10.30
WC8180(config-wireless)# enable
WC8180(config-wireless)# show wireless
Status
: Enabled
Interface IP
: 192.168.10.30
TCP/UDP base port : 61000
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
66
avaya.com
8
Configure the WC8180 as MDC-Capable and define a password:
WC8180(config-wireless)# controller mdc-capable
% Domain password should be between 10-15 characters long.
% Password must contain a minimum of 2 upper, 2 lowercase letters
% 2 numbers and 2 special characters like !@#$%^&*()
Enter domain password: AvayaLabs12!@
Verify Domain password: AvayaLabs12!@
9
Create and join the Wireless Domain using the password defined in the previous step:
WC8180(config)# end
WC8180# wireless controller join-domain domain-name AVAYALABS mdc-address
192.168.10.30
Enter Domain Secret: AvayaLabs12!@
WC8180# show wireless controller domain-membership
Domain Name
: AVAYALABS
Domain Role
: Active MDC
Domain Action Status
: Join Success
Action Failure Reason
: None
10
Access the wireless configuration context. Create a Mobility VLAN for the Sales, Marketing
and Engineering users and Computers:
WC8180# configure terminal
WC8180(config)# wireless
WC8180(config-wireless# domain mobility-vlan Computers
WC8180(config-wireless# domain mobility-vlan Sales
WC8180(config-wireless# domain mobility-vlan Marketing
WC8180(config-wireless# domain mobility-vlan Engineering
WC8180(config-wireless# show wireless domain mobility-vlan
--------------------------------------------------Mobility VLAN Name
Status
--------------------------------
-----------------
default-MVLAN
Active
Computers
Active
Sales
Active
Marketing
Active
Engineering
Active
---------------------------------------------------
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
67
avaya.com
11
Map the Mobility VLANs to the Local VLANs:
WC8180(config-wireless# switch vlan-map Computers lvid 10
WC8180(config-wireless# switch vlan-map Sales lvid 11
WC8180(config-wireless# switch vlan-map Marketing lvid 12
WC8180(config-wireless# switch vlan-map Engineering lvid 13
WC8180(config-wireless# show wireless switch vlan-map
-----------------------------------------------------------------Mobility VLAN Name
LVID
Role
------------------
----- -----
Computers
10
Weight
None
Track
------- ----1
NONE
Sales
11
None
1
NONE
Marketing
12
None
1
NONE
Engineering
13
None
1
NONE
default-MVLAN
0
None
1
NONE
------------------------------------------------------------------
12
Define a country-code and enable then option to Automatically Promote Discovered APs.
Finally synchronize the configuration:
WC8180(config-wireless# domain
WC8180(config-wireless# country-code us
WC8180(config-wireless# domain auto-promote-discovered-ap
WC8180(config-wireless# end
WC8180# wireless controller config-sync
WC8180# show wireless domain info
Country
: US
AP QoS Mode
: Disabled
Roaming Timeout
: 30 seconds
TSPEC Violation Report Interval
: 300 seconds
Auto Promote Discovered AP
: Enabled
AP Image Update Download Group Size : 5 %
AP Image Update Reset Group Size
: 5 %
AP Reset Group Size
: 5 %
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
68
avaya.com
2.4.2
RADIUS Profiles
The Avaya 8100 series Wireless Controller can authenticate PEAP users against one or more RADIUS
servers assigned to a RADIUS profile. The RADIUS profiles are then assigned to one or more network
profiles that require 802.1X, MAC or captive-portal authentication. The Avaya 8100 series Wireless
Controller will then direct all RADIUS authentication requests to the available servers defined in the
RADIUS profile.
2.4.2.1 Configuration Steps
For this configuration step a RADIUS authentication profile named IDE will be created with the Ignition
Server added as a RADIUS server. The following RADIUS parameters will be defined:
1) The IP Address set to 192.168.10.52 which matches the IP Address assigned to the Admin
Port on the Ignition Server.
2) The RADIUS Shared Secret set to avayalabs which matches the RADIUS shared secret defined
on the Ignition Server in section 2.3.8.
1
Using the AACLI access the Wireless Security configuration context:
WC8180(config-wireless)# security
2
Create a RADIUS Profile with the id 1 named IDE and set the type to Auth:
WC8180(config-security)# radius profile IDE type auth
WC8180(config-security)# show wireless security radius profile
Total radius profiles: 1, auth: 1, acct: 0
Radius Profile
Type
-------------------------------- -------------IDE
3
Authentication
Create a RADIUS Server entry with the IP Address assigned to the Ignition Server and assign
it to the RADIUS Profile named IDE. When asked enter and confirm the secret avayalabs:
WC8180(config-security)# radius server 192.168.10.52 IDE secret
Enter server secret: avayalabs
Verify server secret: avayalabs
WC8180(config-security)# show wireless security radius server
Total radius servers: 1
Server IP
Radius Profile
Port# Priority
--------------- -------------------------------- ----- -------192.168.10.52
June 2011
IDE
1812
1
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
69
avaya.com
2.4.3
Network Profiles
Network Profiles define the wireless service parameters that radios advertise to wireless users. Each
network profile defines the SSID name advertised to users, the mobility VLAN users are assigned, the
authentication type and encryption ciphers. In addition the network profile defines the QoS mode and
parameters for the wireless service.
2.4.3.1 Configuration Steps
For this configuration step Network Profile 2 will be created with the following parameters will be defined:
1) The Profile Name set to AVAYA-IDE which for consistency matches the SSID name.
2) The SSID set to AVAYA-IDE which is advertised to wireless clients.
3) User Validation set to RADIUS and the RADIUS profile named IDE assigned.
4) WPA2 security with CCMP encryption will be enabled.
1
Using the AACLI access the Wireless Network Profile 2 configuration context:
WC8180(config-security)# network-profile 2
2
Set the Profile Name and SSID Name to AVAYA-DOT1X and define the Mobility VLAN name:
WC8180(config-network-profile)# profile-name AVAYA-DOT1X
WC8180(config-network-profile)# ssid AVAYA-DOT1X
3
Set the User Validation mode to RADIUS and assign the RADIUS Profile named IDE:
WC8180(config-network-profile)# user-validation radius
WC8180(config-network-profile)# radius authentication-profile IDE
4
Enable 802.11i security with CCMP encryption:
WC8180(config-network-profile)# security-mode wpa-enterprise
WC8180(config-network-profile)# wpa2 versions-supported WPA2 cipher-suite CCMP
WC8180(config-network-profile)# show wireless network-profile 2 detail
Network Profile ID: 2
Name : AVAYA-DOT1X
SSID : AVAYALAB-DOT1X
Hide SSID : No
Mobility Vlan Name :
No Response to Probe Request : Disabled
User Validation : RADIUS
Local User Group : Default
RADIUS Authentication Profile Name : IDE
RADIUS Accounting Profile Name :
RADIUS Accounting Mode : Disabled
Security Mode : WPA-Enterprise
MAC Validation : Disabled
WPA Versions : WPA2
WPA Encryption : CCMP
WPA2 Pre-Authentication : Enabled
WPA2 Pre-Authentication Limit : 0
WPA2 Key Caching Holdtime (minutes) : 10
Session Key Refresh Period (seconds) : 0
Group Key Refresh Period (seconds) : 0
Wireless ARP Suppression : Disabled
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
70
avaya.com
2.4.4
AP Profiles
Administrator’s provision managed Access Points using AP profiles. AP profiles allow a common set of
configuration parameters to be defined and applied to large groups of APs. Each AP profile is AP model
specific and assigns radio profiles, network profiles and QoS mappings to Access Points assigned to the
AP profile.
Each Access Point radio supports up to 16 Virtual Access Points (VAPs) each of with are assigned a
unique MAC address and look like a single Access Point. Each radio can support a maximum of 16
network profile assignments.
2.4.4.1 Configuration Steps
For this configuration step Network Profile 2 will be assigned to radios using the default AP Profile 1:
1) Network Profile 2 will be assigned to VAP 1 on Radio 1 (5GHz).
2) Network Profile 2 assigned to VAP 1 on Radio 2 (2.4GHz).
1
Using the AACLI access the Wireless AP Profile 1 configuration context:
WC8180(config-wireless)# ap-profile 1
2
Assign Network Profile 2 to VAP 1 on Radios 1 & 2:
WC8180(config-ap-profile)# network 1 1 profile-id 2
WC8180(config-ap-profile)# network 2 1 profile-id 2
WC8180(config-ap-profile)# show wireless ap-profile network 1
-------------------------------------------------------------------AP Profile Id
Radio Id
VAP Id
Network Profile Id
-------------
--------
------
------------------
Radio Operation
---------------
1
1
1
2
On
1
2
1
2
On
--------------------------------------------------------------------
3
Connect the Avaya 8100 series Access Points to the network and verify they are managed:
WC8180(config-wireless)# show wireless ap status
-----------------------------------------------------------------------------AP MAC
AP IP
Controller IP
Status
Need Image
-----------------
---------------
---------------
-------------
----------
5C:E2:86:0F:A3:C0
192.168.10.110
192.168.10.30
Managed
No
5C:E2:86:0F:C6:20
192.168.10.111
192.168.10.30
Managed
No
5C:E2:86:10:4A:C0
192.168.10.112
192.168.10.30
Managed
No
Upgrade
------------------------------------------------------------------------------
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
71
avaya.com
2.5 Avaya Ethernet Routing Switch
The following section outlines the configuration steps required to configure an Avaya Ethernet Routing
Switch to provide secure PEAP authenticated access with dynamic VLAN assignments to wired hosts
using the Ignition Server for RADIUS services.

Note – This configuration example only provides the basic configuration parameters only.
Please reference the Small, Medium, Large and Super Large Campus Technical Solution
Guides available athttp://support.avaya.com/css/Products/P0846/All_Documents for Avaya’s
Ethernet Routing Switch best practices and implementation recommendations.
2.5.1
Base Configuration
The stack of Avaya Ethernet Routing Switches requires basic network configuration before it can provide
wired services to users. The stack of Avaya Ethernet Routing Switches will be configured with the
necessary management and users VLANs as well as a stack IP address which will be used for
management access and RADIUS communications.
2.5.1.1 Configuration Steps
For this configuration step a factory defaulted stack of Avaya Ethernet Routing Switch 4500s will be
configured with the following basic parameters:
1. Management VLAN ID 10, Sales VLAN ID 11, Marketing VLAN ID 12 and Engineering VLAN
ID 13 will be created:
a. VLAN 10 will be defined as the management VLAN.
b. The IP address 192.168.10.19/24 and will be assigned to the stack.
c.
1
A default gateway 192.168.10.1 will be assigned to the stack.
Using the AACLI access the global configuration context:
ERS4500# configure terminal
2
Create the Management, Sales, Marketing and Engineering VLANs 10 – 13:
ERS4500(config)# vlan create 10 name Mgmt type port
ERS4500(config)# vlan create 11 name Sales type port
ERS4500(config)# vlan create 12 name Marketing type port
ERS4500(config)# vlan create 13 name Engineering type port
3
Assign VLAN 10 as the Management VLAN:
ERS4500(config)# vlan mgmt 10
3
Remove all ports from the default VLAN 1:
ERS4500(config)# vlan members remove 1 all
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
72
avaya.com
4
Enable 802.1Q tagging on uplink port 1/48:
ERS4500(config)# vlan ports 1/48 tagging tagall
ERS4500(config)# vlan ports 1/48 filter-untagged-frame enable
5
Add VLANs 10 – 13 to the uplink port 1/48 then set the PVID to 10:
ERS4500(config)# vlan members add 10-13 1/50
ERS4500(config)# vlan ports 1/50 pvid 10
ERS4500(config)# show vlans
6
Verify VLAN configuration:
ERS4500(config)# show vlans
Id
Name
Type
Protocol
User PID Active IVL/SVL Mgmt
--- -------------------- -------- ---------------- -------- ------ ------- ---1
VLAN #1
Port
None
0x0000
Yes
IVL
No
None
0x0000
Yes
IVL
Yes
None
0x0000
Yes
IVL
No
None
0x0000
Yes
IVL
No
None
0x0000
Yes
IVL
No
Port Members: NONE
10
Mgmt
Port
11
Sales
Port Members: 1/48
Port
Port Members: 1/48
12
Marketing
Port
Port Members: 1/48
13
Engineering
Port
Port Members: 1/48
Total VLANs: 5
ERS4500(config)# show vlan interface vids 1/48
Filter
Filter
Untagged Unregistered
Unit/Port
Frames
Frames
PVID PRI
Tagging
Name
--------- -------- ------------ ---- --- ------------- -------------1/48
Yes
Yes
10
0
TagAll
Unit 1,Port 48
ERS4500(config)# show vlan interface info 1/48
Unit/Port VLAN VLAN Name
VLAN VLAN Name
VLAN VLAN Name
--------- ---- ----------------
---- ----------------
---- ----------------
1/48
11
12
10
Mgmt
13
Engineering
--------- ---- ----------------
June 2011
Sales
---- ----------------
Marketing
---- ----------------
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
73
avaya.com
7
Assign a stack IP address, mask and default gateway:
ERS4500(config)# ip address stack 192.168.10.19
ERS4500(config)# ip address netmask 255.255.255.0
ERS4500(config)# ip default-gateway 192.168.10.1
ERS4500(config)# show ip
Bootp/DHCP Mode: BootP When Needed
Configured
In Use
Last BootP/DHCP
--------------- --------------- -------------------Stack IP Address:
192.168.10.19
Switch IP Address:
0.0.0.0
Stack Subnet Mask:
255.255.255.0
255.255.255.0
0.0.0.0
Default Gateway:
192.168.10.1
192.168.10.1
0.0.0.0
2.5.2
192.168.10.19
0.0.0.0
0.0.0.0
RADIUS
Avaya Ethernet Routing Switches support RADIUS authentication servers which can be used to provide
secure authenticated management access in addition to port based access control. The stack of Avaya
Ethernet Routing Switches require a primary RADIUS server to be defined before wired EAPOL
authentication can be enabled on the access layer ports. The Avaya Ethernet Routing Switches will be
configured with the necessary RADIUS parameters that will allow the stack of Avaya Ethernet Routing
Switches to communicate and forward EAPOL authentication requests to the Ignition Server.
2.5.2.1 Configuration Steps
For this configuration step the Ignition Server will be defined as a RADIUS server on the stack of Avaya
Ethernet Routing Switch 4500s:
1. The Ignition Server’s Admin IP address 192.168.10.52 will be added as the Primary RADIUS
Server.
2. The RADIUS shared secret avayalabs will be defined which matches the RADIUS shared secret
defined on the Ignition Server in section 2.3.8.
1
Configure the Ignition Server’s Admin IP address 192.168.10.52 as the primary RADIUS server
IP and specify the RADIUS shared secret avayalabs:
ERS4500(config)# radius-server host 192.168.10.52
ERS4500(config)# radius-server key
Enter key: avayalabs
Confirm key: avayalabs
2
Verify the RADIUS server configuration:
ERS4500(config)# show radius-server
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
74
avaya.com
Password Fallback:
Disabled
Primary Host: 192.168.10.52
Secondary Host: 0.0.0.0
Port:
1812
Time-out:
Key:
2
***************
Radius Accounting is
Disabled
AcctPort:
1813
2.5.3
EAPOL
Avaya Ethernet Routing Switches support the Extensible Authentication Protocol over LAN (EAPOL)
encapsulation standard to provide port based access control. This concept uses the Extensible
Authentication Protocol (EAP) as described in the IEEE 802.1X standard. EAPOL filters traffic based on
source MAC address. Unauthorized hosts are unable to receive traffic from authorized devices or the
network until the host successfully authenticate. Authentication hosts can be assigned to the native VLAN
assigned to the access port or alternatively can be assigned to a dynamic VLAN provided by the RADIUS
server.
By default Avaya Ethernet Routing Switches support a single EAPOL host per port; however Avaya
includes support for a number of EAPOL enhancements which allows a port to assign Guest VLANs,
support multiple EAPOL hosts, support a mix of EAPOL and non EAPOL hosts and support non EAPOL
enabled hosts such as Printers or Access Points.
2.5.3.1 Configuration Steps
For this configuration step the access layer ports 1/1-47 and 2/1-24 on the stack of Avaya Ethernet
Routing Switch 4500s will be enabled for EAPOL authentication with re-authentication support. For this
example the default Single Host Single Authentication (SHSA) implementation will be used:
1. EAPOL on access layer ports 1/1-47 and 2/1-24 will be configured as Auto.
2. EAPOL re-authentication will be enabled on access layer ports 1/1-47 and 2/1-24 using the
default timer 3600 seconds.
3. EAPOL will remain disabled on the uplink port 1/48 which will be set to the default value Forced
Authorized.
1
Enable EAPOL on access ports 1/1-47,2/1-24 and enabled re-authentication:
ERS4500(config)# interface fastEthernet all
ERS4500(config-if)# eapol port 1/1-47,2/1-24 status auto
ERS4500(config-if)# eapol port 1/1-47,2/1-24 re-authentication enable
2
Configure the uplink port 1/47 as Forced Authorized:
ERS4500(config-if)# eapol port 1/48 status authorized
ERS4500(config-if)# exit
ERS4500(config)# show eapol
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
75
avaya.com
Admin Status:
Auth:
Auto
Admin Status:
No
Auth:
Admin Dir:
Oper Dir:
Both
ReAuth Period:
Quiet Period:
Xmit Period:
Oper Dir:
3600
ReAuth Period:
Quiet Period:
Xmit Period:
30
No
3600
60
30
Supplic Timeout:
30
Server Timeout:
Max Req:
2
Max Req:
2
RDS DSE:
No
RDS DSE:
No
Access Ports 1/1-48,2/1-24
3
Both
ReAuth Enable:
30
Server Timeout:
Both
Yes
60
Supplic Timeout:
Yes
Admin Dir:
Both
ReAuth Enable:
F Auth
30
30
Uplink Port 1/48
Globally enable EAPOL:
ERS4500(config)# eapol enable
ERS4500(config)# show eapol
EAPOL Administrative State:
Enabled
Port-mirroring on EAP ports: Disabled

Note – Details for enabling multihost EAPOL options can be located in the product
documentation as well as various technical configuration guides available for download at
http://support.avaya.com/css/Products/P0846/All_Documents.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
76
avaya.com
2.6 Microsoft Windows 7
2.6.1
Root CA Certificate Installation
For this configuration step a base-64 encoded CA root certificate will be installed in Windows 7 so that
Windows 7 can validate the signed server certificate issued to the Ignition Server during 802.1X
authentication:
1
Using Explorer double click the CA root certificate to install. This will open the Certificate:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
77
avaya.com
2
Verify the CA root certificate you are installing is correct then click Install Certificate:
3
Click Next:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
78
avaya.com
4
Select the option Place all certificates in the following store then click Browse. Select Trusted
Root Certificate Authorities then click OK. Click Next:
5
Click Finish to add the CA root certificate to the users Trusted Root Certificate Authorities
certificate store:

Note – If the server certificate installed on the Ignition Server was issued from Microsoft
Certificate Services configured as an Enterprise Root CA and the Windows 7 workstation was
added to the domain after Certificate Services was installed, the CA root certificate will be been
automatically installed when the Windows 7 workstation was added to the domain.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
79
avaya.com
2.6.2
Wired Authentication Configuration Steps
For this configuration step 802.1X authentication will be enabled on the Local Area Connection in
Windows 7 which will authenticate the Computer and Users using PEAP while providing a single sign-on
experience:

1
Note – The Windows 7 service Wired AutoConfig must be started before 802.1X can be
enabled on a Wired interface.
In Windows 7 select Control Panel > Network and Sharing Center > Change Adaptor Settings.
Right click on Local Area Connection then select Properties:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
80
avaya.com
2
Enable the option Enable IEEE 802.1X authentication then select the network authentication
method type Microsoft: Protected EAP (PEAP). Click Settings:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
81
avaya.com
3
Enable the option Validate Server Certificate. Optionally enable Connect to these servers then
enter the hostname of the Ignition Server as defined in the CN field of the signed server
certificate installed on the Ignition Server. Click Configure and enable the option
Automatically use my Windows logon name and password. Click OK then OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
82
avaya.com
2.6.3
Wireless Authentication Configuration Steps
For this configuration step a Wireless Network will be added to Windows 7 that will authenticate the
Computer and Users on a WPA2 enabled Wireless LAN using PEAP while providing a single sign-on
experience:

Note – The Windows 7 service WLAN AutoConfig must be started before 802.1X can be
enabled on a Wireless interface.
1
In Windows 7 select Control Panel > Network and Sharing Center > Manage Wireless Networks
then click Add:
2
Select Manually create a network profile:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
83
avaya.com
3
In the Network name field type the SSID name to connect to then set the Security type to
WPA2-Enterprise. Set the Encryption type to AES then enable the option Start this connection
automatically. Click Next:
4
Select Change connection settings:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
84
avaya.com
5
Select the network authentication method type Microsoft: Protected EAP (PEAP) then click
Settings:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
85
avaya.com
6
Enable the option Validate Server Certificate. Optionally enable Connect to these servers then
enter the hostname of the Ignition Server as defined in the CN field of the signed server
certificate installed on the Ignition Server. Click Configure and enable the option
Automatically use my Windows logon name and password. Click OK then OK:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
86
avaya.com
7
A Wireless network profile has now been created in Windows 7:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
87
avaya.com
3. Verification
3.1 Avaya Ethernet Routing Switch
3.1.1
Computer Authentication
By default Windows 7 will perform Computer authentication when the Windows 7 workstation initially
boots or the user exits Windows. For computer authentication to succeed, the computer must be
connected to the Avaya Ethernet Routing switch and must be a member of the domain.
The following section highlights the steps required to validate PEAP computer Authentication on a
Windows 7 Enterprise workstation connected to an Avaya Ethernet Routing Switch:
1
Connect the Windows 7 workstation to an Ethernet port on the Avaya Ethernet Routing
Switch. Boot the Windows 7 workstation or logout of Windows 7. This will initiate EAPOL
computer authentication:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
88
avaya.com
2
On the Avaya Ethernet Routing Switch view the EAPOL port status. The Auth status will
display as Yes indicating the Computer has authenticated. In this example the Windows 7
workstation is connected to port 1/1:
ERS4500# show eapol port 1/1
EAPOL Administrative State:
Enabled
Port-mirroring on EAP ports: Disabled
Unit/Port:
1/1
Admin Status:
Auth:
Auto
Yes
Admin Dir:
Oper Dir:
Both
Both
ReAuth Enable:
Yes
ReAuth Period:
3600
Quiet Period:
Xmit Period:
60
30
Supplic Timeout:
Server Timeout:
3
Max Req:
2
RDS DSE:
No
30
30
On the Avaya Ethernet Routing Switch view the dynamic VLAN assignment for the port. In this
example all Domain Computers are assigned to the computer VLAN ID 10:
ERS4500# show vlan interface vids 1/1
Unit/Port VLAN VLAN Name
VLAN VLAN Name
VLAN VLAN Name
--------- ---- ----------------
---- ----------------
---- ----------------
---- ----------------
---- ----------------
1/1
10
Mgmt
--------- ---- ----------------
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
89
avaya.com
4
Using the Ignition Dashboard view the Access Logs by selecting Monitor > Site-Name >
Ignition-Server-Name > Log Viewer > Access. A record showing a successful authentication
and authorization for the computer will be listed:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
90
avaya.com
5
Double-click on the computer authentication log entry to view the authentication and
authorization details. Each Access Record contains various details which includes the
Authentication Result, Access Policy selected, Authenticator used, Username, Virtual Group
and if successful any return attributes forwarded to the Authenticator:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
91
avaya.com
3.1.2
User Authentication
By default Windows 7 performs user authentication after the Windows 7 user logon process and will use
the user’s domain credentials for authentication. For user authentication to succeed the computer must
be connected to the Avaya Ethernet Routing switch and the user’s domain credentials must be used.
The following section highlights the steps required to validate PEAP user Authentication on a Windows 7
Enterprise workstation connected to an Avaya Ethernet Routing Switch:
1
Login to Windows 7 using a domain username and password which will initiate EAPOL user
authentication. In this example a domain user that is a member of the Sales group is used:
Local Area Connection during
Computer > User transition
Local Area Connection after User
Authenticartion
2
On the Avaya Ethernet Routing Switch view the EAPOL port status. The Auth status will
display as Yes indicating the sales user has authenticated. In this example the Windows 7
workstation is connected to port 1/1:
ERS4500# show eapol port 1/1
EAPOL Administrative State:
Enabled
Port-mirroring on EAP ports: Disabled
Unit/Port:
1/1
Admin Status:
Auth:
Auto
Yes
Admin Dir:
Oper Dir:
Both
Both
ReAuth Enable:
Yes
ReAuth Period:
3600
Quiet Period:
Xmit Period:
60
30
Supplic Timeout:
Server Timeout:
June 2011
30
30
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
92
avaya.com
3
On the Avaya Ethernet Routing Switch view the dynamic VLAN assignment. In this example
the Sales users are assigned to the user VLAN ID 11:
ERS4500# show vlan interface vids 1/1
Unit/Port VLAN VLAN Name
VLAN VLAN Name
VLAN VLAN Name
--------- ---- ----------------
---- ----------------
---- ----------------
---- ----------------
---- ----------------
1/1
11
Sales
--------- ---- ----------------
4
Using the Ignition Dashboard view the Access Logs by selecting Monitor > Site-Name >
Ignition-Server-Name > Log Viewer > Access. A record showing a successful authentication
and authorization for the sales user will be listed:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
93
avaya.com
5
Double-click on the computer authentication log entry to view the authentication and
authorization details. Each Access Record contains various details which includes the
Authentication Result, Access Policy selected, Authenticator used, Username, Virtual Group
and if successful any return attributes forwarded to the Authenticator:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
94
avaya.com
3.2 Avaya Wireless LAN 8100
3.2.1
Computer Authentication
By default Windows 7 will perform Computer authentication when the Windows 7 workstation initially
boots or the user exits Windows. For computer authentication to succeed the Wireless LAN must be
active and in range and the computer must be a member of the domain.
The following section highlights the steps required to validate PEAP computer Authentication on a
Windows 7 Enterprise workstation connected to an Avaya Wireless LAN 8180 Access Point:
1
Boot the Windows 7 workstation or logout of Windows 7. This will initiate wireless computer
authentication:
2
On the Avaya Wireless Controller WC8180 view the associated clients. In this example the
Windows 7 workstation is Authenticated and assigned to the Computers mobility VLAN:
WC8180# show wireless client status
Total number of clients: 1
------------------------------------------------------------------------------Client
Client
Associated
Mobility
MAC Address
IP Address
Controller
VLAN
Status
----------------- --------------- --------------- --------------- ------------E0:F8:47:0F:E0:14 192.168.10.100
192.168.10.30
Computers
Authenticated
-------------------------------------------------------------------------------
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
95
avaya.com
3
Using the Ignition Dashboard view the Access Logs by selecting Monitor > Site-Name >
Ignition-Server-Name > Log Viewer > Access. A record showing a successful authentication
and authorization for the computer will be listed:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
96
avaya.com
4
Double-click on the computer authentication log entry to view the authentication and
authorization details. Each Access Record contains various details which includes the
Authentication Result, Access Policy selected, Authenticator used, Username, Virtual Group
and if successful any return attributes forwarded to the Authenticator:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
97
avaya.com
3.2.2
User Authentication
By default Windows 7 performs user authentication after the user logon process and the user enters
Windows 7. For computer authentication to succeed the Wireless LAN must be active and in range and
the user’s domain credentials must be used.
The following section highlights the steps required to validate PEAP user Authentication on a Windows 7
Enterprise workstation connected to an Avaya Wireless LAN 8180 Access Point:
1
Login to Windows 7 using a domain username and password which will initiate wireless user
authentication. In this example a domain user that is a member of the Sales group is used:
2
On the Avaya Wireless Controller WC8180 view the associated clients. In this example the
Windows 7 workstation is Authenticated and assigned to the Sales mobility VLAN:
WC8180# show wireless client status
Total number of clients: 1
------------------------------------------------------------------------------Client
Client
Associated
Mobility
MAC Address
IP Address
Controller
VLAN
Status
----------------- --------------- --------------- --------------- ------------E0:F8:47:0F:E0:14 192.168.11.101
192.168.10.30
Sales
Authenticated
-------------------------------------------------------------------------------
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
98
avaya.com
3
Using the Ignition Dashboard view the Access Logs by selecting Monitor > Site-Name >
Ignition-Server-Name > Log Viewer > Access. A record showing a successful authentication
and authorization for the sales user will be listed:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
99
avaya.com
4
Double-click on the computer authentication log entry to view the authentication and
authorization details. Each Access Record contains various details which includes the
Authentication Result, Access Policy selected, Authenticator used, Username, Virtual Group
and if successful any return attributes forwarded to the Authenticator:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
100
avaya.com
4. Troubleshooting
The following section highlights some common issues and resolutions when deploying Active Directory
computer and user authentication:
4.1 Authentication
4.1.1
Authenticator Trust
Problem Description:
One of the most common causes of failed authentication attempts is a mismatched RADIUS shared secret,
authenticator IP address mismatch or no authenticator entry. When an authentication request is received by the
Ignition Server, the Ignition Server will verify that the authenticator is trusted and the RADIUS shared secret matches.
If an Authenticator entry cannot be located for the source IP address that the RADIUS authentication request was
received from or the RADIUS shared secret is mismatched, the Ignition Server will drop the authentication request.
Using the Ignition Dashboard by select Monitor > Site-Name > Ignition-Server-Name > Log Viewer > Security. A
Packet dropped as Message-Authenticator Attribute validation failed log entry will be displayed:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
101
avaya.com
Resolution:
1.
Using the Ignition Dashboard select Configuration > Site-Name > Site-Configuration > Authenticators >
default. Verify the Ignition Server has an Authenticator entry for the Avaya Wireless LAN Controller 8180 or
Avaya Ethernet Routing Switch(es).
2.
If an Authenticator entry is present, verify the IP Address for the Authenticator record is correct:
3.
a.
The Avaya Wireless LAN Controller 8180 uses the Interface-IP address to originate RADIUS
authentication and accounting requests.
b.
An individual Avaya Ethernet Routing Switch uses the Switch Management IP address to originate
RADIUS authentication and accounting requests.
c.
A stack of Avaya Ethernet Routing Switches uses the Stack Management IP address to originate
RADIUS authentication and accounting requests.
If the Authenticator entry is present and the IP Address is correct, reset the RADIUS shared secret on the
Wireless LAN Controller 8180 or Ethernet Routing Switch(es) to match the RADIUS Shared Secret defined
in the Authenticator record.
TIP – You can view the RADIUS Shared Secret within the Authenticator Details window by selecting Show
next to the defined RADIUS Shared Secret:
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
102
avaya.com
4.1.2
NTLM Authentication
Problem Description:
PEAP uses MSCHAPv2 as an inner authentication protocol which is not natively supported by LDAP. To overcome
this limitation the Ignition Server employs NTLM authentication and creates a computer object in the Computers
container in the Active Directory tree. If the computer object is not present, MSCHAPv2 authentication will not be
possible and authentication will fail.
Resolution:
If MSCHAPv2 authentication is failing:
1.
Check the Computers container in Active Directory and look for the Ignition Server computer object. The
Name will either be the MAC address of the Ignition Server or the resolvable hostname.
2.
If the computer object is missing, assign the Ignition Server bind user account with the necessary
permissions required to allow it to Create Computer Objects in the domain
(http://technet.microsoft.com/en-us/library/cc754478.aspx). Alternatively assign the account to the Domain
Admins group.
3.
Initiate an MSCHAPv2 authentication request. If the Ignition Server bind user account has the necessary
permissions it will create a computer object I the Computers container.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
103
avaya.com
4.1.3
EAPOL Quiet Period
Each Ethernet port on an Avaya Ethernet Routing Switch supports various EAPOL timers. Most EAPOL
deployments can utilize the default timer values; however there may be some instances where certain
timers need to be modified to address authentication performance issues.
Problem Description:
When an EAPOL authentication attempt fails, the Avaya Ethernet Routing Switch will wait for the Quiet Period before
a new authentication attempt is accepted. While the Ethernet host may attempt to re-authenticate, the Avaya
Ethernet Routing Switch will not accept the new authentication until the Quiet Period expires which can impact the
Windows workstations ability to access the network. For example a user on a Windows host that fails computer
authentication will have to wait 60 seconds before user authentication can occur and access to the network is
permitted.
Parameter
Default Value
Description
Quiet Period
60 (s)
Time interval between an authentication failure and the
start of a new authentication attempt.
Resolution:
1.
If users are experiencing long authentication times due to initial authentication failures, consider reducing
the Quiet Period to10 seconds (or lower) to minimize the impact on the user and provide a transparent
logon experience.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
104
avaya.com
4.1.4
EAPOL Re-Authentication
Problem Description:
When re-authentication is enabled on an EAPOL port, the Avaya Ethernet Routing Switch will initiate reauthentication when the re-authentication period expires. Re-authentication is a useful feature as it provides a
mechanism to disconnect users when their Active Directory accounts are disabled or if time and date authorization
attributes are applied to users. Without re-authentication, users with expired or disabled credentials will remain
connected to the network and time and date authorization restrictions will never be applied to users.
Parameter
Default Value
Description
Re-Authentication Period
3600 (s)
Time interval between successive re-authentications.
Resolution:
1.
If users are remaining authenticated after their Active Directory accounts are disabled or time and date
permissions expire, enabled re-authentication on the EAPOL ports.
2.
When implementing time and date authorization policies are being deployed, consider reducing the ReAuthentication Period to 15 minutes. This will ensure users are disconnected within reason while
balancing the increase in authentication requests.
4.2 CA Root Certificates
Problem Description:
By default during PEAP authentication a Windows workstations will attempt to validate the signed server certificate
installed on the RADIUS authentication server using the corresponding CA root certificate installed in the users or
computers Trusted Root Certificate Authorities store. If no CA root certificate is found, the TLS session will not be
trusted and PEAP authentication will fail.
Resolution:
1.
Temporarily uncheck the Protected EAP Properties option Validate server certificate. If the user’s
credentials are valid this will allow the user to authenticate and connect to the network.
2.
Install the appropriate CA root certificate following the procedure outlined in Section 2.6.1. If the machine is
a member of the domain you may also use the MMC certificate snap-in to renew the certificate.
3.
Once the CA root certificate has been installed, re-enable the Protected EAP Properties option Validate
server certificate.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
105
avaya.com
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
106
avaya.com
4.3 Active Directory Cache
Problem Description:
The Ignition Server maintains a cache for each Directory Services groups and attributes. When a new group is added
to Active Directory it might take some time for the Active Directory cache to be updated on the Ignition Server which
may result in new groups not being visible when attempting to map a Virtual Group to an Active Directory group.
?
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
107
avaya.com
Resolution:
If an Active Directory group is not visible on the Ignition Server, you can force an Active Directory cache using the
Ignition Dashboard by selecting Monitor > Ignition-Server-Name > Directory Services Status > Refresh Cache.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
108
avaya.com
5. Reference Documentation
Publication Number
Document Title
NN47280-500
Avaya Identity Engines Ignition Server Configuration Guide
NN47205-505
Avaya Ethernet Routing Switch 4500 Series Configuration – Security
NN47251-500
Avaya WLAN 8100 Configuration – WC8180 (CLI)
© 2011 Avaya Inc. All Rights Reserved.
Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks
identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. All other trademarks are
the property of their respective owners. Avaya may also have trademark rights in other terms used herein. References to Avaya
include the Nortel Enterprise business, which was acquired as of December 18, 2009.
June 2011
Ignition Server PEAP Active Directory Authentication
Avaya Inc. – External Distribution
109
Download PDF
Similar pages