ArubaOS and Controllers

Contributor II
Posts: 72
Registered: ‎05-22-2011

EAP-TLS and dot1x termination

--------------------------------------------------------------------------------

Hi,

We are using a 3200 controller and we are using it for 802.1x termination. We have uploaded the aruba controller server certificate (1024, pem format) and the CA (we only have one CA which is the root CA in this case) certificate as the trusted CA cert. We are using the internal database as the server group. Also we have the client cert. installed and the CA root cert in the client computer. However, we are not getting an authentication success from the controller. Do we need to place something in the internal database? I looked at the internal database and the only thing we can add in there is a username and a password which I am not sure how that works with EAP-TLS (we are using EAP-TLS). We don't have any AD, LDAP or RADIUS. Any thoughts? Thanks.
Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: EAP-TLS and dot1x termination

Please see the attached document written by one of our engineers.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: EAP-TLS and dot1x termination

Thanks for the information. However, we are using an open source CA called XCA which generates the certificates. We have the CA certificate in the controller, an Aruba Cert. in the controller and a client certificate in the client all issued/signed by the same CA we created under XCA. The XCA computer is not connected to the network. I would like to know if it's necessary to have an AD, IIS etc.? Also, the 3200 does not have "force machine authentication". One thing I also noticed is that even if you use the aruba controller server cert. under the dot1x authentication profile, the reference value is still "0". I did some packet captures and I can see EAP-TLS request and response from the controller (AP's MAC) but I don't see an Auth. successful. Is the AD piece what's missing?
Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: EAP-TLS and dot1x termination

Let me see if I can help this along.

You should generate a CSR for the controller and have it signed by XCA. Import that back into the controller using the instructions provided, if you have not done that already.

It is NOT necessary to have a radius server or AD server. The server in the document is a CA that just happens to be a Microsoft one and it is only used to issue certificates. It could easily be any other CA. The controller, as configured in the document, merely exists to allow client devices on the network whose certificates were issued by the CA that signed the certificates. Machine authentication is specific to Active Directory and should not be used in this context.
Colin Joseph
Aruba Customer Engineering

Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: EAP-TLS and dot1x termination

Let me see if I can help this along.

You should generate a CSR for the controller and have it signed by XCA. Import that back into the controller using the instructions provided, if you have not done that already.

It is NOT necessary to have a radius server or AD server. The server in the document is a CA that just happens to be a Microsoft one and it is only used to issue certificates. It could easily be any other CA. The controller, as configured in the document, merely exists to allow client devices on the network whose certificates were issued by the CA that signed the certificates. Machine authentication is specific to Active Directory and should not be used in this context.

Yes, I generated a CSR and imported it in XCA. The extension name of the CSR is a .txt because I just pasted it in a text file. I imported it into XCA and signed it using the CA root cert that we created. We created another certificate for the client with the signature of the root CA cert that we created. The problem I am seeing is I can import the CA root cert and the generated Aruba controller Server cert into the aruba certificate list, also I used both of them under the dot1x profile (CA Certificate drop down and Server certificate drop down). However, when I go to the list of certificates (Under Certificates tab) I can see that the CA cert is referenced once, but not the server certificate (referenced as 0). We don't have anything in our network other than the 2 switches (A and B), 1 router and 1 controller and 1 AP.
Guru Elite
Posts: 19,982
Registered: ‎03-29-2007

Re: EAP-TLS and dot1x termination

Please open a TAC case to get this sorted out. I understand what you are saying, and it should be referenced.
Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 6
Registered: ‎08-18-2007

Re: EAP-TLS and dot1x termination

What version of ArubaOS are you running on the 3200? You might want to try signing the CSR from the Aruba controller on your XCA Cert Authority as a 1024 bit certificate. Also to avoid having to place any entries in the local database, have a look at the TLS Guest option presented under the 802.1x Auth Profile as well.
You might also be interested in looking at 6.1.x as this version now supports OCSP for client certificate validation.