02-03-2017 02:33 AM
we bought two AP-205 to build our WLAN new from the ground.
Everything worked fine, i created two wifis, one for our employees and one for our customer.
The productiv network is secured with a WPA2-Enterprise Radius Server, that the employees have to log in with there AD-User Credentials. Works fine, but when they connect they get the message that the certificate not known is.
After that i added our Certificate-Server as CA, and now every client within our domain dont get the message any longer. Only devices like mobile phones still get the error. I think till this point everything work flawless.
But what is the best practise to get a certificate and a ca that every device trust, and is there a cheap option?
thanks for your help.
02-03-2017 05:40 AM
Is this an Instant AP?
If yes, please use the Open SSL instructions here: http://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025 to generate a CSR to submit to a certificate authority.
There are a number of low-cost certificate authorities, but we cannot endorse any here. Maybe some of the users in the community can suggest their low-cost favorites.
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
02-03-2017 05:41 AM
For the long answer to your question on what (type of) certificate to use for 802.1X/RADIUS, please check out the ClearPass Certificates 101 TechNote, which can be found here:https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx
In many cases, a certificate from your private CA is a good pick, and it has the 'issue' that clients that are not controlled by your company will get the certificate warnings. If you pick a public CA things may be better, but still many clients will prompt on first connect. As a rule of thumb, if you have mostly Domain connected computers, or you have another way to provision the SSID to devices (like with Mobile Device Management, or ClearPass Onboard), the private CA seems the best choice. If you have most uncontrolled clients (like students, BYOD), a public CA seems the better choice.
What you see is fully expected.
The mentioned Certificates 101 document goes into more depth on this topic.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).