ArubaOS and Controllers

Occasional Contributor II
Posts: 27
Registered: ‎03-16-2010

Wildcard certificates for controller?

We are in the early stages of deployment of a campus WLAN using a 6000 controller and ~120 APs to start with. As we have several certificates for web services, we are looking to consolidate and purchase a wildcard certificate, which GeoTrust/RapidSSL has for under $200/year. I am running a demo RapidSSL cert on the controller now, but it appears I cannot create a CSR using *.domain.ca as suggested by RapidSSL. Has anyone successfully used a domain wildcard cert on their controller, and if so how?

Thanks.
Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Re: Wildcard certificates for controller?

I just did this recently. I used the OpenSSL tools to create a private key for *... Then used OpenSSL tools again to create the CSR for the key.

Once you get the certificate include it with the private key in a file and upload to the controller.

Wildcard certs work fine for captive portal, but they will not work for 802.1x, specifically with windows clients. This caught me by surprise.

Travis
Guru Elite
Posts: 20,417
Registered: ‎03-29-2007

Wildcard Certificates


I just did this recently. I used the OpenSSL tools to create a private key for *... Then used OpenSSL tools again to create the CSR for the key.

Once you get the certificate include it with the private key in a file and upload to the controller.

Wildcard certs work fine for captive portal, but they will not work for 802.1x, specifically with windows clients. This caught me by surprise.

Travis




Do the certificates work when you terminate them on the Radius Server?

If you do not require certs on the controller, that could be a legitimate option.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Re: Wildcard certificates for controller?


Do the certificates work when you terminate them on the Radius Server?

If you do not require certs on the controller, that could be a legitimate option.




No, this is a specific issue for Windows clients - specifically the EAPHost process on Windows will not accept a wildcard cert.
Observed behavior is: Windows Client OS will prompt for login info - but doesn't accept the cert so the PEAP tunnel is never made... no successful login... system retries... rinse/repeat... etc.

Same issue if the wildcard cert is installed on the RADIUS server - and it's not specific to wireless - happens for wired 802.1x using PEAP as well.

Mac OS X and iPhone clients accept the wildcard cert and will authenticate.

Does not appear to be a well documented issue other than here:
http://technet.microsoft.com/en-gb/cc730460.aspx
But not mentioned as a requirement here:
http://support.microsoft.com/kb/814394

I know long response - but this created a headache for me and just want to put the info I found out the hard way out for any others to hopefully benefit from.
Guru Elite
Posts: 20,417
Registered: ‎03-29-2007

No Wildcard Certs...Ever..

So the lesson is "Stay Away from Wildcard Certs"?


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Re: Wildcard certificates for controller?

Yes
...at least for 802.1x auth using PEAP-MSCHAPv2 with Windows clients
Occasional Contributor II
Posts: 27
Registered: ‎03-16-2010

Re: Wildcard certificates for controller?


Yes
...at least for 802.1x auth using PEAP-MSCHAPv2 with Windows clients




Thank you, this is exactly what I needed to know, and is reason enough to avoid wildcard certs for us.
Contributor I
Posts: 50
Registered: ‎04-29-2008

Wildcard + Root cert

Our wildcard certs are from Digicert which requires a root cert from Digicert be installed also. Any ideas on how to do this? Our original cert was standard variety. Now management wants the cheap route.

Cisco ASA has a facility for this.

We are only using them for the captive portal.
Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Re: Wildcard certificates for controller?

I think you just need to add the root cert to the top of your wildcard cert and load it on the controller. I believe this worked when I was testing with some ipsCA certs - that needed a cert chain to be accepted as valid by clients.

ie create a .pem file with



and upload to the controller




Our wildcard certs are from Digicert which requires a root cert from Digicert be installed also. Any ideas on how to do this? Our original cert was standard variety. Now management wants the cheap route.

Cisco ASA has a facility for this.

We are only using them for the captive portal.
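The two OpenSSL steps the thread describes (key plus CSR for the wildcard name, then a single .pem holding the certificate and its issuer) in one added example, not from the thread or from Aruba: the CSR carries the wildcard in both CN and SAN, and the bundle is checked to be leaf-first and to chain to the CA before it is uploaded. Domain, file names and the `WORK` directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): wildcard CSR with OpenSSL, then a
# chain-ordered PEM bundle (server cert first, issuers after) verified
# before upload. All names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# CSR config: the wildcard goes in CN and in the SAN, because current
# clients match the SAN and ignore the CN.
write_req_conf() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = *.$1
[ext]
subjectAltName = DNS:*.$1, DNS:$1
EOF
}

# Generate key + CSR for "*.<domain>"; prints the CN that went into the request.
make_wildcard_csr() {
  write_req_conf "$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.csr" 2>/dev/null
  openssl req -in "$WORK/wildcard.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Concatenate PEM files in the order given: leaf first, then intermediates/root.
build_bundle() {
  out="$1"; shift
  cat "$@" > "$out"
}

# Check a bundle before upload: the first certificate must be the wildcard
# leaf, and it must chain to the given trust anchor. Prints "ok" or "fail".
check_bundle() {
  bundle="$1"; anchor="$2"
  # "openssl x509" reads only the first certificate in the file.
  openssl x509 -in "$bundle" -noout -subject | grep -q 'CN *= *\*\.' \
    || { echo fail; return 0; }
  if openssl verify -CAfile "$anchor" -untrusted "$bundle" "$bundle" \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}
```

Order matters because the controller presents the first certificate in the file as its own; a bundle with the root on top fails the first check above.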


Contributor I
Posts: 50
Registered: ‎04-29-2008

Re: Wildcard certificates for controller?

Sounds like fun...