04-18-2012 02:29 PM
We have a Windows PKI infrastructure here (internal certificate authority) that works for internal authentication. We have working RADIUS servers (2) that are hosted on domain controllers. Our IAP-105s work fine (as far as authenticating users and computers who are placed in the appropriate groups). Auto enrollment seems to be fine. When a laptop connects to the IAP which hosts the virtual controller, that computer attaches to the secured wifi just fine and just as the group policy has dictated. If an enabled user logs in, he or she gets their drive mappings, etc. and is able to work. The non-hosting APs do not behave this way. If we reassign the VC, then the new VC IAP works perfectly well and the non-hosting AP does not. (I also want to say that the guest network works great for all APs.)
My question is: in this Windows PKI environment, do we still need to load both the cacert.pem file (CA) and the instantservercert.pem file? We actually had to create the server cert on the Windows CA server and upload the .pfx file onto the Aruba IAP-105. We still have the cacert.pem file on there. Do we really need this, or is this the reason that the non-VC-hosting APs will not complete authentication? Since we have a CA server, is the cacert.pem file redundant?
If this is the case, could we just remove all the certs and then just upload the server cert? Is the self-signed cacert that was created on a Linux box confusing the other APs when they try to get back to our RADIUS boxes?
Either way, how do we wipe out the currently loaded certs without blowing away all the rest of the config for the IAP-105s? We are at wits' end and really need to have a working multi-AP wifi running... last week!
As I stated in my other post, I am new to certificates...though learning more daily! ;-)
04-19-2012 04:59 PM
Update: at the request of Aruba support, I have taken two unused IAPs and set them up with the same settings as our existing IAPs. The ONLY difference is that the new setup has NO certs installed on the IAP-105s. We are seeing exactly the same behavior. If a laptop is near the IAP that hosts the virtual controller, it will grab the employee wifi settings, authenticate, mapped drives show up and are accessible, etc. If I turn off the same computer and move it near the other IAP, all I see is a constant "attempting to authenticate" message in Windows wireless network settings (from the taskbar). This now appears to be a RADIUS-to-IAP issue, but only on the non-VC-hosting IAPs. It certainly appears that our PKI infrastructure and cert auto-enrollment wireless GPOs are working.
The computers that cannot authenticate are being handed the internal Microsoft IP addresses on the wireless adapters (169.x.x.x). So whatever is occurring is also preventing communication with our DHCP server, which makes sense since the computers are not being granted access to the domain from the slave IAPs.
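One check worth running on the RADIUS side when only the VC-hosting IAP can authenticate clients, added here as an example and not part of the original post or of any Aruba or Microsoft documentation: confirm that the NPS server actually lists every IAP as a RADIUS client, and look for the event NPS logs when it drops a request from an address it does not recognise. The script assumes the RADIUS servers are Windows NPS with the NPS PowerShell module (Windows Server 2012 or later), that the IAP addresses in `$IapAddresses` are placeholders to be replaced with the cluster's real management IPs, and that each non-VC IAP sources its own RADIUS traffic (an assumption about the Instant cluster's RADIUS proxy setting; if the cluster proxies through the VC, only the VC address would need to be registered). Run it on each of the two RADIUS servers.

```powershell
# Added example, not code from the original post. Assumes Windows NPS with the
# NPS PowerShell module and placeholder IAP addresses (replace with real ones).
#Requires -RunAsAdministrator
Import-Module NPS

# Placeholder management IPs of the IAP-105s in the cluster (assumption).
$IapAddresses = @('10.0.10.11', '10.0.10.12', '10.0.10.13')

# 1. Which of the IAPs does NPS already know as a RADIUS client?
#    A RADIUS request from an unregistered source IP is silently discarded,
#    which from the client side looks like an endless "attempting to authenticate".
$known   = Get-NpsRadiusClient | ForEach-Object { $_.Address }
$missing = $IapAddresses | Where-Object { $known -notcontains $_ }

if ($missing) {
    Write-Host "NPS has no RADIUS client entry for: $($missing -join ', ')"
} else {
    Write-Host 'Every IAP address is registered as a RADIUS client.'
}

# 2. Has NPS been discarding requests from an unknown source? NPS records this
#    as event ID 13 in the System log ("A RADIUS message was received from the
#    invalid RADIUS client IP address ..."). The source address in the message
#    tells you which IAP the traffic is really coming from.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap -AutoSize

# 3. Register the missing IAPs with the same shared secret the IAPs are
#    configured to use for this RADIUS server. Do this on both RADIUS servers.
if ($missing) {
    $secret = Read-Host 'Shared secret configured on the IAPs for this server'
    foreach ($ip in $missing) {
        New-NpsRadiusClient -Name "IAP-$ip" -Address $ip -SharedSecret $secret
    }
}
```

If step 2 shows event ID 13 entries whose source address is one of the non-VC IAPs, the certificates on the IAPs are not the problem: NPS never got as far as evaluating the EAP exchange. If no such events appear and all addresses are registered, the next thing to compare is the shared secret on each IAP against the one NPS has for that client, since a mismatch is also reported by NPS rather than by the client.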
05-08-2012 06:34 AM