Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP with local EAP-TLS SSID

  • 1.  IAP with local EAP-TLS SSID

    Posted Dec 30, 2015 02:39 AM

    I was looking into whether this is possible: doing EAP-TLS, so client certificate authentication, with only Aruba Instant, so no RADIUS server or similar.

    Some googling turned up mixed results.

    This support document seems to indicate it is possible: http://www.arubanetworks.com/techdocs/InstantHTML/Content/Chapter11%20Authentication/AuthenticationServer.htm

    although how remains vague.

    Then some Airheads threads; here it is mentioned that it isn't easy:

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-TLS-authentication/td-p/48946

    Here it is mentioned twice that it is possible (limitations are mentioned, but not which) but without details:

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/Terminate-eap-tls-on-IAP/td-p/242330

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/EAP-TLS-termination-on-IAP/td-p/202459

    So I started to configure it myself. First I loaded a server certificate (cert / key) and a CA, then configured the SSID Security section like this:

    Key management: WPA-2 Enterprise
    Termination: Enabled
    Authentication server 1: ?

    And now I was stuck, because why do I need an Authentication server, and why can't I select the Internal one if it is really needed? So I took a chance and just selected my CPPM server.

    And it worked ... without receiving anything on the CPPM server. If I disable termination I do see the username (CN from cert) being sent to CPPM, but with Termination Enabled it seems to function fine.

    Some questions:

    1) Is this how you do client certificate based authentication with an IAP only?

    2) Is the fact that you need to select an Authentication server but it isn't used a known issue? The fact that you can't select the EAP type might be related here, but I'm looking for some documentation saying this is how it should work. I'm using version 6.4.2.6-4.1.1.6_50009, will try a newer one soonish.

    3) Is it correct that you can't use the internal database for WPA Enterprise SSIDs in combination with Termination?

    4) Anyone see issues with my approach? I tested with Windows, that worked, but perhaps not with others?
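The post above describes the two things the IAP is given for a terminated EAP-TLS SSID (a server certificate and a CA) and the one thing that comes out of the client certificate (the CN, which shows up as the username). The script below is an added illustration of that check, not code from the thread or from Aruba: it builds a throw-away PKI with the openssl CLI (assumed to be installed; all CA names, user names and file names are constructed for the demo), then applies the same two steps a terminating AP applies to a client certificate: does it chain to the uploaded CA, and what is its CN. A certificate with the right CN but issued by a CA the AP does not hold is rejected, which is the property you rely on when no RADIUS server is behind the SSID.

```shell
#!/bin/sh
# Added example (not from the thread or from Aruba): a stand-in for the check that
# EAP-TLS termination performs on the IAP. The IAP holds the uploaded CA; the
# client presents a certificate; the IAP accepts it only if it chains to that CA,
# and the CN of the subject becomes the username. All certificates below are
# constructed on the fly with the openssl CLI, which this demo assumes is installed.
set -e

WORK=$(mktemp -d)

# Issue a client certificate signed by the given CA; the CN is the user identity.
issue_client_cert() {
    ca_name=$1; user=$2; out=$3
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$out.csr" -days 2 \
        -CA "$WORK/$ca_name.crt" -CAkey "$WORK/$ca_name.key" -CAcreateserial \
        -out "$WORK/$out.crt" 2>/dev/null
}

# Build a throw-away PKI: the CA that would be uploaded to the IAP, plus a second
# CA the IAP knows nothing about, and one client certificate from each.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo-Lab-CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other-CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" 2>/dev/null
    issue_client_cert ca alice alice          # trusted: issued by the uploaded CA
    issue_client_cert other-ca alice imposter # same CN, but issued by an unknown CA
}

# What the terminating IAP decides: does the client certificate chain to the CA it holds?
verify_client() {
    if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# The identity the IAP would report as the username: the CN of the client certificate.
# The sed pattern tolerates both "subject=CN=..." and the older "subject= CN=..." output.
client_identity() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

build_pki
for c in alice imposter; do
    if verify_client "$WORK/$c.crt"; then
        echo "$c.crt accepted; username = $(client_identity "$WORK/$c.crt")"
    else
        echo "$c.crt rejected: not issued by the CA loaded on the IAP"
    fi
done
```

Because only the chain check separates the two certificates (both carry CN=alice), the CA file you upload to the IAP is the whole trust decision for a terminated SSID: anyone who can obtain a certificate from that CA gets the username written in it. That is the reason to keep that CA dedicated to device or user certificates rather than reusing a broad corporate root.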



  • 2.  RE: IAP with local EAP-TLS SSID
    Best Answer

    EMPLOYEE
    Posted Dec 30, 2015 07:54 AM

    You are doing it the right way.

    The external server option when doing EAP Termination is for when you are using EAP-GTC, which could require you to connect to an external LDAP server. It is still selectable if you are doing different EAP types, but it does not do anything.

    Please see the Instant training here: http://www.arubanetworks.com/products/networking/aruba-instant/training/instant-training/ and specifically Module 5, which discusses EAP Termination Options.



  • 3.  RE: IAP with local EAP-TLS SSID

    Posted Dec 30, 2015 01:02 PM

    Appreciated as always, cjoseph.

    It is not the fact that you can select an auth server that confused me, it is the fact that you NEED to select one, even when you don't do anything with it. But I understand the need in this case, as you can't predict how it will be used.



  • 4.  RE: IAP with local EAP-TLS SSID

    EMPLOYEE
    Posted Dec 30, 2015 01:04 PM
    There is similar behavior in ClearPass as well. When doing EAP-TLS
    authentication, you still have to select an authentication server.


  • 5.  RE: IAP with local EAP-TLS SSID

    Posted Dec 30, 2015 01:09 PM

    If you do authentication, yes, but you can turn that off, right? In the EAP-TLS settings. Do you still need an auth server then?



  • 6.  RE: IAP with local EAP-TLS SSID

    EMPLOYEE
    Posted Dec 30, 2015 01:10 PM
    Yes. Any 802.1X service in ClearPass requires an authentication source. In
    some cases, it won't be used.


  • 7.  RE: IAP with local EAP-TLS SSID

    Posted Dec 30, 2015 01:12 PM

    Oh, and after watching the self-learn it was noted that the internal database should be usable for EAP-TLS / EAP-TTLS / EAP-PEAP and LEAP, but I seemed unable to select it. Did I do it wrong or ...?



  • 8.  RE: IAP with local EAP-TLS SSID

    Posted Dec 30, 2015 01:12 PM

    Ah, thanks cappalli, probably hit me before, but I couldn't remember.



  • 9.  RE: IAP with local EAP-TLS SSID

    EMPLOYEE
    Posted Dec 30, 2015 02:35 PM

    Also keep in mind that there is a recently fixed issue in IAP code 4.2.1.1 with 1x termination. Please see below from the release notes:

    Symptom: Client devices running the Android 6.0+ or Windows 10 software were unable to connect to the 802.1x SSID of the IAP. The fix ensures that the client devices are able to connect to the 802.1x SSID.

    Scenario: This issue occurred when 802.1x termination was enabled on the IAP and was observed in all IAPs running Instant 6.4.3.4-4.2.1.0 release.



  • 10.  RE: IAP with local EAP-TLS SSID

    MVP
    Posted Jan 04, 2016 11:36 AM

    Seth,

    I have the same issue on ArubaOS. Do you know of a release which fixes this for ArubaOS using the internal DB with termination active?



  • 11.  RE: IAP with local EAP-TLS SSID

    Posted Jan 04, 2016 01:17 PM

    Is that the TLS 1.2 issue? That is fixed in 6.4.

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/EAP-TLS-1-2/td-p/243380

    BTW: for me the internal DB isn't an option with Instant, although the self-learning slides say it should be.



  • 12.  RE: IAP with local EAP-TLS SSID

    Posted Jan 23, 2019 04:59 AM

    Hi guys,

    I'm trying this configuration with an IAP335 with AOS 8.3. I cannot find the "termination" option inside the authentication menu; where can I find it?

    Thanks