What is the CA-Certificate requirement for EAP-TLS authentication with termination enabled in the controller?

Aruba Employee

Answer :

 

Pre AOS 6.1, intermediate or root CA certificate can be used as CA-Certificate for client certificate verification.

Starting from AOS 6.2, only root CA certificate can be used as CA-Certificate for client certificate verification.

Below is the sample output of show auth-tracebuf when intermediate CA certificate is used as CA-Certificate in AOS 6.2 and above.

show auth-tracebuf mac 3c:a9:f4:3d:d3:20

Jun 13 17:23:00  station-down           *  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a0                                        -     -     
Jun 13 17:23:04  station-up             *  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a8                                        -     -     wpa2 aes
Jun 13 17:23:04  station-term-start     *  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a8                                        1     -     
Jun 13 17:23:04  eap-term-start        ->  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a8/dot1x_prof-ctg54                       -     -     
Jun 13 17:23:04  station-term-start     *  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a8                                        1     -     
Jun 13 17:23:07  client-cert           ->  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a8/dot1x_prof-ctg54                       1477  3300  
Jun 13 17:23:07  client-cert           ->  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a8/dot1x_prof-ctg54                       1486  3300  
Jun 13 17:23:07  client-cert           ->  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a8/dot1x_prof-ctg54                       337   3300  
Jun 13 17:23:07  client-finish         ->  3c:a9:f4:3d:d3:20  00:24:6c:80:74:a8/dot1x_prof-ctg54                       -     -     client cert verification failed     


In the show log errorlog, we can see the below message

Jun 13 17:23:07  authmgr[2386]: <132200> <ERRS> |authmgr|  Received TLS Client Finish but the client certificate 3c:a9:f4:3d:d3:2000:24:6c:80:74:a8 is not verified

While upgrading from Pre AOS 6.1 to 6.2 & above, consider changing the CA-Cerificate to Root CA if intermediate CA is used for client cerificate verification or if the CA-Certificate has chained with Root and intermediate CA then the client certificate verification will be successful.

Note : This applies only if the termination is enabled in the Aruba Controller.

Version history
Revision #:
1 of 1
Last update:
‎09-19-2014 05:40 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: