ArubaOS and Controllers

Frequent Contributor I
Posts: 83
Registered: 11-01-2010

How to configure an Enterprise sub-ordinate CA?

Thank you, cjoseph, for posting the "Step-by-Step: How to Configure Microsoft IAS Radius Server from Scratch".

I am looking to build an Enterprise Sub-ordinate CA server and am unsure how to go about building it, and then how to integrate that into the controller. Do I just modify the existing Radius server group to include the sub-ordinate server and enable "fall through"?

Thanks.
-syurick
Guru Elite
Posts: 20,579
Registered: 03-29-2007

Re: How to configure an Enterprise sub-ordinate CA?

You are welcome.

Now, when you say you are trying to make a subordinate CA, do you want to do that because you have a subdomain of some sort, and you want to authenticate those users?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 83
Registered: 11-01-2010

Re: How to configure an Enterprise sub-ordinate CA?

Single domain.

Our goal is to have redundant CAs as well as redundant Radius servers. I was thinking an Enterprise Sub-ordinate CA was the path to go, but if it's not, I am open to suggestions.
Guru Elite
Posts: 20,579
Registered: 03-29-2007

Re: How to configure an Enterprise sub-ordinate CA?

Single domain.

Our goal is to have redundant CAs as well as redundant Radius servers. I was thinking an Enterprise Sub-ordinate CA was the path to go, but if it's not, I am open to suggestions.

Well, if you are doing EAP-PEAP (username and password), the CA is only needed once to issue either radius server a certificate. Until that Radius server's certificate expires, the CA is pretty much out of the picture, so no real need for redundancy. If, however, you want to have a subordinate CA for redundancy, you can add the role to another domain controller and it will prompt you to create a CA subordinate to the initial one. (Quite frankly, all but the largest shops have only one CA.)

If you want another radius server, you can just add the NPS role to another server, request a certificate for it and create the same remote access policies on it, just like the instructions say.
You would also then configure the controller as a radius client on that server.

On the controller, add that radius server's entry into the server group that you are currently using, and you are done. If the first server does not answer for whatever reason, the second server in the server group will answer.

Please ask further questions, if this does not help.


Colin Joseph
Aruba Customer Engineering
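
The server-side steps from the reply above (add the NPS role, copy the policies, check that the controller is a RADIUS client, check the server certificate), as an added PowerShell example that is not part of the original thread. It assumes Windows Server 2012 or later with the NPS cmdlets available; the file path, controller address and warning threshold are placeholders.

```powershell
# Added example: run in an elevated PowerShell session on the SECOND server.
# All names, paths and addresses below are placeholders (assumptions).
$ConfigFile   = 'C:\Temp\nps-export.xml'   # produced on the first server with:
                                           #   Export-NpsConfiguration -Path C:\Temp\nps-export.xml
$ControllerIp = '192.0.2.10'               # controller address (documentation range)
$WarnDays     = 90                         # warn this long before the certificate expires

# 1. Add the NPS role.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null

# 2. Copy the policies and RADIUS clients from the first server.
#    The export file holds RADIUS shared secrets in clear text, so move it
#    over a protected channel and delete it once imported.
Import-NpsConfiguration -Path $ConfigFile
Remove-Item -Path $ConfigFile -Force

# 3. Confirm the controller is defined as a RADIUS client on this server.
$client = Get-NpsRadiusClient | Where-Object { $_.Address -eq $ControllerIp }
if (-not $client) {
    Write-Warning "No RADIUS client entry for $ControllerIp; add one with New-NpsRadiusClient."
}

# 4. PEAP needs a Server Authentication certificate with a private key in the
#    local machine store. List candidates and flag any close to expiry.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}
if (-not $certs) {
    Write-Warning 'No Server Authentication certificate found; request one from the CA.'
}
foreach ($cert in $certs) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt $WarnDays) { 'RENEW SOON' } else { 'ok' }
    '{0}  expires {1:yyyy-MM-dd}  ({2} days)  {3}' -f $cert.Subject, $cert.NotAfter, $daysLeft, $state
}
```

Adding the second server to the controller's server group is still done on the controller itself.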

Frequent Contributor I
Posts: 83
Registered: 11-01-2010

Re: How to configure an Enterprise sub-ordinate CA?

We are using EAP-PEAP. There are about 30 local controllers, 1 master controller and a little over 200 APs worldwide.

I would have to double check, but I believe the certificates expire once every 5 years. It wouldn't make much sense to have multiple CA servers since we would only need to generate a new certificate once every 5 years.

Redundant Radius servers are the way to go.

What did you mean when you said "you can just add the NPS role to another server"?
Guru Elite
Posts: 20,579
Registered: 03-29-2007

Re: How to configure an Enterprise sub-ordinate CA?

We are using EAP-PEAP. There are about 30 local controllers, 1 master controller and a little over 200 APs worldwide.

I would have to double check, but I believe the certificates expire once every 5 years. It wouldn't make much sense to have multiple CA servers since we would only need to generate a new certificate once every 5 years.

Redundant Radius servers are the way to go.

What did you mean when you said "you can just add the NPS role to another server"?

I mean, install another radius server in your environment.


Colin Joseph
Aruba Customer Engineering