Controllerless Networks

Frequent Contributor I
Posts: 86
Registered: ‎10-15-2012

EAP-TLS termination on IAP

Dear,

 

One of our customers has many controllers on ships, and they do authentication by means of a certificate (EAP-TLS). Since the controllers don't have access to the NPS server continuously, they are using a certificate that is created by means of a CSR on the controller with a valid CA cert which is also uploaded to the controller.

We configured this with the help of the attached document that I once found (see page 15).

 

Now they want to do the same with IAPs that are configured via an Airwave Server. How to request a CSR on an IAP? And how to upload afterwards the CA certificate and the server-certificate like we have done on the controller? Or isn't this possible?

 

Kind regards,

Thomas
ACMX#370 ACCP

Frequent Contributor I
Posts: 97
Registered: ‎04-13-2009

Re: EAP-TLS termination on IAP

Hi, 

It is a pretty common config. You have to create a Server Certificate on your CA (as for a regular controller). You need the CA cert as well. Then you have to upload them to AirWave and select them in the group configuration for every Instant. For TLS you need accurate clock settings - bear in mind that IAPs have no RTC w/battery backup so NTP is mandatory.

HTH, 

Marek 

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
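The clock requirement in the reply above, as an added example that is not part of the original thread: it builds a throwaway CA and server certificate with openssl (all names constructed) and verifies the chain at three clock values, showing that a device whose clock has fallen back to an early default rejects an otherwise valid certificate. The epoch 946684800 (2000-01-01) is an assumed reset value, not a documented IAP default.

```shell
#!/bin/sh
# Constructed demo PKI: a self-signed CA and a server certificate signed by it.
# Subject names and lifetimes are made up for illustration.
make_demo_pki() {
    d=$1
    # Self-signed CA certificate, valid for 10 years from now
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo Ship CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Server key and CSR
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=eap-server.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # CA signs the CSR; server certificate valid for 1 year from now
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/server.pem" 2>/dev/null || return 1
}

# verify_at <ca.pem> <cert.pem> <epoch-seconds>
# Succeeds only if the chain verifies when the verifier's clock reads <epoch>.
# Matches on the "OK" output so the result does not depend on exit-code
# behaviour of older openssl builds.
verify_at() {
    openssl verify -attime "$3" -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

dir=$(mktemp -d) || exit 1
make_demo_pki "$dir" || { rm -rf "$dir"; exit 1; }
now=$(date +%s)
# Correct clock, clock reset to 2000-01-01 (assumed), clock two years ahead
for t in "$now" 946684800 $((now + 63072000)); do
    if verify_at "$dir/ca.pem" "$dir/server.pem" "$t"; then
        echo "clock=$t: chain verifies"
    else
        echo "clock=$t: chain rejected (outside certificate validity window)"
    fi
done
rm -rf "$dir"
```

The same `-attime` check can be used before a deployment to confirm that a server certificate will still verify at a future date, such as the end of a voyage without connectivity.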
Frequent Contributor I
Posts: 86
Registered: ‎10-15-2012

Re: EAP-TLS termination on IAP

Hello Marek,

 

I am sorry for my late reply, but I was too occupied the last 2 weeks to investigate this further.

I managed to create a server certificate and I also exported my CA cert. After that I managed to upload these into Airwave and assign them to the Group that is managing the IAP Virtual Controller. So far so good.

Now I tried to set up a network which is doing EAP-TLS. I assume (because I won't have access to my radius server) that I should terminate on the Virtual Controller. And that I should authenticate via WPA2-Enterprise against the internal DB? But if I choose the WPA2-Enterprise, I have to create an external radius entry on the AP.

How can I choose to use the certificates that I pushed to the VC for the authentication?

 

Kind regards,

Thomas
ACMX#370 ACCP

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: EAP-TLS termination on IAP

For future reference, it is possible, settings are discussed here.

 

http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-with-local-EAP-TLS-SSID/m-p/255467/

 

I believe you can't select specific certs, you just load the ones you need. How this works with multiple I don't know, but I think it isn't possible.
