Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

EAP-TLS termination on IAP

  • 1.  EAP-TLS termination on IAP

    Posted Sep 17, 2014 08:57 AM

    Dear,

     

    One of our customers has many controllers on ships, and they do authentication by means of a certificate (EAP-TLS). Since the controllers don't have access to the NPS server continuously, they are using a certificate that is created by means of a CSR on the controller with a valid CA cert which is also uploaded to the controller.

    We configured this with the help of the attached document that I once found (see page 15).

     

    Now they want to do the same with IAPs that are configured via an Airwave Server. How do we request a CSR on an IAP? And how do we afterwards upload the CA certificate and the server certificate like we have done on the controller? Or isn't this possible?

     

    Kind regards,

    Attachment(s)

    docx
    EAP-TLS Termination-2-2.docx   2.11 MB 1 version


  • 2.  RE: EAP-TLS termination on IAP

    Posted Sep 17, 2014 03:39 PM

    Hi, 

    It is a pretty common config. You have to create a Server Certificate on your CA (as for a regular controller). You need the CA cert as well. Then you have to upload them to AirWave and select them in the group configuration for every Instant. For TLS you need accurate clock settings - bear in mind that IAPs have no RTC w/battery backup so NTP is mandatory. 

    HTH, 

    Marek 



  • 3.  RE: EAP-TLS termination on IAP

    Posted Oct 09, 2014 05:09 AM

    Hello Marek,

     

    I am sorry for my late reply, but I was too occupied the last 2 weeks to investigate this further.

    I managed to create a server certificate and I also exported my CA cert. After that I managed to upload these into Airwave and assign them to the Group that is managing the IAP Virtual Controller. So far so good.

    Now I tried to set up a network which is doing EAP-TLS. I assume (because I won't have access to my radius server) that I should terminate on the Virtual Controller. And that I should authenticate via WPA2-Enterprise against the internal DB? But if I choose the WPA2-Enterprise, I have to create an external radius entry on the AP.

    How can I choose to use the certificates that I pushed to the VC for the authentication?

     

    Kind regards,



  • 4.  RE: EAP-TLS termination on IAP
    Best Answer

    Posted Dec 30, 2015 01:05 PM

    For future reference, it is possible; settings are discussed here.

     

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-with-local-EAP-TLS-SSID/m-p/255467/

     

    I believe you can't select specific certs, you just load the ones you need. How this works with multiple I don't know, but I think it isn't possible.