Occasional Contributor II
Posts: 24
Registered: ‎09-16-2011

EAP-TLS Authenication

I am attempting to set up the Aruba 3200 (FIPS) to connect to a 2008 server with RADIUS / AD installed. I created a CSR inside the Aruba controller to create the server cert for the Aruba and I am getting an error.

 

I copied the entire text from the CSR window into a text document and this is the error I get when attempting to create a new certificate.

 

[attachment: csr failed.jpg]

 

If this is not the proper way to setup EAP-TLS please let me know.

Moderator
Posts: 150
Registered: ‎11-14-2011

Re: EAP-TLS Authenication

To help us answer your question can you share whether you are attempting to terminate the EAP-TLS transactions on your 2008 RADIUS server or on the Aruba controller itself?

 

You should only need to generate the CSR on the Aruba controller if your intention is to enable EAP Termination for TLS on the controller itself.

Occasional Contributor II
Posts: 24
Registered: ‎09-16-2011

Re: EAP-TLS Authenication

At this point either one will be fine. The only problem is the clients I am using are Windows Mobile 5, which do not support being added to the domain.

Aruba Employee
Posts: 116
Registered: ‎09-21-2010

Re: EAP-TLS Authenication

As cam said, if you need termination on the controller only, then you need to generate a CSR and sign that. The problem you are seeing is not a problem of the Aruba CSR; rather, it is related to Microsoft ADCS.

 

If your CA is an enterprise CA then it requires template information to sign the certificate. Standalone CAs don't encounter this issue. I also think you used the MMC for signing the cert, so you saw this error.

 

You can use the certutil.exe utility to sign the cert rather than the MMC and you won't see the error.

 

Another way to sign the cert and avoid the error would be to use the web enrollment option. When using the web enrollment option you have to make the web enrollment site HTTPS rather than HTTP to get the certs signed.

 

See http://support.microsoft.com/kb/910249/en-us
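An added example (not from this thread or any poster) of the command-line route the reply above describes: submitting the controller's CSR to an Enterprise CA with the template name the MMC path never supplies, then verifying the result before uploading it. It assumes the CSR text was saved as C:\temp\aruba.csr, that the CA is reachable as the placeholder `<CA-host>\<CA-name>`, and that your account has Enroll permission on the built-in "WebServer" template.

```powershell
# Added example, not the thread's own commands. Placeholders: <CA-host>\<CA-name>
# is the CA's config string (see "certutil -dump" output or the CA MMC); the CSR
# path and template name are assumptions.

# 1. Sanity-check the pasted request: it should decode cleanly and show the
#    Subject the controller put in it (the CN the supplicants will validate).
certutil -dump C:\temp\aruba.csr

# 2. Submit the request and attach the template name explicitly. An Enterprise
#    CA refuses a request that carries no template (the MMC error in the first
#    post); a Standalone CA ignores the attribute, so this works for both.
certreq -submit -config "<CA-host>\<CA-name>" -attrib "CertificateTemplate:WebServer" C:\temp\aruba.csr C:\temp\aruba.cer

# 3. Check that the issued cert chains to a CA the clients will trust.
#    The private key never left the controller (the CSR was generated there),
#    so only the .cer goes back to the controller, together with the CA's
#    root (and any intermediate) certificate so the chain can be presented.
certutil -verify C:\temp\aruba.cer
```

If the CA is configured to hold requests for manager approval, `certreq -submit` prints a request ID instead of writing the .cer; issue it on the CA and fetch it with `certreq -retrieve <RequestId> C:\temp\aruba.cer`.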

Occasional Contributor II
Posts: 24
Registered: ‎09-16-2011

Re: EAP-TLS Authenication

I am not sure if I am even going about this the correct way.

 

My idea of EAP-TLS is

 

client > wap > controller > switch > radius / ca / ad

 

Is it easier to have the controller authenticate the clients or have the RADIUS authenticate them?

 

I was able to get the controller to talk to the RADIUS over MS-CHAP-v2 and tested it with a username / password. When I change the RADIUS to EAP-TLS (certificates), how do I test it to make sure the connection is working? I thought this is where the server cert comes in, on the controller.

 

Does anyone have a step by step guide for EAP-TLS? I can't remember where I got the walkthrough from (since the forums changed) but here is what I used (from Tobias Rice):

Occasional Contributor II
Posts: 24
Registered: ‎09-16-2011

Re: EAP-TLS Authenication

[ Edited ]

So I think I am on the right track.

 

I am going to uninstall the Enterprise CA that is currently installed and install a Standalone.

 

Once I get this, then how do I set up the controller to route all authentication attempts to the RADIUS / CA?

 

I know how to do this with MS-CHAP-v2 and test it. But how do I test it with the certs?

Moderator
Posts: 150
Registered: ‎11-14-2011

Re: EAP-TLS Authenication

The controller configuration for pushing EAP-TLS to your RADIUS server is pretty straightforward. If you are not terminating EAP on the controller, just make sure your 802.1x authentication profile doesn't have any of the termination options checked. You won't be required to install any certificates on the controller in this case either, as the server certificate on your RADIUS will be used to terminate the EAP transaction.

 

On your aaa profile you just need to make sure the dot1x server group is pointing to the server group that is defined for your RADIUS server.

 

The use of PEAP or EAP-TLS will then be directly negotiated between the client supplicant software and your RADIUS server.

Frequent Contributor II
Posts: 105
Registered: ‎11-11-2008

Re: EAP-TLS Authenication

As others have said, you don't need to terminate EAP-TLS on the controller; not terminating on the controller simplifies the setup.

 

Just be sure to have a look at the "termination" checkbox under the 802.1x profile on the controller. If this box is unchecked, the Aruba controller will just pass along the EAP-TLS traffic to the destined RADIUS server for approval.

 

Domain computers will need to show a certificate for validation, but as you say, Windows Mobile is unable to be a member of the domain.

Domain computers automatically receive a certificate when they are added to the domain, so you will have to manually load a valid certificate into the Windows Mobile phone for EAP-TLS to work.

 

Mosher

Occasional Contributor II
Posts: 24
Registered: ‎09-16-2011

Re: EAP-TLS Authenication

[ Edited ]

I think I got everything set up how it should be. Now I am trying to generate the pfx + key to add to the Windows Mobile. I am using the "Odyssey Client for Windows Mobile".

 

From my understanding the only option to get the Aruba to use EAP-TLS is using the xsec option for encryption. This does 802.1x and EAP-TLS all in one?

Occasional Contributor II
Posts: 24
Registered: ‎09-16-2011

Re: EAP-TLS Authenication

[ Edited ]

I exported a cert from IE and then imported it. I am now attempting to connect to the Aruba with xSec enabled. It now says "waiting to authenticate". I think I have an issue with the RADIUS.

 

Is there a log somewhere on the RADIUS or Aruba where I can track down where it is failing?
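On the Windows Server 2008 side, the RADIUS (NPS) decisions land in the Security event log, which answers the "where is it failing" question above. The following is an added example, not from any poster, run in an elevated prompt on the RADIUS server; it assumes the NPS role is installed and that auditing has not been deliberately disabled.

```powershell
# Added example, not the thread's own commands. Run on the Windows 2008 NPS box.

# 1. NPS writes its access-granted/denied events only when this audit
#    subcategory is on; if it reports "No Auditing", nothing below will appear.
auditpol /get /subcategory:"Network Policy Server"

# 2. Newest 20 NPS decisions, most recent first:
#    6272 = access granted, 6273 = access denied, 6274 = request discarded.
#    For EAP-TLS the interesting part of a 6273 is the "Reason Code" / "Reason"
#    text, which separates a client cert the server could not chain or check
#    against a CRL from a plain policy mismatch (wrong network policy, EAP type
#    not enabled on the policy, and so on).
wevtutil qe Security /q:"*[System[(EventID=6272 or EventID=6273 or EventID=6274)]]" /c:20 /rd:true /f:text

# 3. No events at all means the Access-Request never reached NPS. Confirm the
#    server is listening on the RADIUS port and that the firewall allows it;
#    then re-check the controller's RADIUS server entry (IP, 1812, shared secret).
netstat -an | Select-String -Pattern ":1812 "
netsh advfirewall firewall show rule name=all | Select-String -Pattern "1812"
```

A client stuck at "waiting to authenticate" with no 6273 on the server usually points at step 3 rather than at the certificates; once the server starts logging 6273 events, the Reason text tells you whether the client cert, the chain, or the network policy is at fault.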
