Contributor II
arubamonkey
Posts: 56
Registered: ‎12-17-2011
Accepted Solution

Server Cert and Trusted CA Cert

I am trying to set up EAP-TLS and have a few questions:

1) In a Master-Local setup, which controller do the Server and Trusted CA certs go on? APs are terminating on the Local.

2) What's the purpose of the Server and Trusted CA certs? What does the controller do with these certs, i.e. how exactly does it use them to authenticate clients?

3) I don't see the "eap-tls" option for the "Inner EAP-type" on the 802.1x profile. Do I need to upgrade code to get this option?

Moderator
cjoseph
Posts: 12,035
Registered: ‎03-29-2007

Re: Server Cert and Trusted CA Cert


arubamonkey wrote:

I am trying to set up EAP-TLS and have a few questions:

1) In a Master-Local setup, which controller do the Server and Trusted CA certs go on? APs are terminating on the Local.

2) What's the purpose of the Server and Trusted CA certs? What does the controller do with these certs, i.e. how exactly does it use them to authenticate clients?

3) I don't see the "eap-tls" option for the "Inner EAP-type" on the 802.1x profile. Do I need to upgrade code to get this option?

Great news!

You don't have to import any certificates on the controller for EAP-TLS to work. The RADIUS server only needs a remote access policy that has "Smartcard or other Certificate" and the client only needs a client certificate issued by the same CA.

Colin Joseph
Aruba Customer Engineering
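
What "issued by the same CA" means in practice, as an added example that is not part of the original posts: the side that terminates EAP-TLS (the RADIUS server here) accepts a client certificate only if it chains to the CA it trusts. The CA names, client names, file layout and helper functions are constructed for illustration, and the script assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed for illustration.
WORK=$(mktemp -d)

# Minimal OpenSSL config so the script does not depend on a system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'extendedKeyUsage = clientAuth\n' > "$WORK/client.ext"

# make_ca NAME: create a self-signed root CA (NAME.key / NAME.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA NAME: create a client certificate for NAME, signed by CA.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/client.ext" \
    -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to CA CERT: succeeds only if CERT validates against CA as a TLS client cert.
chains_to() {
  openssl verify -purpose sslclient -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca corp-ca                   # the CA the authenticating server trusts
make_ca other-ca                  # an unrelated CA
issue_client corp-ca laptop01     # client enrolled with the trusted CA
issue_client other-ca guest01     # client enrolled somewhere else

for c in laptop01 guest01; do
  if chains_to corp-ca "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```
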
Contributor II
arubamonkey
Posts: 56
Registered: ‎12-17-2011

Re: Server Cert and Trusted CA Cert

Well that was fast! What if I don't have a RADIUS server in this scenario?

Moderator
cjoseph
Posts: 12,035
Registered: ‎03-29-2007

Re: Server Cert and Trusted CA Cert

That involves more work.

Please follow the attached instructions, then.

Colin Joseph
Aruba Customer Engineering
Contributor II
arubamonkey
Posts: 56
Registered: ‎12-17-2011

Re: Server Cert and Trusted CA Cert

You're a lifesaver cjoseph! For the Trusted CA, the document says "This was created during the install of the MS Cert Server". What if it's not there?

Also, hate to badger you but can you please answer the three questions? :)

Moderator
cjoseph
Posts: 12,035
Registered: ‎03-29-2007

Re: Server Cert and Trusted CA Cert

When you create a CA, it installs its own Cert, automatically, at that time. I have never seen it without one.

For a full explanation of certificates, please read Jon Green's 5-part Digital Certificates series in the knowledge base here: http://community.arubanetworks.com/t5/Community-Knowledge-Base/tkb-p/tkb%40tkb

It will put you on the correct path.

Colin Joseph
Aruba Customer Engineering
Contributor II
arubamonkey
Posts: 56
Registered: ‎12-17-2011

Re: Server Cert and Trusted CA Cert

Do these server and trusted CA certs need to go on the Master controller or the LMS?

Moderator
cjoseph
Posts: 12,035
Registered: ‎03-29-2007

Re: Server Cert and Trusted CA Cert

Both.

Colin Joseph
Aruba Customer Engineering
Contributor II
arubamonkey
Posts: 56
Registered: ‎12-17-2011

Re: Server Cert and Trusted CA Cert

Thanks. What about the missing "eap-tls" option in "Inner EAP-type"? Would Apple devices work with the "eap-mschapv2" option?

Moderator
cjoseph
Posts: 12,035
Registered: ‎03-29-2007

Re: Server Cert and Trusted CA Cert


arubamonkey wrote:

Thanks. What about the missing "eap-tls" option in "Inner EAP-type"? Would Apple devices work with the "eap-mschapv2" option?


That option should be there. Either clear your browser cache or use a supported browser. If it does not appear, it is a bug and you should open a TAC case.

Colin Joseph
Aruba Customer Engineering