06-11-2012 05:55 PM - edited 06-11-2012 06:02 PM
Hello does anyone have a example of configuration with EAP TLS?
I just can find example config but with EAP PEAP but not with EAP TLS
I would like to have also a demo in which i can show the clients EAP TLS in action...
But i have been trying to find a manual on how to configure this on the server side as well on the wireless controlller side buti cannot find it...
Or if anyone can point what i have to do different from EAP PEAP configuration that would help also as well....guess you use instead of peap eap smart cards and certificate option on the server and also on the client side but what else i would need to change?
Thanks in advance....
Product Manager - Aruba Networks
06-11-2012 08:15 PM
Assuming you are not doing EAP termination on the controller, there is nothing to change at all. The SSID remains WPA2-AES. What differs is how the Radius server accepts authentications. So, in order to accomplish using EAP-TLS, you'll need to authenticate users/computers with certificates.
From a Radius perspective this is simply a change in the authentication that is allowed in the particular policy that matches the client request. From a client perspective, the client will need a certificate and alter their settings to use EAP-TLS. Those two pieces of the equation are rather simple to modify. The last part is the part that requires additional planning.....that is the PKI itself. If you are going to authenticate devices with certificates, you'll have to issue certificates to your users/devices. If you chooose to implement a Microsoft based PKI, the deployment to domain joined machines is very simple; it is the non-domain systems that sometimes require some additional planning.
That being said, my recommendation to you is to research what it would take to setup a PKI in your infrastructure. As many will atest to, it is not terribly hard to setup a Microsoft PKI on Server 2008; however, I would caution you to step back and really think about how you want to design it. I've run into too many customers that threw together a PKI only to realize at a later date that is not suitable for their longer term needs, usually things like being installed on a domain controller, naming conventions used within the CA and templates, improper CA hierarchy, etc. The end up redesigning and reissuing certificates, so its worth the up front planning.
Microsoft has a document on how to set this up in a test lab, from start to finish. It is outdated with regards to the Server OS (uses 2003 and IAS rather than 2008 and NPS), but the concepts are the same. It may get you on the right path.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX