Controllerless Networks

Aruba
Posts: 1,296
Registered: ‎08-29-2007

IAP and different dot1x auth on different ssids

Hi,

I know the user guide says

Server Cert = TLS
CA & Server cert = EAP + TTLS

but is it possible to have TLS on one SSID and TTLS on another?

What exactly do I need to upload for EAP-PEAP (MSCHAPv2)? It is mentioned in the User Guide, but it doesn't make clear exactly what is needed to have that method.

Thanks


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Guru Elite
Posts: 21,543
Registered: ‎03-29-2007

Re: IAP and different dot1x auth on different ssids



If you just have the Certificate on the RADIUS Server, you do not need to upload ANYTHING to Instant.

You can have TLS on one SSID and TTLS on another if you do what I mentioned above.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,296
Registered: ‎08-29-2007

Re: IAP and different dot1x auth on different ssids

Thanks Colin,

This certificate stuff always confuses me, but

cjoseph wrote:

If you just have the Certificate on the RADIUS Server, you do not need to upload ANYTHING to Instant.

You can have TLS on one SSID and TTLS on another if you do what I mentioned above.

What about EAP-PEAP?

What about the CA cert, do I need that?

So with nothing uploaded, a client from a controller site can turn up at this Instant site and connect without doing anything to their settings? Obviously same SSID, RADIUS server, etc.

Thanks



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: IAP and different dot1x auth on different ssids

To clarify the three options you presented:

PEAP-MSCHAPv2 - Certificate on RADIUS server only

EAP-TLS - Certificate on RADIUS server and client

EAP-TTLS - Certificate on RADIUS server only; similar to PEAP (EAP-TTLS is not supported on Windows XP or 7 without an additional supplicant; Microsoft has added it in Windows 8)

On the IAP (or controller, if it is controller based), the SSID is set up as WPA2-Enterprise; the authentication types are not relevant (unless terminating the tunnel). The RADIUS server is the one that will determine who has access based on policies and supported authentication types: EAP-TTLS, EAP-TLS, etc.

You may need to set up multiple RADIUS server entries with differing NAS Identifiers for each SSID to differentiate the requests coming from the IAPs. That way the RADIUS server can determine which SSID the client is connecting from. If you have ClearPass or another RADIUS server that can import Aruba VSAs, you can use the Aruba-Essid-Name attribute to see the SSID name in the RADIUS request.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
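The per-SSID dispatch described in the post above, as an added example that is not part of this thread and not code from any Aruba product or RADIUS server: a small Python model of the RADIUS-side decision. It parses the attribute section of a constructed Access-Request, takes the SSID from the Aruba-Essid-Name VSA (vendor 14823, sub-type 5) or, failing that, from NAS-Identifier, and applies a per-SSID table of allowed outer EAP methods. The SSID names ("corp-tls", "corp-byod"), the policy table and the sample requests are assumptions made up for illustration; the RADIUS attribute numbers and EAP type codes are the standard ones. The IAP appears nowhere in this logic, which is the point: it relays EAP-Message attributes between client and server and needs no certificate of its own.

```python
"""Per-SSID EAP method policy, evaluated on the RADIUS server, keyed on
NAS-Identifier or the Aruba-Essid-Name VSA. Example code, not a product's."""
import struct

# RADIUS attribute types (RFC 2865, RFC 2869)
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
VENDOR_ARUBA = 14823       # Aruba Networks enterprise number
ARUBA_ESSID_NAME = 5       # Aruba-Essid-Name VSA sub-type

# EAP type codes (RFC 3748 and the IANA EAP registry)
EAP_IDENTITY, EAP_NAK, EAP_TLS, EAP_TTLS, EAP_PEAP = 1, 3, 13, 21, 25
EAP_NAMES = {EAP_TLS: "EAP-TLS", EAP_TTLS: "EAP-TTLS", EAP_PEAP: "PEAP"}

# Hypothetical policy (an assumption for this example, not a product default):
# SSID name -> outer EAP methods the RADIUS server will offer, in preference order.
SSID_POLICY = {
    "corp-tls":  [EAP_TLS],             # server cert + client cert
    "corp-byod": [EAP_PEAP, EAP_TTLS],  # server cert only
}


def parse_attributes(blob):
    """Walk RADIUS attribute TLVs: 1-byte type, 1-byte length (header included)."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def aruba_vsa(attrs, sub_type):
    """Return the value of an Aruba (vendor 14823) VSA sub-attribute, or None."""
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != VENDOR_ARUBA:
            continue
        j = 4  # vendor data is itself TLV: sub-type, sub-length, value
        while j + 2 <= len(v):
            st, sl = v[j], v[j + 1]
            if sl < 2 or j + sl > len(v):
                break
            if st == sub_type:
                return v[j + 2:j + sl]
            j += sl
    return None


def ssid_of(attrs):
    """Prefer Aruba-Essid-Name; fall back to NAS-Identifier (one per SSID entry)."""
    essid = aruba_vsa(attrs, ARUBA_ESSID_NAME)
    if essid is not None:
        return essid.decode("utf-8", "replace")
    return next((v.decode("utf-8", "replace") for t, v in attrs
                 if t == ATTR_NAS_IDENTIFIER), None)


def eap_response(attrs):
    """Reassemble EAP-Message fragments; return (type, type_data) of a Response."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5 or eap[0] != 2:        # code 2 = Response
        return None, b""
    length = struct.unpack("!H", eap[2:4])[0]
    return eap[4], eap[5:length]


def decide(blob):
    """Return (RADIUS reply code, EAP type to continue with or None, reason)."""
    attrs = parse_attributes(blob)
    ssid = ssid_of(attrs)
    allowed = SSID_POLICY.get(ssid)
    if allowed is None:
        return "Access-Reject", None, f"no policy for SSID {ssid!r}"
    eap_type, data = eap_response(attrs)
    if eap_type == EAP_IDENTITY:           # start: propose the SSID's first method
        return "Access-Challenge", allowed[0], "proposing " + EAP_NAMES[allowed[0]]
    if eap_type == EAP_NAK:                # client declined; its data lists alternatives
        choice = next((m for m in data if m in allowed), None)
        if choice is None:
            return "Access-Reject", None, "client NAKed every method allowed on " + ssid
        return "Access-Challenge", choice, "falling back to " + EAP_NAMES[choice]
    if eap_type in allowed:
        return "Access-Challenge", eap_type, EAP_NAMES[eap_type] + " continues"
    return "Access-Reject", None, f"EAP type {eap_type} not allowed on {ssid}"


# --- constructed sample requests (made up for this example, not captured traffic) ---
def attr(t, value):
    return bytes([t, 2 + len(value)]) + value


def essid_attr(ssid):
    sub = bytes([ARUBA_ESSID_NAME, 2 + len(ssid)]) + ssid.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ARUBA) + sub)


def eap_resp_attr(eap_type, data=b"", ident=1):
    body = bytes([2, ident]) + struct.pack("!H", 5 + len(data)) + bytes([eap_type]) + data
    return attr(ATTR_EAP_MESSAGE, body)


SAMPLES = {
    "identity_on_tls_ssid": attr(ATTR_NAS_IDENTIFIER, b"iap-01") + essid_attr("corp-tls")
                            + eap_resp_attr(EAP_IDENTITY, b"alice@example.com"),
    "tls_on_tls_ssid":      essid_attr("corp-tls") + eap_resp_attr(EAP_TLS, b"\x00"),
    "peap_on_tls_ssid":     essid_attr("corp-tls") + eap_resp_attr(EAP_PEAP, b"\x20"),
    "nak_to_ttls_on_byod":  attr(ATTR_NAS_IDENTIFIER, b"corp-byod")   # NAS-Id set per SSID entry
                            + eap_resp_attr(EAP_NAK, bytes([EAP_TTLS])),
    "unknown_ssid":         attr(ATTR_NAS_IDENTIFIER, b"iap-guest") + eap_resp_attr(EAP_IDENTITY),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:24} -> {decide(req)}")
```

In a real deployment this decision is expressed in the server's own policy language (a ClearPass service rule matching Aruba-Essid-Name, or unlang on FreeRADIUS) rather than in Python; the model just makes the data flow visible. The NAS-Identifier fallback only works if each SSID's RADIUS server entry on the IAP carries a distinct NAS-Identifier, which is exactly the setup the post recommends when the server cannot read Aruba VSAs.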

Aruba
Posts: 1,296
Registered: ‎08-29-2007

Re: IAP and different dot1x auth on different ssids

Yep, think I got it.

If only Colin's statement "If you just have the Certificate on the RADIUS Server, you do not need to upload ANYTHING to Instant." was actually in the User Guide.

Thanks again.

:-)



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Guru Elite
Posts: 21,543
Registered: ‎03-29-2007

Re: IAP and different dot1x auth on different ssids

Michael,

In general you do not have to upload anything to any NAS device like a controller or IAP that sits between a client and a RADIUS server. EAP types are configured on the RADIUS server and the client. The NAS device in general is just a gatekeeper that allows the client on the network after a positive response from a RADIUS server.

There are ways and reasons to upload a certificate to a controller or IAP for 802.1X, but they are purely optional.


Colin Joseph
Aruba Customer Engineering
