Security

MVP
Posts: 226
Registered: 03-03-2011

EAP Compatible Server Certificate from Amigopod CA

Apologies if this has already been covered but I couldn't find an answer when searching.

I have configured Amigopod to act as the RADIUS server to AD for a 802.1x authenticated wireless service. The Amigopod virtual appliance is joined to the active directory domain and I can successfully authenticate with valid user credentials using the test authentication tool.

However, I cannot authenticate clients to the network when "Validate Server Certificate" is checked on the client. The Amigopod CA certificate has been imported on the client and put in the Trusted Root CA Store.

After searching I found the following 2 articles which described my problem:

http://darelltan.multiply.com/journal/item/188?&show_interstitial=1&u=%2Fjournal%2Fitem

http://support.microsoft.com/kb/814394

Sure enough, when I signed my EAP certificate on the domain CA and imported it back to the Amigopod everything worked as expected.

Is anybody able to confirm whether this is a problem with the CA or whether there is a workaround to this problem?

For information, the VM I am running is the latest version - 3.9.2.

Thanks


David

David
ACDX #98 | ACMP | ACCP
Moderator
Posts: 150
Registered: 11-14-2011

Re: EAP Compatible Server Certificate from Amigopod CA

I believe you will need to import a server certificate into the Amigopod RADIUS that is trusted by your wireless devices. For example, if the server certificate is signed by a public CA, you should be able to find this CA in the list of locally trusted CAs on the client and select this one as the trusted CA. Alternatively you could sign the Amigopod server certificate from your local PKI and, assuming this CA is trusted by the client, you should get the same result.

Hope this helps


Cam.

MVP
Posts: 226
Registered: 03-03-2011

Re: EAP Compatible Server Certificate from Amigopod CA

Thanks for the response Cam.

The issue is more that the inbuilt Amigopod CA server does not provide the "server authentication" permission when signing the EAP server certificate. So, if you generate a self-signed EAP and CA certificate, export the CA certificate onto the client's Trusted Root CA store and try to access the network with a Windows XP client with the "Validate server certificate" option checked, the connection fails.

Debug RADIUS logs from the Amigopod show a TLS access denied error and when I researched this error the issue with the Server authentication permission was discovered.

Since then I have created the EAP certificate on the Amigopod device, signed it with a domain CA and imported the resulting certificate and CA certificate back in to Amigopod. This works with no issues.

My query is whether the Amigopod could sign the EAP certificate with the "server authentication" privilege to get around this problem?

Thanks

David

David
ACDX #98 | ACMP | ACCP
Aruba Employee
Posts: 37
Registered: 11-04-2011

Re: EAP Compatible Server Certificate from Amigopod CA

The inbuilt Amigopod CA does issue TLS Server certificates with the Server Authentication EKU. Are you running in root CA mode or intermediate CA mode? Are you using a FQDN for your CN in your certificate?

If yours is not issuing them with the Server Authentication EKU, then that is a problem for which you should open a case.
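
The question of whether the issued EAP server certificate actually carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1, shown by OpenSSL as "TLS Web Server Authentication") can be settled by inspecting the certificate itself before opening a case. The script below is an added example and is not from the thread or from Amigopod; it assumes OpenSSL 1.1.1 or later is on the PATH (for the `-addext` option) and builds two constructed self-signed certificates with a made-up CN of `radius.example.test`, one with the serverAuth EKU and one with only clientAuth, to stand in for a certificate exported from the Amigopod EAP configuration page.

```shell
#!/bin/sh
# Added example (not part of the forum thread or the Amigopod product):
# check whether an EAP/PEAP server certificate carries the Server
# Authentication EKU that Windows supplicants expect when "Validate
# server certificate" is enabled. Assumes OpenSSL 1.1.1+ on PATH.

# Print the certificate's X509v3 Extended Key Usage value line
# (e.g. "TLS Web Server Authentication"), or nothing if the
# extension is absent from the certificate.
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | tail -n 1 \
        | sed 's/^ *//'
}

# Return 0 (true) when the certificate's EKU includes serverAuth,
# 1 (false) otherwise, so it can be used directly in shell conditions.
has_server_auth_eku() {
    cert_eku "$1" | grep -q 'TLS Web Server Authentication'
}

# Create two constructed self-signed certificates in a scratch directory
# and print that directory. "good.pem" carries serverAuth, "bad.pem"
# carries only clientAuth (the failure mode discussed in the thread).
# The CN "radius.example.test" is a placeholder, not a real host.
make_demo_certs() {
    dir="${1:-$(mktemp -d)}"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 1 -sha256 -subj "/CN=radius.example.test" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$dir/good.key" -out "$dir/good.pem" >/dev/null 2>&1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 1 -sha256 -subj "/CN=radius.example.test" \
        -addext "extendedKeyUsage=clientAuth" \
        -keyout "$dir/bad.key" -out "$dir/bad.pem" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone demo: ./check_eku.sh --demo
# To check a real exported certificate instead: ./check_eku.sh --demo is
# not needed; call  has_server_auth_eku /path/to/server.pem  after
# sourcing this file.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_certs)
    for f in "$d/good.pem" "$d/bad.pem"; do
        if has_server_auth_eku "$f"; then
            echo "$f: EKU '$(cert_eku "$f")' includes serverAuth - OK for EAP"
        else
            echo "$f: EKU '$(cert_eku "$f")' lacks serverAuth - Windows clients will reject it"
        fi
    done
fi
```

Running the same `has_server_auth_eku` check against the certificate exported from the Amigopod EAP page (rather than the constructed ones) tells you whether the issued certificate matches what the previous reply says the inbuilt CA produces; a missing serverAuth EKU is the thing to quote when opening the case.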

MVP
Posts: 226
Registered: 03-03-2011

Re: EAP Compatible Server Certificate from Amigopod CA

Thanks for the response Avidal.

All I have done is follow the instructions in the deployment guide for setting up EAP/PEAP communication from an Aruba controller to Amigopod. I created the server certificate and CA certificate from the EAP configuration menu.

Sounds like I need to open a case with TAC.

Thanks


David

David
ACDX #98 | ACMP | ACCP