Occasional Contributor I

Aruba controller -New certificate

Hi everybody,

I have an issue when doing 802.1X auth with a new public certificate installed on the controller in PKCS12 format. The certificate was generated by a well-known public CA for my domain "www.mydomaine.com".

The issue is that when I try to authenticate with dot1x auth I get an error that Windows can't verify the identity of the server.
I have used AAA Fast Connect and I configured the server certificate parameter.

Thank you for your help

#AirheadsMobile
Guru Elite

Re: Aruba controller -New certificate

1) You should be using a RADIUS server

2) This is a normal part of the process with unconfigured clients and legacy tunneled EAP methods like PEAP.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Aruba controller -New certificate

Hello,

1) Yes, I am using a RADIUS server for authentication, AAA Fast Connect and PEAP authentication.

2) The certificate installed on the controller was generated by a well-known CA, already installed on the PC, so the certificate should be verified by Windows?

mkk
Contributor II

Re: Aruba controller -New certificate

First, make sure you don't use wildcard certificates (*.domain.com). Some operating systems like Windows don't accept wildcard RADIUS certs.

Second, when you use PEAP-MSCHAPv2, every first time the client has to trust the RADIUS server certificate, because the client doesn't ask for it the way a web browser asks for a domain name over HTTP. The client doesn't expect the server certificate. Yes, it is valid according to the external CA, but the client doesn't trust it on the first connection because it didn't ask for it.

Third, PEAP-MSCHAPv2 is insecure when you don't strictly manage the endpoints. If a client can accept an unknown server certificate, the inner MSCHAPv2 hash can be drained into a hacker's hands. MSCHAPv2 can be easily decoded by a hacker to get your domain credentials.

So please use EAP-TLS if at all possible, or strictly manage your endpoints by GPO policy or MDM.
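The "strictly manage your endpoints" advice above comes down to pushing a PEAP profile in which the client pins the RADIUS server name and root CA and is not allowed to click through an unknown certificate. The following is an added example, not code from this thread or from Aruba, that audits a Windows PEAP WLAN profile fragment for exactly those settings; the element names follow the Windows MsPeapConnectionProperties profile schema, and both profile fragments and the CA thumbprint are constructed.

```python
# Added example (not from the thread): audit a Windows PEAP WLAN profile for the
# server-validation settings that stop a client from silently accepting an
# unknown RADIUS server certificate. Element names follow the Windows
# MsPeapConnectionProperties schema; the two profiles below are constructed.
import xml.etree.ElementTree as ET

def _text(root, local_name):
    """Text of the first element with this local name, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None

def audit_peap_profile(xml_text):
    """Return a list of weaknesses; an empty list means the server is pinned."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "PerformServerValidation") != "true":
        findings.append("PerformServerValidation is not true: any server cert is accepted")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user can click through an untrusted server certificate")
    if not _text(root, "ServerNames"):
        findings.append("no expected RADIUS server name is pinned")
    if not _text(root, "TrustedRootCA"):
        findings.append("no trusted root CA thumbprint is pinned")
    return findings

# Constructed profile fragments (only the PEAP ServerValidation parts are shown).
WEAK_PROFILE = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

HARDENED_PROFILE = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>radius.example.com</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
  </PeapExtensions>
</EapType>"""

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_peap_profile(prof) or ["ok"])
```

On a real machine the full profile XML comes from `netsh wlan export profile`, and the same checks apply to the fragment inside its EapHostConfig element.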

Guru Elite

Re: Aruba controller -New certificate

If you're using a RADIUS server, no EAP server certificate is needed on the controller.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
mkk
Contributor II

Re: Aruba controller -New certificate

Cappalli is correct. The RADIUS server cert is only needed on the authentication server, like ClearPass or MS NPS, not on the controller :)

Occasional Contributor I

Re: Aruba controller -New certificate

Thank you everybody.

Just a last question: I don't understand why this configuration (AAA Fast Connect with PEAP) had been working before the revocation of the securelogin.arubanetworks.com certificate.
Guru Elite

Re: Aruba controller -New certificate

You should be terminating EAP on the RADIUS server, not the controller.

AAA FastConnect is an old feature and shouldn't be used in most environments.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480