Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine authentication 802.1x certificate termination on the controller

  • 1.  Machine authentication 802.1x certificate termination on the controller

    Posted Mar 07, 2014 09:31 AM

    Machine authentication 802.1x certificate termination on the controller. We are currently using MAC address authentication and want to change to using certificates for iPads, iPhones and BlackBerrys. I have the certificate installed on the controller and created a new SSID and AAA profile to use 802.1x; machine authentication is not enforced. I also installed the same certificate on the iPhone (not sure if this is correct). When I connect to the new SSID I get prompted for username and password and then get prompted to accept the certificate. The certificate displayed says "not verified" even though it's an Entrust certificate, and when I look on the iPhone the same certificate shows as "Trusted". When I click to accept the certificate it comes back with "unable to join the network". I also have the CA root and intermediate CA installed on the controller and have tried it as a chained certificate and as separate certificates, and it didn't seem to make a difference. Does anyone have this type of setup working?




  • 2.  RE: Machine authentication 802.1x certificate termination on the controller

    EMPLOYEE
    Posted Mar 07, 2014 09:37 AM

    If you have a radius server, you should look to see if there is a message on there concerning that.  If not, type "show auth-tracebuf mac <mac address of client>" to see what is happening.



  • 3.  RE: Machine authentication 802.1x certificate termination on the controller

    Posted Mar 07, 2014 09:54 AM

    No RADIUS server; we are terminating on the controller. Here are the results from the logs.

    show auth-tracebuf mac

    Mar  8 12:03:46  station-down           *  84:38:35:a8:1a:af  00:24:6c:ce:c1:30                      -      -
    Mar  8 12:03:46  station-up             *  84:38:35:a8:1a:af  00:24:6c:ce:c1:31                      -      -    wpa2 aes
    Mar  8 12:03:46  station-term-start     *  84:38:35:a8:1a:af  00:24:6c:ce:c1:31                      1      -
    Mar  8 12:03:48  station-term-end       *  84:38:35:a8:1a:af  00:24:6c:ce:c1:31/KofcMobile           11405  -    failure
    Mar  8 12:03:48  eap-failure           <-  84:38:35:a8:1a:af  00:24:6c:ce:c1:31/KofcMobile           -      4
    Mar  8 12:03:48  station-down           *  84:38:35:a8:1a:af  00:24:6c:ce:c1:31                      -      -


    Below is me switching from the SSID (aruba-ap) that does not use 802.1x to the new SSID (Test-Mobile) that uses 802.1x.


    show log user-debug

    Mar 8 12:03:46 :501102:  <NOTI> |stm|  Disassoc from sta: 84:38:35:a8:1a:af: AP 192.168.16.19-00:24:6c:ce:c1:30-00:24:6c:c4:ec:12 Reason STA has left and is disassociated
    Mar 8 12:03:46 :501065:  <DBUG> |stm|  Sending STA 84:38:35:a8:1a:af message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x1, wmm:1, rsn_cap:c
    Mar 8 12:03:46 :500511:  <DBUG> |mobileip|  Station 84:38:35:a8:1a:af, 0.0.0.0: Received disassociation on ESSID: aruba-ap Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name 00:24:6c:c4:ec:12 Group default BSSID 00:24:6c:ce:c1:30, phy a, VLAN 1
    Mar 8 12:03:46 :522036:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af Station DN: BSSID=00:24:6c:ce:c1:30 ESSID=aruba-ap VLAN=1 AP-name=00:24:6c:c4:ec:12
    Mar 8 12:03:46 :500010:  <NOTI> |mobileip|  Station 84:38:35:a8:1a:af, 255.255.255.255: Mobility trail, on switch 192.168.16.10, VLAN 1, AP 00:24:6c:c4:ec:12, aruba-ap/00:24:6c:ce:c1:30/a
    Mar 8 12:03:46 :501000:  <DBUG> |stm|  Station 84:38:35:a8:1a:af: Clearing state
    Mar 8 12:03:46 :501095:  <NOTI> |stm|  Assoc request @ 12:03:46.870397: 84:38:35:a8:1a:af (SN 977): AP 192.168.16.19-00:24:6c:ce:c1:31-00:24:6c:c4:ec:12
    Mar 8 12:03:46 :501100:  <NOTI> |stm|  Assoc success @ 12:03:46.876899: 84:38:35:a8:1a:af: AP 192.168.16.19-00:24:6c:ce:c1:31-00:24:6c:c4:ec:12
    Mar 8 12:03:46 :501065:  <DBUG> |stm|  Sending STA 84:38:35:a8:1a:af message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x1, wmm:1, rsn_cap:c
    Mar 8 12:03:46 :522035:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af Station UP: BSSID=00:24:6c:ce:c1:31 ESSID=Test-Mobile VLAN=1 AP-name=00:24:6c:c4:ec:12
    Mar 8 12:03:46 :500511:  <DBUG> |mobileip|  Station 84:38:35:a8:1a:af, 0.0.0.0: Received association on ESSID: Test-Mobile Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name 00:24:6c:c4:ec:12 Group default BSSID 00:24:6c:ce:c1:31, phy a, VLAN 1
    Mar 8 12:03:46 :522030:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af Station deauthenticated: BSSID=00:24:6c:ce:c1:30, ESSID=aruba-ap
    Mar 8 12:03:46 :500010:  <NOTI> |mobileip|  Station 84:38:35:a8:1a:af, 0.0.0.0: Mobility trail, on switch 192.168.16.10, VLAN 1, AP 00:24:6c:c4:ec:12, Test-Mobile/00:24:6c:ce:c1:31/a
    Mar 8 12:03:46 :522049:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af,IP=N/A User role updated, existing Role=guest/guest, new Role=logon/guest, reason=Station is L2 deauthenticated
    Mar 8 12:03:46 :522050:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af,IP=N/A User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=Download driven by user role setting
    Mar 8 12:03:46 :522005:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af IP=192.168.16.73 User entry deleted: reason=essid change
    Mar 8 12:03:46 :522050:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af,IP=N/A User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=Station resetting role
    Mar 8 12:03:49 :522030:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af Station deauthenticated: BSSID=00:24:6c:ce:c1:31, ESSID=Test-Mobile
    Mar 8 12:03:49 :522049:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af,IP=N/A User role updated, existing Role=logon/none, new Role=logon/none, reason=Station is L2 deauthenticated
    Mar 8 12:03:49 :522050:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af,IP=N/A User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=Download driven by user role setting
    Mar 8 12:03:49 :501106:  <NOTI> |stm|  Deauth to sta: 84:38:35:a8:1a:af: Ageout AP 192.168.16.19-00:24:6c:ce:c1:31-00:24:6c:c4:ec:12 wifi_deauth_sta
    Mar 8 12:03:49 :501065:  <DBUG> |stm|  Sending STA 84:38:35:a8:1a:af message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x1, wmm:1, rsn_cap:c
    Mar 8 12:03:49 :522036:  <INFO> |authmgr|  MAC=84:38:35:a8:1a:af Station DN: BSSID=00:24:6c:ce:c1:31 ESSID=Test-Mobile VLAN=1 AP-name=00:24:6c:c4:ec:12
    Mar 8 12:03:49 :500511:  <DBUG> |mobileip|  Station 84:38:35:a8:1a:af, 0.0.0.0: Received disassociation on ESSID: Test-Mobile Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name 00:24:6c:c4:ec:12 Group default BSSID 00:24:6c:ce:c1:31, phy a, VLAN 1
    Mar 8 12:03:49 :500010:  <NOTI> |mobileip|  Station 84:38:35:a8:1a:af, 255.255.255.255: Mobility trail, on switch 192.168.16.10, VLAN 1, AP 00:24:6c:c4:ec:12, Test-Mobile/00:24:6c:ce:c1:31/a
    Mar 8 12:03:49 :501080:  <NOTI> |stm|  Deauth to sta: 84:38:35:a8:1a:af: Ageout AP 192.168.16.19-00:24:6c:ce:c1:31-00:24:6c:c4:ec:12 Denied; Ageout
    Mar 8 12:03:49 :501000:  <DBUG> |stm|  Station 84:38:35:a8:1a:af: Clearing state



  • 4.  RE: Machine authentication 802.1x certificate termination on the controller

    EMPLOYEE
    Posted Mar 07, 2014 09:58 AM

    Just checking some facts....


    You have a public server certificate loaded on the controller, right?  

    What CA is issuing the certificates to your devices?  




  • 5.  RE: Machine authentication 802.1x certificate termination on the controller

    Posted Mar 07, 2014 10:04 AM

    Yes, the controller has a certificate issued from a trusted CA (Entrust). What I'm not sure about is what certificate I need on the client (iPhone). Currently I have the same server certificate installed on the iPhone as the one on the controller; should this be a different certificate created specifically for the device? I also have the Entrust root and intermediate certs on both the controller and the iPhone.



  • 6.  RE: Machine authentication 802.1x certificate termination on the controller

    Posted Mar 07, 2014 02:25 PM

    Hi, 

    You have to upload the CA certificate that issued the certificate for your Wi-Fi station to the controller and then select it in the dot1x L2 authentication profile.

    HTH 



  • 7.  RE: Machine authentication 802.1x certificate termination on the controller

    Posted Mar 07, 2014 02:39 PM

    I have the Entrust CA root cert installed and selected under L2 Authentication > Advanced > CA-Certificate, and I also have the server certificate installed and selected under L2 Authentication > Advanced > Server-Certificate. I've also created a new certificate for the device (iPhone) and installed that on the iPhone (also an Entrust certificate), but I still have not been able to get the iPhone connected. I've also tried installing the certificate on my Windows machine and that is not able to connect either, so I think it's something with how it's set up on the controller.



  • 8.  RE: Machine authentication 802.1x certificate termination on the controller

    Posted Mar 07, 2014 02:46 PM

    Hi, 

    There is a checkbox "Check certificate common name against AAA server"; please be sure that it is unchecked. And please verify the time/date on the controller.

    Many regards, 




  • 9.  RE: Machine authentication 802.1x certificate termination on the controller

    Posted Mar 07, 2014 03:45 PM

    The "Check certificate common name against AAA server" box was checked, and show clock revealed that the system was a day and an hour ahead. I reset the time, cleared the check box and rebooted the controller. I was hopeful that this would fix the issue, but I'm still getting the same results. I'll continue my testing next Monday. Aruba support wants me to get a client certificate installed on the iPhone that has the client role; the Entrust certificates all have the server role (not sure why that matters). I might need to create the certificate from a private CA and add the CA to the controller, assuming the private CA will allow me to create the certificate with the client role! I'll update next week!
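    As an added example (not part of this thread, and not Aruba's or Entrust's tooling), the shell script below runs, with nothing but openssl on an admin workstation, the three checks that replies 6, 8 and 9 turn on: whether the client certificate carries the clientAuth extended key usage (the "client role" Aruba support asked for), whether it chains to the CA file that is selected as CA-Certificate in the dot1x profile, and whether it is valid on the current clock. So that it runs offline it builds a throwaway private CA and issues one serverAuth-only certificate (the shape of the poster's Entrust certificates) and one clientAuth certificate; the CA name, subject names and file names are made up for the example. Point the three functions at exported copies of the real certificates to check a production setup.

```shell
#!/bin/sh
# Added example, not from the thread or from Aruba: pre-flight checks for the
# certificates used in EAP-TLS termination on the controller, using only
# openssl. A throwaway private CA is created so the script runs offline; the
# CA name, subjects and file names are all constructed for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Private CA (the role Entrust's root/intermediate play in the thread).
#    Written with an explicit config so no system openssl.cnf is needed.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 365 -config ca.cnf >/dev/null 2>&1

# issue_cert NAME EKU: issue a leaf certificate signed by the CA above with
# the given extendedKeyUsage (serverAuth or clientAuth).
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" -config ca.cnf >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = %s\n' "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out "$1.pem" -days 365 -extfile "$1.ext" >/dev/null 2>&1
}

# has_client_auth CERT: true if CERT carries the TLS Web Client Authentication
# EKU. A certificate issued with only serverAuth fails this check.
has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# chains_to_ca CERT CAFILE: true if CERT verifies against CAFILE, i.e. the
# file you would select as CA-Certificate in the dot1x L2 profile.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# not_expired CERT: true if CERT has not passed notAfter on this host's clock.
# The controller's clock matters too (it was a day ahead in the thread), so
# compare its "show clock" against the dates printed at the end.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

issue_cert server-only serverAuth   # like the poster's server-role certs
issue_cert client-ok  clientAuth    # what the supplicant needs for EAP-TLS

for c in server-only client-ok; do
    if has_client_auth "$c.pem"; then eku="clientAuth present"; else eku="clientAuth MISSING"; fi
    if chains_to_ca "$c.pem" ca.pem; then chain="chains to CA"; else chain="chain FAILS"; fi
    if not_expired "$c.pem"; then when="not expired"; else when="EXPIRED"; fi
    printf '%-12s %s, %s, %s\n' "$c" "$eku" "$chain" "$when"
done
# Validity window to compare against the controller's "show clock".
openssl x509 -in client-ok.pem -noout -dates
```

    The serverAuth-only certificate chains and is in date yet still reports clientAuth missing, which is the situation reply 9 describes; a certificate that passes all three checks is the one to load onto the device, with its issuing CA selected on the controller.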



  • 10.  RE: Machine authentication 802.1x certificate termination on the controller

    EMPLOYEE
    Posted Mar 08, 2014 06:20 AM

    Have you already set up EAP-PEAP on this controller, because it is much easier?  Very few people deploy like you are right now, due to the overhead required with managing client-side certificates.  They start at EAP-PEAP and if needed deploy via EAP-TLS.  With that being said, please take a look at the document in the thread here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/EAP-TLS-and-dot1x-termination/m-p/12357/highlight/true#M5113



  • 11.  RE: Machine authentication 802.1x certificate termination on the controller

    Posted Mar 12, 2014 03:27 PM


    Still no luck getting the iPhone to connect. I have been able to connect a Windows 7 laptop to the new SSID/AAA profile, but that took some client-side customizations to the connection properties. Since this is a test environment I don't have access to the NPS and AD servers, so my next steps are to set this up on our production controllers and not terminate the certificate on the controller. I'll use RADIUS/NPS to authenticate the certificates and see if I get anywhere with that.




  • 12.  RE: Machine authentication 802.1x certificate termination on the controller

    EMPLOYEE
    Posted Mar 12, 2014 04:52 PM

    Good idea.