12-29-2015 11:38 PM
I was looking to see whether this is possible: doing EAP-TLS, i.e. client certificate authentication, with only Aruba Instant, so no RADIUS server or the like.
Some googling turned up mixed results.
This support document seems to indicate it is possible: http://www.arubanetworks.com/techdocs/InstantHTML/Content/Chapter11%20Authentication/AuthenticationServer.htm
although how remains vague.
Then some Airheads threads; here it is mentioned that it isn't easy:
Here it is mentioned twice that it is possible (limitations are mentioned, but not which ones), but without details:
So I started to configure it myself. First I loaded a server certificate (cert / key) and a CA, then configured the SSID Security section like this:
Key management: WPA-2 Enterprise
Authentication server 1: ?
And now I was stuck, because why do I need an Authentication server, and why can't I select the Internal one if it is really needed? So I took a chance and just selected my CPPM server.
And it worked ... without receiving anything on the CPPM server. If I disable termination I do see the username (CN from cert) being sent to CPPM, but with Termination enabled it seems to function fine.
1) Is this how you do client-certificate-based authentication with an IAP only?
2) Is the fact that you need to select an Authentication server but it isn't used a known issue? The fact that you can't select the EAP type might be related here, but I'm looking for some documentation saying this is how it should work. I'm using version 220.127.116.11-18.104.22.168_50009; will try a newer one soonish.
3) Is it correct that you can't use the internal database for WPA Enterprise SSIDs in combination with Termination?
4) Does anyone see issues with my approach? I tested with Windows, which worked, but perhaps not with others?
12-30-2015 04:53 AM
You are doing it the right way.
The external server option when doing EAP Termination is for when you are using EAP-GTC, which could require you to connect to an external LDAP server. It is still selectable if you are doing different EAP types, but it does not do anything.
Please see the Instant training here: http://www.arubanetworks.com/products/networking/aruba-instant/training/instant-training/ and specifically Module 5, which discusses EAP Termination Options.
Aruba Customer Engineering
12-30-2015 10:02 AM
Appreciated as always, cjoseph.
It is not the fact that you can select an auth server that confused me, it is the fact that you NEED to select one, even when you don't do anything with it. But I understand the need in this case, as you can't predict how it will be used.
12-30-2015 10:11 AM
Oh, and after watching the self-learn it was noted that the internal database should be usable for EAP-TLS / EAP-TTLS / EAP-PEAP and LEAP. But I seemed unable to select it; did I do it wrong or ...?
12-30-2015 11:35 AM
Also keep in mind that there is a recently fixed issue in IAP code 22.214.171.124 with 1x termination. Please see below from the release notes:
Symptom: Client devices running the Android 6.0+ or Windows 10 software were unable to connect to the 802.1x SSID of the IAP. The fix ensures that the client devices are able to connect to the 802.1x SSID.
Scenario: This issue occurred when 802.1x termination was enabled on the IAP and was observed in all IAPs running Instant 126.96.36.199-188.8.131.52 release.
Consulting Systems Engineer - ACCX, ACDX, ACMX
01-04-2016 08:35 AM
I have the same issue on ArubaOS. Do you know of a release which fixes this for ArubaOS using the internal DB with termination active?