Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

  • 1.  Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

    Posted Sep 08, 2016 01:41 PM

    Can I simply check the eap-tls box, leaving the eap-mschapv2 box checked, and just create a second RADIUS Network Policy identical to the existing one, with the exception that it will have the condition "Allowed EAP Types: Microsoft: Smart Card or other certificate" and changing the constraints from EAP type PEAP with MS-CHAP-V2 to EAP type Microsoft: Smart Card or other certificate? I'm trying to avoid having to create all new policy on the WLAN controller and a different SSID.


    Regards,

    Tony Marques



  • 2.  RE: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

    EMPLOYEE
    Posted Sep 08, 2016 01:59 PM

    To do EAP-TLS termination on the controller, you first need to generate  server certificate for the controller.  You then need to go to Configuration> Management> Certificates and upload the Server Certificate as well as the CA certificate that generated the Controller Server Certificate.  You then need to go into your 802.1x profile and select the name of the Controller Server Certificate and the CA certificate.

    [attached screenshot: eap-tls.png]

    After that, you can enable EAP-TLS termination.  It might however break your EAP-PEAP Termination if your clients do not trust the new CA selected or the Controller Server Certificate that you selected.  It will be a tough migration without doing some testing ahead of time.



  • 3.  RE: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

    Posted Sep 08, 2016 02:06 PM

    Hi Colin,


    We're not terminating on the controller. Please see the screenshot for how the 802.1x Authentication profile is configured.

    [attached screenshot: dotx1x.jpg]


    Therefore, I was thinking of just adding the eap-tls checkbox to this profile.


    Regards,
    Tony Marques



  • 4.  RE: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

    EMPLOYEE


  • 5.  RE: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

    Posted Sep 08, 2016 02:35 PM

    Hi Colin,


    I had read that prior, but it never did say how he had the WLAN controller configured. In my initial testing with two separate Network Policies (much like in the thread you provided), when I change my client from MS-CHAPv2 to Certificate it fails and never triggers the Network Policy that I have configured to use Certificate. That's why I figured I needed to have EAP-TLS checked on the WLAN controller even though it is acting as a pass-through.


    Regards,

    Tony Marques 



  • 6.  RE: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls
    Best Answer

    EMPLOYEE
    Posted Sep 08, 2016 02:40 PM

    If you are not using the WLAN controller for termination, the configuration is exactly the same for PEAP as it is for EAP-TLS on the controller. The controller is just a passthrough if it is not terminating EAP traffic.



  • 7.  RE: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

    Posted Sep 08, 2016 02:42 PM

    That is what I figured. I'll have to confirm the client-server settings are correct.


    Regards,

    Tony Marques
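As an added diagnostic example (not from this thread, nor HPE Aruba or Microsoft code): since the controller is a pass-through, the RADIUS server's "Allowed EAP Types" condition only matches what the client actually negotiates, so decoding the EAP-Message attribute of an Access-Request shows whether the client answers with EAP-TLS (type 13), stays on PEAP (type 25), or sends a Nak listing the methods it would accept. The RADIUS packet and EAP payloads below are constructed samples for illustration, not captured traffic.

```python
import struct

# RFC 3748 EAP codes and the method types relevant to this thread
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_MESSAGE_ATTR = 79  # RADIUS EAP-Message attribute (RFC 3579)

def radius_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet (RFC 2865 layout)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    pos = 20  # 4-byte header + 16-byte Authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def eap_summary(packet: bytes) -> dict:
    """Reassemble EAP-Message fragments and report code, type and any Nak'd types."""
    eap = b"".join(v for t, v in radius_attributes(packet) if t == EAP_MESSAGE_ATTR)
    if len(eap) < 4:
        return {"code": None, "id": None, "type": None, "nak_wants": []}
    code, ident, length = struct.unpack("!BBH", eap[:4])
    result = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "nak_wants": []}
    if code in (1, 2) and length >= 5:
        etype = eap[4]
        result["type"] = EAP_TYPES.get(etype, etype)
        if etype == 3:  # Nak: the client lists the methods it is willing to use
            result["nak_wants"] = [EAP_TYPES.get(b, b) for b in eap[5:length]]
    return result

def build_access_request(eap_payload: bytes) -> bytes:
    """Constructed Access-Request carrying one EAP-Message (zeroed Authenticator, not real traffic)."""
    attr = bytes([EAP_MESSAGE_ATTR, 2 + len(eap_payload)]) + eap_payload
    header = struct.pack("!BBH", 1, 0x2A, 20 + len(attr)) + b"\x00" * 16
    return header + attr

# Constructed: client Naks the server's PEAP offer and asks for EAP-TLS instead
NAK_EAP_TLS = bytes([2, 0x2A, 0, 6, 3, 13])
# Constructed: client answers with an EAP-TLS response (flags byte only, TLS data omitted)
TLS_RESPONSE = bytes([2, 0x2B, 0, 6, 13, 0x00])

if __name__ == "__main__":
    print(eap_summary(build_access_request(NAK_EAP_TLS)))
    print(eap_summary(build_access_request(TLS_RESPONSE)))
```

Running it against real Access-Requests (for example, EAP-Message attributes extracted from a RADIUS capture on the NPS side) tells you whether the certificate policy is failing to match because the client never offers EAP-TLS, or because the policy condition itself is wrong.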