ArubaOS and Controllers

Occasional Contributor II
Posts: 17
Registered: ‎08-02-2011

WPA2 Enterprise/AES

Hi,

I'm trying to set up WPA2 enterprise/AES encryption and do have one question and that regards the certificates.

If needed, do I need a "legitimate" certificate or can I self generate one? We do have an AD running, but we don't have a CA in place yet and I suppose our Win2k3 server running IAS needs a certificate?

Furthermore, do I need (at least for testing) to replace the controller certificate?

I'm not, of course, expecting an entire manual, maybe just a few pointers to get going :)

Have a pleasant day,
Tommy
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: WPA2 Enterprise/AES


- WPA2-AES-PEAP at minimum needs a certificate that all your clients trust, preferably on the RADIUS server
- If you don't have a CA, that is good, because nothing is depending on it, and you can create one easily. The CA can be on any domain controller; that can be its own domain controller, or the CA can be on the same server as the RADIUS server, if you want.
- If you create a CA in AD, you don't need a certificate on the Aruba Controller.
- A step-by-step of how to do it in Windows 2008 is here: http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/ (sorry, no step by step for Windows 2003)
- If you download the ArubaOS 6.x User guide at support.arubanetworks.com > Documentation, Appendix D says how to install IAS for Windows 2003.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
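
Added example (not part of the thread, and not Aruba's or Microsoft's procedure): for a lab test without a Windows CA, the requirement in the answer above, a RADIUS server certificate that clients trust, can be met with OpenSSL by creating a private CA, issuing a server certificate with the Server Authentication EKU, and verifying the chain. The names `Lab Wireless CA` and `radius.lab.example` and both function names are constructed for illustration.

```shell
# Lab-only PKI for PEAP testing. Uses OpenSSL instead of the Windows CA role
# discussed in the thread; all subject names are constructed placeholders.

make_lab_pki() {
  local dir="$1" host="$2"
  mkdir -p "$dir" || return 1
  # 1. Self-signed root CA. This is the certificate clients must trust.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab Wireless CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  # 2. Private key and signing request for the RADIUS server.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/radius.key" -out "$dir/radius.csr" 2>/dev/null || return 1
  # 3. Extensions: a leaf (non-CA) certificate usable for TLS server auth,
  #    which is what the PEAP outer tunnel presents to the client.
  cat > "$dir/radius.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # 4. Sign the request with the lab CA.
  openssl x509 -req -in "$dir/radius.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 365 \
    -extfile "$dir/radius.ext" -out "$dir/radius.pem" 2>/dev/null || return 1
  # Keep private keys readable by the owner only.
  chmod 600 "$dir/ca.key" "$dir/radius.key"
}

# Returns 0 if radius.pem chains to ca.pem and carries the serverAuth EKU,
# 1 if the chain does not verify, 2 if the EKU is missing.
check_radius_cert() {
  local dir="$1"
  openssl verify -CAfile "$dir/ca.pem" "$dir/radius.pem" >/dev/null 2>&1 \
    || return 1
  openssl x509 -in "$dir/radius.pem" -noout -text \
    | grep -q "TLS Web Server Authentication" || return 2
  return 0
}
```

Clients then need `ca.pem` in their trusted roots so they can validate the RADIUS server during the PEAP handshake.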

Occasional Contributor II
Posts: 17
Registered: ‎08-02-2011

Re: WPA2 Enterprise/AES

Fast and reliable as usual, Colin - Thanks a big bunch! :D
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: WPA2 Enterprise/AES

Found the IAS step by step doc. Please use the attached.

Please note that you can skip adding it to Active Directory, if the server you choose is already part of AD. You may just need to add the roles needed.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 17
Registered: ‎08-02-2011

Re: WPA2 Enterprise/AES

Nice, thanks again. I'm thinking of activating the CA role on our primary domain controller, since we really have no other server that's more suitable than that one. Concerns arose about how "invasive" activating the role is. When the role is activated, it shouldn't start issuing certificates "automatically" to other domain servers, computers, etc., correct?

We don't at the moment plan to use that CA for anything else, besides initially using it for "on-demand" certificates.

So basically - It shouldn't interfere with anything else, if I only use it to generate a certificate for the IAS? And as long as I stick to that, the role should be easily removed if the need arises?

Thoughts? Experiences?
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: WPA2 Enterprise/AES

Correct. It will only be used for what you configure it for.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 1
Registered: ‎08-23-2011

Consider using machine over user certs

Hello Tommy,

We just instituted EAP-TLS / WPA2 AES for our wireless environment. We were having issues with user certs expiring every year, and our resolution to this was to use machine cert authentication only selected for our user machines. You can push this out via GPO in a 2008 domain environment, or if you are 2003 and have Win7 machines, it's a quick change in wireless properties.

(WinXP machines require a reg hack). http://support.microsoft.com/kb/929847
Just create the key, export, then push to all XP clients via GPO.

It also allows the computer to authenticate pre-signon so the users will get their mapped drives if you have any.

I know this is brief, but if you have any questions, just reply and I will help where I can.

Justin