ArubaOS and Controllers

Occasional Contributor II
Posts: 43
Registered: ‎02-14-2008

Only user certificates and auth on windows mobile?

Hi All,

We've been migrating to EAP-TLS for our laptop users. I've got 25 Windows Mobile PDAs that will be joining the network soon and I'd rather not use preshared keys. I was hoping to utilise EAP-TLS but from what I can tell it is only possible to have user certs on these devices. We don't want to enroll or issue certs to our users and on these particular PDAs everything will be locked down to just one web based application.

Can anyone offer advice or personal experience on the best approach to take please?

Thanks
Jason
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Only user certificates and auth on windows mobile?

Hi Jason,

I'm not completely clear on the certificate issue: are you talking about device-level certificates that you can't import? It wasn't clear to me from googling around how robust the Windows Mobile support for EAP-TLS really is.

If you had to go the PSK route my recommendation would be to create an alias for the servers you need to access (in case you want to change them later). In the firewall policy lock down the PDA role to only allow the PDAs to connect to that server alias via HTTP, or better yet, HTTPS with some sort of user authentication before they can access the application. You would need to allow a few other services such as ICMP, DNS, DHCP, etc. At the end of the policy you could then specify an 'any-any-blacklist' policy, so if the device tries to do something you don't want them doing they can be taken off the network.

This should give you the peace of mind that even if your PSK key is discovered you still have HTTPS between the client and server, and trying to go to other sites results in the device being removed from the network.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
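The policy Andy describes, written out as an ArubaOS controller configuration. This is an added example, not configuration from the thread or from Aruba: the server addresses, alias, ACL, role and profile names are placeholders, and the keywords follow the ArubaOS session-ACL CLI as I know it (check `svc-*` names and the `blacklist` rule option against your controller's release).

```text
! Added example: server alias, locked-down PDA role, catch-all blacklist.
! 192.0.2.x addresses are placeholders (TEST-NET), not real servers.

! 1. Alias for the kiosk application servers, so the ACL never needs to change
!    when a server is moved or added.
netdestination pda-app-servers
  host 192.0.2.10
  host 192.0.2.11
!
! 2. Session ACL, matched top-down, first hit wins:
!    - the services a client needs to get an address and resolve the app hostname
!    - the application itself (HTTPS preferred; drop the HTTP line if the app is HTTPS-only)
!    - anything else is denied, logged and the client is blacklisted
ip access-list session pda-kiosk
  user any svc-dhcp permit
  user any svc-dns permit
  user any svc-icmp permit
  user alias pda-app-servers svc-https permit
  user alias pda-app-servers svc-http permit
  any any any deny log blacklist
!
! 3. Role that carries the ACL; this becomes the role every PSK client lands in.
user-role pda
  session-acl pda-kiosk
!
! 4. AAA profile for the WPA2-PSK SSID, placing clients directly into the PDA role.
aaa profile pda-psk-aaa
  initial-role pda
```

Two practical notes: `user any svc-dns permit` lets the PDA query any resolver, so if you have internal DNS servers it is worth putting them behind a second alias and permitting DNS only to that alias. And before enabling `blacklist` on the final rule, run it as plain `deny log` for a few days; a handset that phones home for updates or time sync would otherwise get itself blacklisted for the configured blacklist period, which looks like a wireless fault to the user.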
Occasional Contributor II
Posts: 43
Registered: ‎02-14-2008

Re: Only user certificates and auth on windows mobile?

Thanks Andy

Yep, device level certs. It seems that PDAs can't enroll a machine cert and the only type of certificate you can use on them is personal user certs. These require the user to enroll beforehand and also enter domain credentials, both of which would create a support nightmare. (Different users will be picking up different PDAs throughout the day).

I've now got WPA2-PSK-AES working with a tied-down policy but still feel a little nervous that we're not authenticating users to a device. I'll have to raise it internally and assess the risk versus support.
Guru Elite
Posts: 21,499
Registered: ‎03-29-2007

Captive Portal

Jason,

You could also make the initial role a captive portal role, like logon, and make the user authenticate with a username and password. That way, the device traffic will be protected, but you will also know the user on that device, and be able to enforce user-based policies....


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 43
Registered: ‎02-14-2008

Re: Only user certificates and auth on windows mobile?

Colin, how would that work with a PDA which is locked down to only bring up a web kiosk accessing a specific web server?

Also can users easily logout of a captive portal session when handing the PDA to another person?
Guru Elite
Posts: 21,499
Registered: ‎03-29-2007

Logging out, etc

Jason,

I didn't know that it was locked down to a specific webpage. Captive Portal would redirect users to a login page, but since that would not be the same URL as your application it would not work. I'm not sure how windows mobile handles popups, but the captive portal provides a "logout" popup that you would be able to use to logout.

Like AWL says, you can have an initial role when users connect to the WPA2-PSK SSID that locks down their traffic to only the locations, using the protocols, at the times you want. What I was mentioning above would allow you to know the user who logged into the device.

Distributing certs, however, is a nightmare....


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 43
Registered: ‎02-14-2008

Re: Only user certificates and auth on windows mobile?

Ok, thanks Colin. It's something I might investigate whilst rolling them out with firewall policies initially.