Security, WIDS/WIPS and Aruba ECS

Occasional Contributor II
Posts: 37
Registered: ‎05-25-2011

Security options with WifiCfg

I'm trying to create a script that will automatically create an SSID with all the necessary security features set. I’m using the WiFiCfg to create the SSID, but I'm having trouble with a couple of the options.

First, I want to have it use the Windows Login credentials to log in to the wireless. The issue is that I’m using GTC for Inner Authentication and when I try to set the UseWindowsLogonInfo to TRUE it says I need to use MSCHAPv2. I can’t use it with GTC?

Second, I’m going to Validate the Server Cert and so I need to set the Trust Root CA. How do I identify the Root CA? The name has spaces in it so I can’t put the full name and I don’t see any other name field.

Any help would be greatly appreciated.
Guru Elite
Posts: 20,596
Registered: ‎03-29-2007

Re: Security options with WifiCfg

You cannot use windows credentials automatically with GTC. You can only use it with MSCHAPv2.

Here are a couple rules:
• Replace the space in the name of the validated CA with “_”. For example, input “/TrustRootCA:Baltimore_EZ_by_DST” instead of “/TrustRootCA:Baltimore EZ by DST”.
• When there is more than one selected validated CA, follow the format “/TrustRootCA:CA1 /TrustRootCA:CA2 /TrustRootCA:CA3…”

Here is a sample add of a WPA2 AES network, with PEAP, inner EAP type of GTC, Validate Server Cert, and Trusting for Aruba's default Equifax, GlobalSign, and Microsoft Root Authority:

ArubaWifiCfg.exe -add /SSID:test /Authentication:WPA2 /Encryption:AES /EAPType:PEAP /InnerAuthentication:GTC /EnableFastReconnect:TRUE /ValidateServerCert:TRUE /TrustRootCA:Equifax_Secure_Certificate_Authority /TrustRootCA:GlobalSign_Root_CA /TrustRootCA:Microsoft_Root_Authority


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
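
For scripting the rules in the reply above, here is an added PowerShell example (not part of the original posts and not Aruba's code) that builds the ArubaWifiCfg.exe argument list from CA names containing spaces and refuses the GTC plus Windows-logon combination. The function name New-ArubaWifiCfgArgs is hypothetical, and the /UseWindowsLogonInfo:TRUE and /InnerAuthentication:MSCHAPv2 spellings are assumptions modelled on the switches shown in the thread.

```powershell
# Added example: builds ArubaWifiCfg.exe arguments using the rules from the reply.
# New-ArubaWifiCfgArgs is a hypothetical helper name, not part of the Aruba tool.
function New-ArubaWifiCfgArgs {
    param(
        [Parameter(Mandatory)] [string]   $Ssid,
        [Parameter(Mandatory)] [string[]] $TrustedRootCA,
        [ValidateSet('GTC', 'MSCHAPv2')] [string] $InnerAuthentication = 'GTC',
        [switch] $UseWindowsLogonInfo
    )

    # Per the reply: Windows credentials can only be used automatically with MSCHAPv2.
    if ($UseWindowsLogonInfo -and $InnerAuthentication -ne 'MSCHAPv2') {
        throw "UseWindowsLogonInfo requires InnerAuthentication MSCHAPv2, not $InnerAuthentication."
    }

    # Fixed switches copied from the sample command in the reply.
    $cfgArgs = @(
        '-add'
        "/SSID:$Ssid"
        '/Authentication:WPA2'
        '/Encryption:AES'
        '/EAPType:PEAP'
        "/InnerAuthentication:$InnerAuthentication"
        '/EnableFastReconnect:TRUE'
        '/ValidateServerCert:TRUE'
    )
    # Assumption: switch spelling follows the /Name:VALUE pattern used above.
    if ($UseWindowsLogonInfo) { $cfgArgs += '/UseWindowsLogonInfo:TRUE' }

    foreach ($ca in $TrustedRootCA) {
        $name = $ca.Trim()
        if (-not $name) { throw 'Root CA name is empty after trimming.' }
        # Rule 1: spaces in the CA name become underscores.
        # Rule 2: one /TrustRootCA switch per trusted CA.
        $cfgArgs += '/TrustRootCA:' + ($name -replace ' ', '_')
    }
    return $cfgArgs
}

# Constructed sample input: the three CA names from the reply's command.
$cfgArgs = New-ArubaWifiCfgArgs -Ssid 'test' -TrustedRootCA @(
    'Equifax Secure Certificate Authority',
    'GlobalSign Root CA',
    'Microsoft Root Authority'
)
# Print the command for review; to apply it, run: & .\ArubaWifiCfg.exe @cfgArgs
'ArubaWifiCfg.exe ' + ($cfgArgs -join ' ')
```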

Occasional Contributor II
Posts: 37
Registered: ‎05-25-2011

Re: Security options with WifiCfg

The "_" did it. Thanks.

Just out of curiosity, what is the difference between GTC and MSCHAPv2?
Guru Elite
Posts: 20,596
Registered: ‎03-29-2007

Re: Security options with WifiCfg

Without getting over my own head, MSCHAPv2 is the preferred method supported by Microsoft Active Directory back ends with Microsoft clients. Most non-Microsoft clients also support this. When your backend is non-Microsoft, your options decrease considerably depending on how your backend database is encrypted. To use MSCHAPv2, which is supported on the majority of supplicants, your backend database needs to have either NO encryption, or NT-Hash (Active Directory supports this). There is a chart here: http://deployingradius.com/documents/protocols/compatibility.html that says what type of backend database encryption is supported for what "tunneled session" type. EAP GTC is by far the most flexible, but does not have the native client support.


Colin Joseph
Aruba Customer Engineering
