Security

Frequent Contributor I

Certificate based authentication on Controller

Hi,

I want to configure an SSID with a local check whether the client certificate matches the local controller certificate. So I list my steps here, because it didn't work :)

6.4.3.3

1) Create a controller cert with CSR

2) Install server and root CA cert

3) Create L3 dot1x auth profile (EAP-TLS) with CA cert and server cert checked in advanced (termination)

4) Create AAA profile with 802.1x authentication -> step 3 profile (MAC n/a, server group n/a)

5) VAP profile with AAA using step 4

In my Windows 8.1 client I created an SSID profile with the same settings as my other SSID with cert (sends RADIUS requests to an external AAA server), so I think that is not the problem.

If I activate security debug level I only see some cryptic stuff when I try to log in, but no really useful text...

So is there anyone out there who has configured a local termination that is working? I checked the community but I didn't find any real guide or information on this issue.

Thanks for feedback

ACMP
Frequent Contributor I

Re: Certificate based authentication on Controller

Additional info:

If I reconfigure an SSID with my AAA profile it pops up with this error:

Error processing command 'wlan virtual-ap "test111" ssid-profile "ssid_temp_Certtest"':Error: Server Group needs to be configured in dot1x/aaa profile "802.1x_Cert_Temp_Cert/AAA_Certificate" to support opmode "wpa2-aes" in ssid profile "ssid_temp_Certtest"

Maybe this error explains my problem:

A VAP profile with WPA2 needs a server group. But with local termination and TLS I don't have a server :-( If I create a local server group in the controller it checks the certificate username against the local DB :-( But I only want a certificate check and not a username check ... so maybe this is the point which I am looking for.

Thanks

ACMP
Guru Elite

Re: Certificate based authentication on Controller

You can create a server group that only has the internal database, but in the 802.1x profile, DO NOT enable "Check Certificate Common name against AAA server"  :  http://community.arubanetworks.com/t5/Controller-Based-WLANs/With-EAP-TLS-how-to-check-user-certificate-common-name-against/ta-p/215343

 

The problem is that the WPA2-AES 802.1x setup requires that you put a radius server in the server group attached to the AAA profile, even if you don't use it.

 

For your error messages, you should type "show auth-tracebuf" and see the radius messages going back and forth to see what could possibly be the problem.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Frequent Contributor I

Re: Certificate based authentication on Controller

Hi,

I unchecked that AAA box (last checkbox) - thanks so far :) and entered a default AAA server in a server group, but it didn't work:

Here is the output:


Oct 12 14:07:15 station-up * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 - - wpa2 aes
Oct 12 14:07:15 station-term-start * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 10 -
Oct 12 14:07:15 eap-term-start -> 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - -
Oct 12 14:07:15 station-term-start * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 10 -
Oct 12 14:07:15 eap-term-start -> 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - -
Oct 12 14:07:15 station-term-start * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 10 -
Oct 12 14:07:15 station-tls-alert * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp 48 2 failure
Oct 12 14:07:15 station-term-end * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp 1 - failure
Oct 12 14:07:15 eap-failure <- 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - 4
Oct 12 14:07:15 station-down * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 - -

So I currently have a machine certificate for my controller and a user cert on my notebook - as written above: the client works with Windows RADIUS AAA forwarding.

Maybe I need a different Windows config with this local certificate?

 

ACMP
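As an added example (not code from the thread, from Aruba, or from ArubaOS), here is a small Python parser for the `show auth-tracebuf` lines quoted above, which turns the numeric TLS alert into something readable. It assumes that the two numbers on a `station-tls-alert` line are the TLS AlertDescription and AlertLevel in that order (48 = unknown_ca, 2 = fatal, per RFC 5246 section 7.2); the event name `eap-success` as the counterpart of `eap-failure` is also an assumption. The sample input is the excerpt from the post, embedded as a constant.

```python
import re
from collections import defaultdict

# Sample input: the auth-tracebuf excerpt quoted in the post above.
TRACEBUF = """\
Oct 12 14:07:15 station-up * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 - - wpa2 aes
Oct 12 14:07:15 station-term-start * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 10 -
Oct 12 14:07:15 eap-term-start -> 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - -
Oct 12 14:07:15 station-tls-alert * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp 48 2 failure
Oct 12 14:07:15 station-term-end * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp 1 - failure
Oct 12 14:07:15 eap-failure <- 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - 4
Oct 12 14:07:15 station-down * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 - -
"""

# TLS AlertDescription values from RFC 5246 section 7.2 (subset relevant to EAP-TLS).
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
}
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Defender-side hints per alert description (what to check on the configuration).
HINTS = {
    "unknown_ca": "one side did not trust the other's issuing CA: check the CA cert "
                  "selected in the dot1x profile and the CA the client trusts",
    "unsupported_certificate": "certificate type not acceptable: check the client "
                               "certificate carries the clientAuth Extended Key Usage",
    "bad_certificate": "certificate could not be parsed or its signature failed",
    "certificate_expired": "check validity dates and the clocks on both sides",
    "certificate_revoked": "the certificate is on a CRL known to the peer",
    "certificate_unknown": "unspecified certificate problem; check chain and usages",
}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<event>\S+)\s+(?P<dir>\S+)\s+"
    rf"(?P<client>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<profile>\S+))?\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Split one tracebuf line into its columns; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = rec.pop("rest").split()
    return rec


def explain_tls_alert(fields):
    """Map the two numbers on a station-tls-alert line to (description, level).

    Assumption: the order is AlertDescription then AlertLevel, as in the post ("48 2").
    """
    desc, level = int(fields[0]), int(fields[1])
    return (TLS_ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
            TLS_ALERT_LEVELS.get(level, f"unknown({level})"))


def summarize(tracebuf):
    """Group events per client MAC and record TLS alerts and the EAP outcome."""
    clients = defaultdict(lambda: {"events": [], "profile": None,
                                   "tls_alerts": [], "outcome": "unknown"})
    for line in tracebuf.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["client"]]
        c["events"].append(rec["event"])
        if rec["profile"]:
            c["profile"] = rec["profile"]
        if rec["event"] == "station-tls-alert":
            c["tls_alerts"].append(explain_tls_alert(rec["fields"]))
        elif rec["event"] == "eap-failure":
            c["outcome"] = "failure"
        elif rec["event"] == "eap-success":  # assumed counterpart event name
            c["outcome"] = "success"
    return dict(clients)


def diagnose(summary):
    """Produce one human-readable finding per TLS alert or unexplained EAP failure."""
    findings = []
    for mac, c in summary.items():
        for desc, level in c["tls_alerts"]:
            hint = HINTS.get(desc, "see RFC 5246 section 7.2")
            findings.append(f"{mac} ({c['profile']}): {level} TLS alert {desc} - {hint}")
        if c["outcome"] == "failure" and not c["tls_alerts"]:
            findings.append(f"{mac}: EAP failure without a TLS alert; check the server "
                            "group and RADIUS side rather than the certificates")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(TRACEBUF)):
        print(finding)
```

Run on the quoted excerpt, the script reports a fatal `unknown_ca` alert for the client `34:02:86:b4:91:b9` under profile `802.1x_Cert_Temp`, which is a chain-of-trust problem rather than a username problem: worth checking before changing the server group again.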
Guru Elite

Re: Certificate based authentication on Controller

Also, you need to create a client certificate to use for authentication. You can't use a server certificate for client auth.


Thanks, 
Tim

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Certificate based authentication on Controller

Good info.. checked the cert on the controller - only two attributes set and no Client Authentication.... back to the CA admin :) Hope the new one works ^^

ACMP
Guru Elite

Re: Certificate based authentication on Controller

You'll still need the server certificate on the controller. The client certificate is installed on the device. 


Thanks, 
Tim

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Certificate based authentication on Controller

Sure, but I think mine actually has no permission to check clients. Don't know which statement is needed here, but I think it doesn't work with only Digital Signature, Key Encipherment (a0) and Server Authentication (1.3.6.1.5.5.7.3.1) as Enhanced Key Usage.

ACMP
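To make the usage values quoted above concrete, here is an added Python example (not from the thread, Aruba, or any CA product) that decodes the two X.509 extensions involved directly from their DER bytes: the KeyUsage bit string (the "a0" above is digitalSignature plus keyEncipherment) and the ExtendedKeyUsage OID list (1.3.6.1.5.5.7.3.1 = serverAuth, 1.3.6.1.5.5.7.3.2 = clientAuth). The sample extension values are constructed here to match the usages the poster describes; they are not taken from real certificates.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage (RFC 5280 4.2.1.12)

# Constructed sample extension values (DER). Not from any certificate in the thread.
SERVER_ONLY_EKU = bytes.fromhex("300a06082b06010505070301")                      # serverAuth
CLIENT_EKU = bytes.fromhex("300a06082b06010505070302")                           # clientAuth
DUAL_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")         # both
KEY_USAGE_SAMPLE = bytes.fromhex("030205a0")  # BIT STRING, 5 unused bits, byte 0xa0

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("ExtendedKeyUsage entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(v))
    return oids


def parse_key_usage(der):
    """Parse the KeyUsage BIT STRING and return the names of the set bits."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]
    valid_bits = len(bits) * 8 - unused    # trailing unused bits must be ignored
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= valid_bits:
            break
        byte, bit = divmod(i, 8)
        if (bits[byte] >> (7 - bit)) & 1:
            names.append(name)
    return names


def classify(eku_der):
    """Say which EAP-TLS roles an EKU permits. None means the extension is absent,
    which RFC 5280 treats as unrestricted (any purpose)."""
    if eku_der is None:
        return {"server": True, "client": True, "oids": []}
    oids = parse_eku(eku_der)
    unrestricted = ANY_EKU in oids
    return {"server": unrestricted or SERVER_AUTH in oids,
            "client": unrestricted or CLIENT_AUTH in oids,
            "oids": oids}


if __name__ == "__main__":
    print("key usage a0:", parse_key_usage(KEY_USAGE_SAMPLE))
    for label, eku in [("server-only cert", SERVER_ONLY_EKU), ("client cert", CLIENT_EKU)]:
        print(label, "->", classify(eku))
```

The point the example makes: a certificate whose EKU lists only serverAuth is a valid server certificate for the controller's EAP-TLS termination, but a TLS server that enforces EKU will not accept it as a client certificate, so the supplicant needs a certificate whose EKU includes clientAuth (or carries no EKU at all). On a machine with OpenSSL 1.1.1 or newer, the same extensions can be read from a PEM file with `openssl x509 -in cert.pem -noout -ext keyUsage,extendedKeyUsage`.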
Guru Elite

Re: Certificate based authentication on Controller

Right. There are two certificates. The only one that will work on the client is a client certificate. It's a different type of cert that gets created.

Thanks, 
Tim

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Certificate based authentication on Controller

Hi, sorry, I have two different types: a client certificate with the Client-Auth usage set and a server cert without any Client-Auth. I think that's the reason why it doesn't work.

If I get that running I will create a guide for other users :) I think no one has a complete step-by-step config for this situation. And given the fact that the controller works with CRL, Aruba needs a good guide :-)

Back here when I get my new controller cert (takes some days...)

ACMP