Aruba Instant & Cloud Wi-Fi

MVP
Posts: 1,412
Registered: ‎11-30-2011

IAP with local EAP-TLS SSID

I was looking into whether this is possible: doing EAP-TLS, so client certificate authentication, with only Aruba Instant, so no RADIUS server or such.

Some googling turned up mixed results.

This support document seems to indicate it is possible: http://www.arubanetworks.com/techdocs/InstantHTML/Content/Chapter11%20Authentication/AuthenticationServer.htm

Although how remains vague.

Then some Airheads threads; here it is mentioned it isn't easy:

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-TLS-authentication/td-p/48946

Here it is mentioned twice that it is possible (limitations are mentioned, but not which), but without details:

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Terminate-eap-tls-on-IAP/td-p/242330

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/EAP-TLS-termination-on-IAP/td-p/202459

So I started to configure it myself. First I loaded a server certificate (cert / key) and a CA, then configured the SSID Security section like this:

Key management: WPA-2 Enterprise
Termination: Enabled
Authentication server 1: ?

And now I was stuck, because why do I need an authentication server, and why can't I select the internal one if it is really needed? So I took a chance and just selected my CPPM server.

And it worked ... without receiving anything on the CPPM server. If I disable termination I do see the username (CN from cert) being sent to CPPM, but with Termination Enabled it seems to function fine.

Some questions:

1) Is this how you do client certificate based authentication with an IAP only?

2) Is the fact that you need to select an authentication server but it isn't used a known issue? The fact that you can't select the EAP type might be related here, but I'm looking for some documentation saying this is how it should work. I'm using version 6.4.2.6-4.1.1.6_50009, will try a newer one soonish.

3) Is it correct that you can't use the internal database for WPA Enterprise SSIDs in combination with Termination?

4) Anyone see issues with my approach? I tested with Windows, that worked, but perhaps not with others?
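Added example (not part of the original post and not Aruba code): with termination enabled, the IAP itself terminates the TLS handshake, checks that the client certificate chains to the CA you uploaded, and takes the username from the certificate CN, which is why the selected authentication server never sees a request. The script below reproduces that local check with plain openssl in a throwaway directory, using constructed CA and client names (lab-ca, other-ca, alice, bob), so you can validate a certificate bundle before uploading it to the IAP. It does not talk to an IAP or to CPPM.

```shell
#!/bin/sh
# Constructed lab PKI: one CA that plays the "uploaded CA", a second CA that
# the IAP knows nothing about, and one client cert issued by each.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate + key (constructed, short-lived)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" >/dev/null 2>&1
}

# make_client_cert CA CN: client certificate whose subject CN is the username
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_client CA CN: exit 0 only if the client cert chains to the given CA,
# which is the decision the terminating IAP makes against its uploaded CA.
verify_client() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# cert_username CN: print the subject CN, i.e. the username the IAP derives
# from the certificate (the value seen on CPPM when termination is disabled).
cert_username() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=CN=//'
}

make_ca lab-ca            # the CA uploaded to the IAP
make_ca other-ca          # a CA the IAP does not trust
make_client_cert lab-ca alice
make_client_cert other-ca bob

if verify_client lab-ca alice; then
  echo "alice: accepted, username=$(cert_username alice)"
fi
if ! verify_client lab-ca bob; then
  echo "bob: rejected, not issued by the uploaded CA"
fi
```

The same two openssl commands (verify against the CA file, then print the subject) are worth running on a real client certificate before rolling the SSID out: if verify fails on your workstation it will fail on the IAP too, and the printed CN is what will show up as the username in the client list.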

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: IAP with local EAP-TLS SSID

 

You are doing it the right way.

The external server option when doing EAP Termination is if you are using EAP-GTC, which could require you to connect to an external LDAP server. It is still selectable if you are doing different EAP types, but it does not do anything.

Please see the Instant training here: http://www.arubanetworks.com/products/networking/aruba-instant/training/instant-training/ and specifically Module 5, which discusses EAP Termination Options.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: IAP with local EAP-TLS SSID

Appreciated as always, cjoseph.

It is not the fact that you can select an auth server that confused me, it is the fact that you NEED to select one, even when you don't do anything with it. But I understand the need in this case, as you can't predict how it will be used.

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: IAP with local EAP-TLS SSID

There is similar behavior in ClearPass as well. When doing EAP-TLS authentication, you still have to select an authentication server.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: IAP with local EAP-TLS SSID

If you do authentication, yes, but you can turn that off, right? In the EAP-TLS settings. Do you still need an auth server then?

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: IAP with local EAP-TLS SSID

Yes. Any 802.1X service in ClearPass requires an authentication source. In some cases, it won't be used.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: IAP with local EAP-TLS SSID

Oh, and after watching the self-learn it was noted that the internal database should be usable for EAP-TLS / EAP-TTLS / EAP-PEAP and LEAP. But I seemed unable to select it; did I do it wrong or ...?

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: IAP with local EAP-TLS SSID

Ah, thanks cappalli, probably hit me before, but I couldn't remember.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: IAP with local EAP-TLS SSID

Also keep in mind that there is a recently fixed issue in IAP code 4.2.1.1 with 1x termination. Please see below from the release notes:

Symptom: Client devices running the Android 6.0+ or Windows 10 software were unable to connect to the 802.1x SSID of the IAP. The fix ensures that the client devices are able to connect to the 802.1x SSID.

Scenario: This issue occurred when 802.1x termination was enabled on the IAP and was observed in all IAPs running Instant 6.4.3.4-4.2.1.0 release.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 757
Registered: ‎03-25-2009

Re: IAP with local EAP-TLS SSID

Seth,

I have the same issue on ArubaOS. Do you know of a release which fixes this for ArubaOS using the internaldb with termination active?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.