01-11-2012 08:17 AM
I want to start this by saying that I am new to Aruba, and I have read a lot of posts......None that I have found seem to quite answer this question, but if they are out there, I missed it. Sorry is this is redundant.
Onto the issue.
We have an existing PKI enviornement running windows 2003 server. We are leveraging the built in Radius server on the Amigopod product, and we are able to successfully have that make LDAP calls to our AD infrastructure.
We are looking to set up two form authentication for corporate devices. The AD login, and the device delivered certificate. This certificate will be delivered to the device by Amigopod, on behalf of our PKI enviornment.
I was told that we can do this, but I have been trying to import a cert into the Amigopod radius server, and I have not yet been successful. I have issued a request from the Amigopod, and used that in the creation process to create a cert, but Amigopod also wants a Root CA cert, which was not generated at the time. We have tried many varations and no matter what combination of Root CA and cert, we get an error on the upload. This is the error:
Certificate verification failed (/tmp/eapcerzMuUJz: /C=US/ST=state/L=city/O=company/CN=AmigoPod/emailA
error 20 at 0 depth lookup:unable to get local issuer certificate)
I am sure I am doing something fundamentally wrong, but I can not seem to find the answer anywhere.....Any help you guys could give would be greatly appreciated!!
01-11-2012 08:38 AM
Welcome to Airheads.
To help us understand your issue and answer the question can expand on the server certificate use you are setting up. Are you trying to load the server certificate for the Amigopod web server or for the RADIUS server for EAP termination. You mention that are you interested in Amigopod delivering client certificates to your devices so maybe you are trying to setup the Mobile Device Provisioning Service (MDPS) which as of today support the pushing of client certificates to Apple iOS devices.
01-11-2012 10:12 AM
What I am trying to do, is actually two part. We want to set up encryption, but if we have to do that with a self signed cert off the Amigopod, we will be ok with that.
The other part is Provisioning the mobile devices. We were trying to use the Radius Server on the Amigopod to do both the LDAP calls and the certifcate provisioning. After reading your response, I can see that I am probably going about this the wrong way.
How do you think I should handle this?
01-12-2012 07:10 PM
Let me try to break this down for you. If you are trying to do encryption using 802.1x you have a couple of options, namely PEAP, TTLS or EAP-TLS. The first two will only require a server certificate installed on the terminating RADIUS server (in this case Amigopod) and the later will require both the server certificate on the RADIUS server and client certificates on each connecting device.
Depending on your preference, you can go for the server certificate based option with PEAP or TTLS and leverage your user's existing username/password credentials for authentication. This will require you to install a server certificate on the Amigopod server which can be either self-signed or purchased from a trusted Certificate Authority such as Verisign, Thawte, GoDaddy etc. If you choose the self-signed option your users will be presented with a certificate warning as they connect or you can alternatively look to install a copy of the signing CA certificate on your devices to avoid this warning. A trusted CA certificate will avoid these warnings as the signing CA will already be included in the operating system trusted CA store.
Some of Aruba's latest technology through the acquistion of Avenda actually helps solve this problem of installing the trusted CA certificate on 802.1x connecting devices.
If you are more interested in the EAP-TLS based Wi-Fi security then you are on the right track with the Amigopod Mobile Device Provisioning Service (MDPS) and its ability to provision secure network access settings including client TLS certificates to suported operating systems. To achieve this Amigopod includes a fully functional Certificate Authority that can sign client certificates from its own self-signed Root CA certificate or integrate into an existing PKI such as the one found in many Microsoft 2003 or 2008 server environments.
Hope this helps