Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

replace certificate on ARUBA IAP 225 cluster

  • 1.  replace certificate on ARUBA IAP 225 cluster

    Posted Jul 29, 2016 01:53 AM

    Dear Community,

    I need to replace the inbuilt certificate on an IAP 225 cluster. The reason for this is we have some Windows 7 clients which won't connect to the wireless due to "invalid trust anchor" nonsense. We also want to eliminate the trust messages when iPhones connect etc.

    Please can anyone advise, is there a step by step guide for requesting and installing a proper trusted certificate please? (which will work with Windows 7 clients) The organisation does not have a trusted certificate chain / authority as such I will need to request one from a trusted CA such as VeriSign, GoDaddy etc. Any help would be greatly appreciated.

    Thanks in advance



  • 2.  RE: replace certificate on ARUBA IAP 225 cluster

    EMPLOYEE
    Posted Jul 29, 2016 07:27 AM

    Are you getting those messages when you do web authentication or 802.1x authentication?

    If it is web authentication, you need to replace the web server certificate using the procedure here:  http://www.arubanetworks.com/techdocs/Instant_42_WebHelp/InstantWebHelp.htm?_ga=1.43038629.1615771646.1440445030#UG_files/Authentication/Certificates.htm?Highlight=certificate

    If you are having problems with 802.1x authentication and you are NOT using termination, you need to have a proper certificate on your RADIUS server.



  • 3.  RE: replace certificate on ARUBA IAP 225 cluster

    Posted Jul 29, 2016 08:23 AM
    Thanks for your reply, the issue is with Windows 7 clients when they access
    the wireless using 802.1x authentication using the internal authentication
    server of the IAP cluster. Any instructions for generating a suitably formed
    CSR, requesting and installing the certificate would be a massive help.


  • 4.  RE: replace certificate on ARUBA IAP 225 cluster

    EMPLOYEE
    Posted Jul 29, 2016 08:29 AM
    Question:

    You have two choices:

    If you have a domain you should generate a server certificate from that domain's CA.

    If you do not have a domain, you will need to purchase a public SSL server certificate that all Windows clients trust to avoid that issue.

    Alternatively, an insecure method is to uncheck "Validate Server Certificate", which would let your Windows clients on.

    The built-in certificate in Instant is not trusted. It must be replaced by a certificate that is trusted by your Windows clients. That means purchasing a public certificate, or generating your own self-signed certificate and configuring your clients to trust that.


  • 5.  RE: replace certificate on ARUBA IAP 225 cluster

    Posted Jul 29, 2016 08:39 AM
    Thanks for the info. Understood, but it is not clear how best to go about
    this. Although there will be a domain, there will be a majority of clients
    who are not members of the domain (not guests) so a public cert is
    definitely the best way to go. My question is about how to go about the CSR,
    what type of certificate request. I have a Windows server available to make
    the CSR, but how? Also which public CA is best to use (from experience of
    the community), e.g. GoDaddy? And of course how to implement. Thanks


  • 6.  RE: replace certificate on ARUBA IAP 225 cluster

    EMPLOYEE
    Posted Jul 29, 2016 08:44 AM

    So how are you authenticating users now?

     



  • 7.  RE: replace certificate on ARUBA IAP 225 cluster

    EMPLOYEE
    Posted Jul 29, 2016 08:48 AM

    I mean, you are using 802.1x, but are their usernames and passwords in active directory?  Are your guests also using 802.1x?



  • 8.  RE: replace certificate on ARUBA IAP 225 cluster

    Posted Jul 29, 2016 08:56 AM
    Users authenticate via 802.1x using the internal user database of the
    Instant access point cluster. This is not integrated with AD via RADIUS, it's
    just a standalone IAP cluster.

    Some users are able to access OK (Windows 10 clients, iPhones, Android and
    Windows Phone).

    Windows 7 PCs throw a certificate error and are unable to join and get the
    "is not configured as a valid trust anchor for this profile" message.

    Guests will use 802.1x via captive portal.

    Thanks


  • 9.  RE: replace certificate on ARUBA IAP 225 cluster
    Best Answer

    EMPLOYEE
    Posted Jul 29, 2016 09:35 AM

    You then have no choice but to get a public SSL certificate from GoDaddy or another public CA and upload that to the IAP, then...  If you create a self-signed certificate, you will always get errors, because none of your clients will support it.  You can create a CSR for your public certificate here: https://csrgenerator.com/ and then GoDaddy or whoever will ask for a CSR. I do not endorse that website, or even GoDaddy, but it is one of quite a few that can be used to generate a CSR and get a public certificate.

    Quite frankly, it is not worth it to get a public SSL certificate for 802.1x.  It is better to generate an SSL cert from your own domain's CA and then distribute that CA certificate to all clients that want to connect successfully prior to them connecting.  That will avoid the error message.
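
For the CSR step discussed in this thread, an added example (not part of the original posts or of Aruba's documentation) that generates the key pair and CSR locally with OpenSSL, so the private key never leaves the administrator's machine, and checks the request before it is sent to a CA. The hostname, organisation, country and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Constructed placeholders: FQDN, "Example Org", "GB", file names.
# Usage: make_eap_csr wifi.example.org ./out && check_csr ./out/server.csr wifi.example.org

# Create a 2048-bit RSA key and a CSR requesting the Server Authentication EKU,
# which Windows supplicants expect on the 802.1X (EAP) server certificate.
make_eap_csr() (
    fqdn="$1"; outdir="$2"
    umask 077                        # key and CSR files readable by owner only
    mkdir -p "$outdir" || exit 1
    cat > "$outdir/csr.cnf" <<EOF || exit 1
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
O = Example Org
C = GB
[ext]
subjectAltName = DNS:$fqdn
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes leaves the key unencrypted on disk; move it to protected storage
    # once the certificate has been installed.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$outdir/csr.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null
)

# Check the CSR before submitting it: valid self-signature, expected key size,
# the requested name in the SAN, and the serverAuth EKU.
check_csr() {
    csr="$1"; fqdn="$2"
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    text=$(openssl req -in "$csr" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q "Public-Key: (2048 bit)" || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$fqdn" || return 1
    printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || return 1
    return 0
}
```

Only `server.csr` is submitted to the CA; a public CA may override the requested extensions, so inspect the issued certificate for the Server Authentication EKU as well.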

     

     



  • 10.  RE: replace certificate on ARUBA IAP 225 cluster

    Posted Aug 12, 2016 02:06 AM

    Thank you for the information provided. For reference, Aruba Support provided pointers to the following documentation regarding certificates for the IAPs.

    1. To install certificates on the IAP, please see the detailed instructions below:

    http://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/Authentication/Certificates.htm

    2. From where to get the certificate:

    If you have Windows Server, you can create the cert by yourself; you will have the instructions below:

    http://community.arubanetworks.com/aruba/attachments/aruba/IAP/376/1/Aruba%20Instant%20Certificate%20generation%20and%20upload%20edited.pdf

    Moreover, you could also purchase permanent certs from a well-known CA such as VeriSign, GeoTrust, etc.