EAP-TLS Authentication

  • 1.  EAP-TLS Authentication

    Posted Nov 30, 2011 10:50 AM

    I am attempting to set up the Aruba 3200 (FIPS) to connect to a 2008 server with RADIUS / AD installed. I created a CSR inside the Aruba controller to create the server cert for the Aruba and I am getting an error.

    I copied the entire text from the CSR window into a text document and this is the error I get when attempting to create a new certificate:

    (attached screenshot: csr failed.jpg)

    If this is not the proper way to set up EAP-TLS please let me know.


  • 2.  RE: EAP-TLS Authentication

    Posted Nov 30, 2011 11:35 AM

    To help us answer your question, can you share whether you are attempting to terminate the EAP-TLS transactions on your 2008 RADIUS server or on the Aruba controller itself?

    You should only need to generate the CSR on the Aruba controller if your intention is to enable EAP termination for TLS on the controller itself.



  • 3.  RE: EAP-TLS Authentication

    Posted Nov 30, 2011 12:00 PM

    At this point either one will be fine.. The only problem is the clients I am using are Windows Mobile 5, which do not support being added to the domain..



  • 4.  RE: EAP-TLS Authentication

    Posted Nov 30, 2011 12:13 PM

    As Cam said, if you need termination on the controller only, then you need to generate a CSR and sign that. The problem you are seeing is not a problem of the Aruba CSR; rather it is related to the Microsoft ADCS.

    If your CA is an enterprise CA then it requires template information to sign the certificate. Standalone CAs don't encounter this issue. I also think you used the MMC for signing the cert, so you saw this error.

    You can use the certutil.exe utility to sign the cert rather than the MMC and you won't see the error.

    Another way to sign the cert and avoid the error would be to use the web enrollment option. When using the web enrollment option you have to make the web enrollment site https rather than http to get the certs signed.

    See http://support.microsoft.com/kb/910249/en-us



  • 5.  RE: EAP-TLS Authentication

    Posted Nov 30, 2011 04:04 PM

    I am not sure if I am even going about this the correct way..

    My idea of EAP-TLS is

    client > wap > controller > switch > radius / ca / ad

    Is it easier to have the controller authenticate the clients or have the RADIUS authenticate them?

    I was able to get the controller to talk to the RADIUS over MS-CHAP-v2 and tested it with a username / password. When I change the RADIUS to EAP-TLS (certificates), how do I test it to make sure the connection is working? I thought this is where the server cert comes in, on the controller.

    Does anyone have a step by step guide for EAP-TLS? I can't remember where I got the walkthrough from (since the forums changed) but here is what I used.. (from Tobias Rice)

    Attachment(s)



  • 6.  RE: EAP-TLS Authentication

    Posted Dec 01, 2011 05:42 PM

    So I think I am on the right track..

    I am going to uninstall the Enterprise CA that is currently installed and install a Standalone..

    Once I get this, then how do I set up the controller to route all authentication attempts to the RADIUS / CA?

    I know how to do this with MS-CHAP-v2 and test it. But how do I test it with the certs?



  • 7.  RE: EAP-TLS Authentication

    Posted Dec 01, 2011 06:50 PM

    The controller configuration for pushing EAP-TLS to your RADIUS server is pretty straightforward. If you are not terminating EAP on the controller, just make sure your 802.1x authentication profile doesn't have any of the termination options checked. You won't be required to install any certificates on the controller in this case either, as the server certificate on your RADIUS will be used to terminate the EAP transaction.

    On your AAA profile you just need to make sure the dot1x server group is pointing to the server group that is defined for your RADIUS server.

    The use of PEAP or EAP-TLS will then be directly negotiated between the client supplicant software and your RADIUS server.



  • 8.  RE: EAP-TLS Authentication

    Posted Dec 06, 2011 09:32 AM

    As others have said, you don't need to terminate the EAP-TLS on the controller; not terminating on the controller simplifies the setup.

    Just be sure to have a look at the "termination" checkbox under the 802.1x profile on the controller. If this box is unchecked, the Aruba controller will just pass along the EAP-TLS traffic to the destined RADIUS server for approval.

    Domain computers will need to show a certificate for validation, but as you say, the Windows Mobile is unable to be a member of the domain.

    Domain computers automatically receive a certificate when they are added to the domain, so you will have to manually load a valid certificate into the Windows Mobile phone for EAP-TLS to work.

    Mosher



  • 9.  RE: EAP-TLS Authentication

    Posted Dec 06, 2011 09:59 AM

    I think I got everything set up how it should be.. now I am trying to generate the pfx + key to add to the Windows Mobile.. I am using the "Odyssey Client for Windows Mobile"

    From my understanding the only option to get the Aruba to use EAP-TLS is using the xSec option for encryption. This does 802.1x and EAP-TLS all in one?



  • 10.  RE: EAP-TLS Authentication

    Posted Dec 06, 2011 10:55 AM

    I exported a cert from IE and then imported it.. I am now attempting to connect to the Aruba with xSec enabled. It now says "waiting to authenticate"; I think I have an issue with the RADIUS..

    Is there a log somewhere on the RADIUS or Aruba where I can track down where it is failing?



  • 11.  RE: EAP-TLS Authentication

    Posted Dec 06, 2011 11:50 AM

    You shouldn't require xSec enabled on the Aruba controller. The EAP method will be negotiated directly between the client supplicant and the RADIUS server based on the RADIUS destination you have configured.



  • 12.  RE: EAP-TLS Authentication

    Posted Dec 06, 2011 12:12 PM

    I was just informed we also need to use the xSec since it supports FIPS 140-2 encryption..

    I just read online that 802.11i is also FIPS 140-2 compliant.. this to me means WPA2 is compliant?

    Edit:: I think I figured out the problem.. I need to add the root CA cert to the clients.. I'll try this out tomorrow when I get to work


  • 13.  RE: EAP-TLS Authentication

    Posted Dec 08, 2011 12:33 PM

    Well, it seems there is either an issue with my Aruba config or my RADIUS config..

    When I use the test AAA server function everything works, which makes me think the RADIUS config is good.. However, when I attempt to authenticate via wifi, the RADIUS logs the attempt username as the MAC address of the client. There is no account built with those credentials so it will not work..

    Any ideas why my MAC address is being passed as my username?

    I have attached the log file from the RADIUS so you can see when it authenticates via the AAA test and then attempts via several clients with the MAC address being passed.

    I had to convert it to Word so I could attach it.

    Attachment(s): IN1112.docx (12 KB)


  • 14.  RE: EAP-TLS Authentication

    Posted Dec 08, 2011 05:20 PM

    I am finally making progress.. I was able to get the RADIUS to authenticate the client's username / password (PEAP).. I am terminating the EAP at the controller but the authentication is still being done on the RADIUS. I switched over to using EAP-TLS since that is my end requirement..

    I exported the root CA using the web enrollment page.

    I created user certs using the web enrollment page.

    I am having a hard time with the server cert, since I am using an enterprise CA. I went to the web enrollment form, clicked advanced, then pasted the CSR into the box.. only problem was there was no option for a server cert. How do I create this??

    Thanks for the help



  • 15.  RE: EAP-TLS Authentication

    Posted Dec 08, 2011 08:26 PM

    If you don't have access to the certificate templates when using the web enrollment, make sure you are authenticated successfully to the domain and using an MS web browser. I have seen a situation where I have used remote desktop to connect to the CA server but logged into the local machine account instead of the domain. In this situation the certificate templates were not available. I disconnected and re-logged in using a domain account with appropriate privileges and was able to access the certificate templates.

    Hope this helps.



  • 16.  RE: EAP-TLS Authentication

    EMPLOYEE
    Posted Jan 11, 2012 07:24 PM

    Answering the FIPS questions: you likely need to use xSec on the OAC supplicant on the WinMobile HHT because the radio/chipset/driver for WPA2 is NOT FIPS'd. Don't let the FIPS issues cloud your certificate troubleshooting, because they are not inter-related.

    As for your certificates and HHTs, are you using local certificates on the HHT or are you using a Bluetooth CAC sled?



  • 17.  RE: EAP-TLS Authentication

    EMPLOYEE
    Posted Jan 11, 2012 07:26 PM

    Never mind, no PMs here. Shoot me an email at jhoward - at - arubanetworks - dot - com. Once I know what account you fall under on our Fed group, we can likely get you more help if you need it, since you likely are needing to do your cert requests to DISA. They have a separate cert request procedure that allows you to put the correct extended key sets on the cert for the RADIUS server to act as a TLS authenticator.



  • 18.  RE: EAP-TLS Authentication
    Best Answer

    EMPLOYEE
    Posted Jan 11, 2012 08:16 PM

    To get back to the original question: you're trying to generate a server certificate on a Windows CA, using a CSR generated by the controller. The error message you're getting is because the CSR doesn't contain any template information, so the CA doesn't know which template to use to generate the cert. What you'll need to do is use "certreq" from the Windows command line:

    certreq -submit -attrib "CertificateTemplate:WebServer" csr.txt

    Replace "WebServer" with the name of the template you want to use (although WebServer is a built-in template that generally will work fine for an EAP-TLS server cert), and replace "csr.txt" with the filename of your CSR.

    Hope that helps..

    -Jon
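As an added example (not from this thread and not HPE Aruba's own tooling), the PowerShell below wraps the certreq step Jon describes and then inspects the issued certificate for the Server Authentication EKU and a chain that builds to a trusted root, the two properties a supplicant checks before it will complete EAP-TLS. The CA config string, template name and file paths are assumed placeholders.

```powershell
# Added example (not from this thread or from HPE Aruba): submit the controller's CSR
# to an enterprise CA with an explicit template, then sanity-check the issued cert.
# ASSUMPTIONS: the CA config string, template name and file paths below are placeholders.
$CaConfig = "CASERVER.example.local\Example-Enterprise-CA"  # find yours with: certutil -dump
$Template = "WebServer"                                     # template suggested in the thread
$CsrFile  = "C:\certs\aruba-csr.txt"                        # CSR text pasted from the controller
$CertFile = "C:\certs\aruba-server.cer"                     # where the issued cert is written

# The CertificateTemplate attribute supplies what the controller's CSR lacks,
# which is exactly why the MMC/web enrollment path rejected it.
& certreq.exe -submit -attrib "CertificateTemplate:$Template" -config $CaConfig $CsrFile $CertFile
if ($LASTEXITCODE -ne 0) {
    throw "certreq returned $LASTEXITCODE (request denied, or pending approval on the CA)"
}

# Load the issued certificate for inspection.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). A supplicant that validates the
# server certificate will not finish the TLS handshake without it, which looks like
# the "waiting to authenticate" symptom described earlier in the thread.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = if ($null -ne $ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
$hasServerAuth = $ekuOids -contains "1.3.6.1.5.5.7.3.1"

# The chain must build to the same root CA that gets loaded onto the clients.
$chainBuilds = $cert.Verify()

[PSCustomObject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    NotAfter      = $cert.NotAfter
    ServerAuthEKU = $hasServerAuth
    ChainBuilds   = $chainBuilds
}

if (-not $hasServerAuth) {
    Write-Warning "Issued cert has no Server Authentication EKU; choose a template that adds it."
}
if (-not $chainBuilds) {
    Write-Warning "Chain does not build on this host; make sure clients trust the issuing root."
}
```

Run it on the CA (or any domain-joined host with access to the CA) after pasting the controller's CSR into the text file; the resulting .cer is what gets uploaded back to the controller as the server certificate if EAP termination is enabled there.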