Server Cert and Trusted CA Cert
02-02-2012 10:49 PM
I am trying to set up EAP-TLS and have a few questions:
1) In a Master-Local setup, which controller do the Server and Trusted CA certs go on? APs are terminating on the Local.
2) What's the purpose of the Server and Trusted CA certs? What does the controller do with these certs, i.e. how exactly does it use them to authenticate clients?
3) I don't see the "eap-tls" option for the "Inner EAP-type" on the 802.1x profile. Do I need to upgrade code to get this option?
Re: Server Cert and Trusted CA Cert
02-02-2012 10:52 PM
arubamonkey wrote:
I am trying to set up EAP-TLS and have a few questions:
1) In a Master-Local setup, which controller do the Server and Trusted CA certs go on? APs are terminating on the Local.
2) What's the purpose of the Server and Trusted CA certs? What does the controller do with these certs, i.e. how exactly does it use them to authenticate clients?
3) I don't see the "eap-tls" option for the "Inner EAP-type" on the 802.1x profile. Do I need to upgrade code to get this option?
Great news!
You don't have to import any certificates on the controller for EAP-TLS to work. The RADIUS server only needs a remote access policy that has "Smartcard or other Certificate" and the client only needs a client certificate issued by the same CA.
Re: Server Cert and Trusted CA Cert
02-02-2012 11:04 PM
Well that was fast! What if I don't have a RADIUS server in this scenario?
Re: Server Cert and Trusted CA Cert
02-02-2012 11:08 PM
That involves more work.
Please follow the attached instructions, then.
Re: Server Cert and Trusted CA Cert
02-02-2012 11:30 PM
You're a lifesaver cjoseph! For the Trusted CA, the document says "This was created during the install of the MS Cert Server". What if it's not there?
Also, hate to badger you but can you please answer the three questions?
Re: Server Cert and Trusted CA Cert
02-02-2012 11:42 PM
When you create a CA, it installs its own Cert, automatically, at that time. I have never seen it without one.
For a full explanation of certificates, please read Jon Green's 5-part Digital Certificates series in the knowledge base here: http://community.arubanetworks.com/t5/Community-Kn
It will put you on the correct path.
Re: Server Cert and Trusted CA Cert
02-03-2012 09:42 AM
Do these server and trusted CA certs need to go on the Master controller or the LMS?
Re: Server Cert and Trusted CA Cert
02-03-2012 09:44 AM
Both.
Re: Server Cert and Trusted CA Cert
02-03-2012 09:49 AM
Thanks. What about the missing "eap-tls" option in "Inner EAP-type"? Would Apple devices work with the "eap-mschapv2" option?
Re: Server Cert and Trusted CA Cert
02-03-2012 09:52 AM
arubamonkey wrote:
Thanks. What about the missing "eap-tls" option in "Inner EAP-type"? Would Apple devices work with the "eap-mschapv2" option?
That option should be there. Either clear your browser cache or use a supported browser. If it does not appear, it is a bug and you should open a TAC case.





