Aruba Instant & Cloud Wi-Fi

Occasional Contributor I
Posts: 9
Registered: 11-06-2012

Terminate eap-tls on IAP?

Is it possible to terminate eap-tls on an IAP's virtual controller like you can with a mobility controller, or is that not supported yet?

Thanks in advance for any help!


Occasional Contributor I
Posts: 9
Registered: 11-06-2012

Re: Terminate eap-tls on IAP?

I think I found the answer:

Supported EAP Authentication Frameworks

The following EAP authentication frameworks are supported in the Instant network:

EAP-TLS— The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server.

Valued Contributor II
Posts: 804
Registered: 12-01-2014

Re: Terminate eap-tls on IAP?

Hi,

Yes, it is supported, but with certain limitations.

Cheers,
Venu Puduchery,
[Has my post helped you? Give Kudos :) ]
Occasional Contributor I
Posts: 9
Registered: 11-06-2012

Re: Terminate eap-tls on IAP?

What are the limitations?
Guru Elite
Posts: 7,835
Registered: 09-08-2010

Re: Terminate eap-tls on IAP?

I believe EAP-TLS on Instant requires an external RADIUS server.

From the user guide:

IAPs support EAP termination for enterprise WLAN SSIDs. The EAP termination can reduce the number of exchange packets between the IAP and the authentication servers.

Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server and an external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 9
Registered: 11-06-2012

Re: Terminate eap-tls on IAP?

[ Edited ]

I only need to authenticate using the cert - not cert plus username/password.  If the IAP controller can terminate EAP-TLS and do that part of the authentication, then I wouldn't see a need for an external auth server.  Theoretically, this should work, and I know it works on a mobility controller.

Based on what I posted earlier, it sounds like it should work on an IAP.  I just wish I had one in front of me to test.


EAP-TLS— The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server.

Since the client will be configured to pass the cert to the IAP, I don't see why it wouldn't be able to authenticate the cert without talking to an external RADIUS server and then allow the client on the network.  Again, I have this working on a mobility controller, so I assume there would be no technical reason why it wouldn't work, unless the IAPs are hard coded to only do EAP-TLS cert auth with RADIUS username/password auth following it.

What do you think?

Occasional Contributor I
Posts: 9
Registered: 11-06-2012

Re: Terminate eap-tls on IAP?

Hey - also, what if we were to point the RADIUS server to the internal RADIUS server?  Could we do it then?

MVP
Posts: 1,392
Registered: 11-30-2011

Re: Terminate eap-tls on IAP?

For future reference, it is possible; the settings are discussed here:

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-with-local-EAP-TLS-SSID/m-p/255467/

You don't require an external (or internal) user database.

Frequent Contributor I
Posts: 91
Registered: 08-10-2015

Re: Terminate eap-tls on IAP?

I need to auth TLS with LDAP on the back end.  So I need to terminate, then check the CN against my LDAP server.  I don't think that works still.

I ended up going with a 7005 controller for this site.  It is about the same size/cost of an AP anyway, so no big deal.
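The two-stage check the quoted user guide describes (the client certificate must chain to a CA installed on the authenticator before the identity is checked against a directory), and the CN-against-LDAP lookup the last post asks for, reproduced as an added illustration with openssl. This is not Aruba code: the CA, client certificate, rogue self-signed certificate and the plain-text allowlist standing in for LDAP are all constructed inside the script.

```shell
#!/bin/sh
# Added illustration, not Aruba code. Stage 1: the client certificate must be
# signed by a CA the authenticator trusts. Stage 2: the identity carried in the
# certificate (its CN) is looked up in a directory. The "directory" here is a
# constructed allowlist file standing in for an LDAP or RADIUS user store.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed trust anchor: one root CA, as would be installed on the IAP.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Corp Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Constructed client certificate issued by that CA (CN = username).
openssl req -newkey rsa:2048 -nodes -subj "/CN=jdoe" \
    -keyout "$WORK/jdoe.key" -out "$WORK/jdoe.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/jdoe.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/jdoe.pem" 2>/dev/null
# Constructed rogue certificate: same CN, but self-signed, so not from the trusted CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jdoe" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
# Constructed directory: usernames permitted on the SSID.
printf 'jdoe\nasmith\n' > "$WORK/directory.txt"

# Stage 1: chain validation. Succeeds only if the cert chains to the CA bundle.
verify_client_cert() {  # $1 = CA bundle, $2 = client cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pull the subject CN out of the certificate; this is the identity for stage 2.
cert_cn() {  # $1 = client cert
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Stage 2: directory lookup of the CN (exact, whole-line match).
lookup_user() {  # $1 = directory file, $2 = username
    grep -qx -- "$2" "$1"
}

# Full decision: prints "accept" or "reject". Chain first, identity second, so a
# certificate from an unknown CA never reaches the directory lookup.
authenticate() {  # $1 = CA bundle, $2 = client cert, $3 = directory file
    verify_client_cert "$1" "$2" || { echo reject; return 0; }
    lookup_user "$3" "$(cert_cn "$2")" && echo accept || echo reject
}
```

Running `authenticate "$WORK/ca.pem" "$WORK/jdoe.pem" "$WORK/directory.txt"` accepts, while the rogue certificate is rejected at stage 1 even though its CN is in the directory.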
