Security, WIDS/WIPS and Aruba ECS

Occasional Contributor II
Posts: 61
Registered: ‎08-12-2009

Setting Up TLS w/Windows 2008 NPS and CA

Good Evening All

We have been having an issue with our current configuration (PEAP-EAP) where we need to actually plug our laptops into the network to renew their trust with our Windows 2003 domain. We are in the process of trying to find a solution and currently are looking at PEAP-TLS. We have a Windows 2008 Enterprise server installed with a CA installed as well as NPS. We have autoenrollment set up through group policy for domain computers and users. The first issue I run into is getting the computer and the user to autoenroll without plugging it in the first time. My thought is that once the wireless client boots and tries to authenticate it would receive its cert, and then the user logs in and they receive theirs. I have read several articles from Microsoft and other blog posts and articles and have followed them step by step with no luck. So I am thinking maybe it is my controller setup or NPS setup. So my question is: has anyone been able to implement PEAP-TLS, and if so, are you willing to share your steps to achieving this?

Does Aruba have a document telling how to implement this on their controller other than what is in the manual?

Thanks
Ed
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Tls

Edward, since the autoenrollment process delivers a certificate via group policy, the device requires an IP connection to receive the policy and then deliver the certificate. This is mandatory BEFORE the user or computer attempts to authenticate. Machine certificates are delivered when they receive their group policy. User certificates are received after the user logs in. The machine has to at least be plugged in once to receive a machine certificate the first time.

Aruba does have a guide for setting up IAS for PEAP because it is very popular, but not for EAP-TLS. I suppose the reason is that EAP-TLS is very secure but has a lot of administrative overhead related to the management of individual certificates, and can be complicated as a result. Few people deploy in this manner.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 61
Registered: ‎08-12-2009

Re: Setting Up TLS w/Windows 2008 NPS and CA

Colin, as always thanks for your reply. Have you heard of anyone having the issue of the 30 day domain trust when using PEAP? After speaking with tech support they said I would have to physically plug every wireless client in every 30 days or extend the renewal time to renew the trust. From what I understand it is a known Windows issue. This is a huge issue for us when we have about 800 - 900 wireless clients in our environment.

Here is what I am seeing, and maybe you or someone else can share some insight. After I plug the wireless client in physically it does receive the computer cert right away. I reboot, then try to log in, and if it is a new account the login fails. If I log in locally and look at the event log on the client, it says that Autoenrollment for the user could not take place because the client could not find the domain. On the NPS server it says Failed Audit for bad certificate data (not exact wording). This sounds like it isn't connecting to the domain because it isn't getting a DHCP address, so it doesn't know where to look for the autoenrollment. Could this be a config issue on the Aruba Controller? If you could tell me what I need to do on the Aruba Controller, that would be great; that way I know to mark that as a non-issue.

As always Thanks!
Ed
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Remote Access Policy

Ed,

It's supposed to happen like this: the computer gets group policy along with a machine certificate when wired. You should be able to reboot and, if in your remote access policy your only rule is NAS-PORT-TYPE is Wireless, your computer should be able to get an IP address at the ctrl-alt-delete screen. Make sure that authentication goes through and the computer gets an IP address even before you have a user try to log in. The computer MUST get an IP address before the user tries to authenticate.

If anyone else does TLS and knows anything that would make this easier, please post!


Colin Joseph
Aruba Customer Engineering
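To check the client-side prerequisites Colin describes (machine certificate present and chain-valid, autoenrollment not failing for lack of network, 802.1X profile set to authenticate as the computer before logon), here is an added diagnostic script that is not from the thread, Aruba or Microsoft. It assumes your issuing CA's common name is passed in $CaName and the WLAN profile name in $Profile (both placeholders); the EKU OID and the autoenrollment event provider are standard Windows values.

```powershell
# Added diagnostic (not from the thread): verify the machine-side prerequisites for
# machine authentication before user logon. Run elevated on a domain-joined client.
param(
    [string]$CaName  = 'CONTOSO-ISSUING-CA',   # placeholder: CN of your issuing CA
    [string]$Profile = 'Corp-Wireless'         # placeholder: name of the 802.1X WLAN profile
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU required for EAP-TLS

# 1. Machine certificate: in LocalMachine\My, unexpired, with a private key,
#    carrying the Client Authentication EKU and issued by the enterprise CA.
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    $_.Issuer -like "*CN=$CaName*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}
if (-not $machineCerts) {
    Write-Warning 'No usable machine certificate: autoenrollment has not completed. Plug in once, run gpupdate /force, then re-check.'
}
foreach ($c in $machineCerts) {
    # NPS reports bad certificate data when it cannot build the chain to the CA.
    $status = if ($c.Verify()) { 'chain OK' } else { 'CHAIN FAILED' }
    "{0}  expires {1:d}  {2}" -f $c.Thumbprint, $c.NotAfter, $status
}

# 2. Autoenrollment events from the last day. 'could not find the domain' means the
#    client tried to enroll before machine authentication had given it an IP address.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# 3. The WLAN profile must authenticate as the computer before logon: the 802.1X
#    authMode in the exported profile XML has to be 'machineOrUser' or 'machine'.
$tmp = Join-Path $env:TEMP 'wlanprofiles'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile name="$Profile" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
if ($xmlFile) {
    [xml]$p = Get-Content $xmlFile.FullName
    $node = $p.GetElementsByTagName('authMode') | Select-Object -First 1
    $authMode = if ($node) { $node.InnerText } else { '(not set)' }
    if (@('machineOrUser', 'machine') -contains $authMode) {
        "802.1X authMode: $authMode (computer will authenticate before logon)"
    } else {
        Write-Warning "802.1X authMode is '$authMode': the computer will not get an IP address before a user logs in."
    }
}
```

Run it once after the wired enrollment and again after a reboot at the ctrl-alt-delete screen; if step 1 passes but step 2 still shows domain-lookup failures, the machine authentication itself (NPS policy or controller role) is what to look at next.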