Occasional Contributor I

Certificate Authority For Windows Connection

We have 2 controllers, a Master and a Slave, in different locations.

We have bought a Certificate Authority for Windows connection using the domain, in which the client connects automatically without typing a username and password; just tick the box and the domain username will appear.

We have uploaded the Certificate Authority and implemented it on the Master, and it was successful. We have also uploaded the Certificate Authority and implemented it on the Slave, but it was not successful. Clients cannot connect. We need your help to solve this case.

Guru Elite

Re: Certificate Authority For Windows Connection

Are you using the Captive Portal for Authentication or 802.1x for authentication?

Are you using termination?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Certificate Authority For Windows Connection

Hi Colin,

I am using 802.1x for authentication and termination.

Guru Elite

Re: Certificate Authority For Windows Connection

Did you upload your own server certificate, or are you using the one built into the controller?

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Certificate Authority For Windows Connection

Hi Colin,

 

We created it using openssl from DigiCert and uploaded it to the Master Controller. It was successful there, but it is not working on the Slave Controller.

Guru Elite

Re: Certificate Authority For Windows Connection

How is the slave controller configured?  Is it a local, backup master or standalone master?

 

Try to authenticate a client to the second controller and then type "show auth-tracebuf" on the commandline to see what the problem could be.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Certificate Authority For Windows Connection

Hi Colin,

 

It is Master-Master local.

(Smart-Fren_Sabang) #show auth-tracebuf

Auth Trace Buffer
-----------------
                                                                                                         
                                                                                                         
Sep 25 14:23:36  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
Sep 25 14:23:36  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
Sep 25 14:23:36  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4    
Sep 25 14:23:36  station-down           *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    
Sep 25 14:23:36  server-finish         <-  c8:21:58:26:f8:3b  04:bd:88:39:f6:50/NewIAS-802.1X  -    61   
Sep 25 14:23:38  server-finish         <-  d8:5d:e2:58:72:3b  04:bd:88:3a:04:c0/NewIAS-802.1X  -    61   
Sep 25 14:23:38  station-up             *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    wpa2 aes
Sep 25 14:23:38  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
Sep 25 14:23:38  eap-term-start        ->  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    -    
Sep 25 14:23:38  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
Sep 25 14:23:38  client-finish         ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    -    
Sep 25 14:23:38  server-finish         <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    61   
Sep 25 14:23:38  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
Sep 25 14:23:38  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
Sep 25 14:23:38  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4    
Sep 25 14:23:38  station-down           *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    
Sep 25 14:23:38  station-up             *  68:a3:c4:83:dd:90  04:bd:88:3a:05:c0                -    -    wpa2 aes
Sep 25 14:23:38  station-term-start     *  68:a3:c4:83:dd:90  04:bd:88:3a:05:c0                408  -    
Sep 25 14:23:38  eap-term-start        ->  68:a3:c4:83:dd:90  04:bd:88:3a:05:c0/NewIAS-802.1X  -    -    
Sep 25 14:23:38  station-term-start     *  68:a3:c4:83:dd:90  04:bd:88:3a:05:c0                408  -    
Sep 25 14:23:38  server-finish         <-  c8:21:58:a0:5d:cf  04:bd:88:3a:0a:f0/NewIAS-802.1X  -    61   
Sep 25 14:23:38  server-finish-ack     ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    -    
Sep 25 14:23:38  inner-eap-id-req      <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    35   
Sep 25 14:23:38  inner-eap-id-resp     ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    -    WIRELESS\indry.nugraha
Sep 25 14:23:38  eap-mschap-chlg       <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    67   
Sep 25 14:23:39  eap-mschap-response   ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  7    49   
Sep 25 14:23:39  mschap-request        ->  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  7    -    WIRELESS\indry.nugraha
Sep 25 14:23:39  mschap-response       <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/IAS-SVR        -    -    WIRELESS\indry.nugraha
Sep 25 14:23:39  eap-mschap-success    <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    83   
Sep 25 14:23:39  station-down           *  00:28:f8:21:2a:50  04:bd:88:3a:04:d2                -    -    
Sep 25 14:23:39  station-up             *  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    -    wpa2 psk aes
Sep 25 14:23:39  wpa2-key1             <-  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    117  
Sep 25 14:23:39  wpa2-key2             ->  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    119  
Sep 25 14:23:39  wpa2-key3             <-  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    151  
Sep 25 14:23:39  wpa2-key4             ->  00:28:f8:21:2a:50  04:bd:88:3a:04:c2                -    95   
Sep 25 14:23:39  server-finish         <-  84:4b:f5:4d:b8:4f  04:bd:88:3a:03:a0/NewIAS-802.1X  -    61   
Sep 25 14:23:39  server-finish         <-  84:4b:f5:15:35:d6  04:bd:88:3a:08:a0/NewIAS-802.1X  -    61   
Sep 25 14:23:40  station-up             *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    wpa2 aes
Sep 25 14:23:40  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
Sep 25 14:23:40  eap-term-start        ->  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    -    
Sep 25 14:23:40  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
Sep 25 14:23:40  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
Sep 25 14:23:40  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
Sep 25 14:23:40  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4    
Sep 25 14:23:40  station-down           *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    
Sep 25 14:23:40  eap-failure           <-  1c:65:9d:de:d6:14  04:bd:88:3a:03:a0/NewIAS-802.1X  -    4    
Sep 25 14:23:40  station-down           *  1c:65:9d:de:d6:14  04:bd:88:3a:03:a0                -    -    
Sep 25 14:23:40  server-finish         <-  e4:a4:71:f3:44:ea  70:3a:0e:3b:0d:b0/NewIAS-802.1X  -    61   
Sep 25 14:23:40  eap-failure           <-  c8:21:58:16:17:46  04:bd:88:3a:05:c0/NewIAS-802.1X  -    4    
Sep 25 14:23:41  station-down           *  c8:21:58:16:17:46  04:bd:88:3a:05:c0                -    -    
Sep 25 14:23:41  station-up             *  c8:21:58:16:17:46  04:bd:88:3a:05:d0                -    -    wpa2 aes
Sep 25 14:23:41  station-term-start     *  c8:21:58:16:17:46  04:bd:88:3a:05:d0                408  -    
Sep 25 14:23:41  eap-term-start        ->  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    -    
Sep 25 14:23:41  station-term-start     *  c8:21:58:16:17:46  04:bd:88:3a:05:d0                408  -    
Sep 25 14:23:41  client-finish         ->  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    -    
Sep 25 14:23:41  server-finish         <-  c8:21:58:16:17:46  04:bd:88:3a:05:d0/NewIAS-802.1X  -    61   
Sep 25 14:23:41  server-finish         <-  84:4b:f5:b0:ff:c3  70:3a:0e:3b:06:80/NewIAS-802.1X  -    61   
Sep 25 14:23:41  station-term-end       *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50/NewIAS-802.1X  43   -    failure
Sep 25 14:23:41  station-down           *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50                -    -    
Sep 25 14:23:41  server-finish         <-  d0:57:7b:07:cc:0e  04:bd:88:3a:04:90/NewIAS-802.1X  -    61   
Sep 25 14:23:41  station-up             *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50                -    -    wpa2 aes
Sep 25 14:23:41  station-term-start     *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50                408  -    
Sep 25 14:23:41  eap-term-start        ->  c8:21:58:9e:0a:70  04:bd:88:3a:04:50/NewIAS-802.1X  -    -    
Sep 25 14:23:41  station-term-start     *  c8:21:58:9e:0a:70  04:bd:88:3a:04:50                408  -    
Sep 25 14:23:41  station-up             *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                -    -    wpa2 aes
Sep 25 14:23:41  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
Sep 25 14:23:41  eap-term-start        ->  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    -    
Sep 25 14:23:41  station-term-start     *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50                408  -    
Sep 25 14:23:41  server-finish         <-  c8:21:58:26:f8:3b  04:bd:88:39:f6:50/NewIAS-802.1X  -    61   
Sep 25 14:23:42  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
Sep 25 14:23:42  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
Sep 25 14:23:42  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4   
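
Added example, not part of the original posts and not Aruba tooling: a small Python parser for the "show auth-tracebuf" output above that groups events per station and lists the stations that raised a TLS alert without ever reaching an EAP success. It assumes the number in the id column of a station-tls-alert line is the TLS alert description code (48 is unknown_ca in RFC 5246); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the trace posted above (lines without a username), embedded for offline use.
SAMPLE = """\
Sep 25 14:23:38  eap-term-start        ->  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    -
Sep 25 14:23:38  station-tls-alert   *     e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  48   2    failure
Sep 25 14:23:38  station-term-end       *  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  1    -    failure
Sep 25 14:23:38  eap-failure           <-  e4:42:a6:1b:fd:c8  04:bd:88:39:f6:50/NewIAS-802.1X  -    4
Sep 25 14:23:38  eap-mschap-chlg       <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    67
Sep 25 14:23:39  eap-mschap-success    <-  2c:33:7a:00:65:2f  04:bd:88:3a:04:40/NewIAS-802.1X  -    83
"""

# Columns: time, event, direction, station MAC, BSSID[/server], id, len, info.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<event>[\w-]+)\s+(?P<dir>\*|->|<-)\s+"
    r"(?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<bss>\S+)\s+"
    r"(?P<id>\S+)\s+(?P<len>\S+)\s*(?P<info>.*)$")

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

def parse(text):
    """Yield one dict per trace line; headers and blank lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def summarize(text):
    """Per station: TLS alerts seen, EAP failure count, and any EAP success."""
    out = defaultdict(lambda: {"alerts": [], "eap_failures": 0, "success": False})
    for ev in parse(text):
        sta = out[ev["sta"]]
        if ev["event"] == "station-tls-alert" and ev["id"].isdigit():
            # Assumption: the id column holds the TLS alert description code.
            code = int(ev["id"])
            sta["alerts"].append(TLS_ALERTS.get(code, f"alert_{code}"))
        elif ev["event"] == "eap-failure":
            sta["eap_failures"] += 1
        elif ev["event"].endswith("-success"):
            sta["success"] = True
    return dict(out)

def cert_trust_suspects(text):
    """Stations that raised a TLS alert and never reached an EAP success."""
    return sorted(mac for mac, s in summarize(text).items()
                  if s["alerts"] and not s["success"])
```

Calling cert_trust_suspects() on the full saved trace gives the list of station MACs to check for server-certificate trust on the client side.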

Guru Elite

Re: Certificate Authority For Windows Connection

Is this a Windows client that you are having problems with?  Did you try a mobile client?  If it is Windows, the client would have to be configured manually.  Windows does not easily automatically connect to an 802.1x SSID the first time unless it is preconfigured.

 

Again, we would have to see details on how you installed that Certificate onto the controller and how you installed the CA to the client to understand what could be going wrong.

 

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Certificate Authority For Windows Connection

Hi Colin,

 

We have the problem only on Windows clients. Mobile and Linux clients have no problem.

Here is how to upload the certificate on the controller.

Configuration > Management > Certificates > Upload:

Upload the root, intermediate and server certificate, selecting the type under "Certificate Type".

We did not install any CA on the client.

Guru Elite

Re: Certificate Authority For Windows Connection

The only thing I can think of is that you should have uploaded the certificate as the same "Name" on the master and local, otherwise the controller will not reference it in the configuration.  In the 802.1x profile, you can determine which certificate is used.  That name should have been the same when you uploaded it to the local controller, otherwise it might be using the built-in certificate.



Colin Joseph
Aruba Customer Engineering
