Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

Can I simply check the eap-tls box, leaving the eap-mschapv2 box checked, and just create a second RADIUS Network Policy identical to the existing one, with the exception that it will have the condition "Allowed EAP Types: Microsoft: Smart Card or other certificate" and changing the constraints from EAP type PEAP with MS_CHAP-V2 to EAP type Microsoft: Smart Card or other certificate? I'm trying to avoid having to create all new policy on the WLAN controller and a different SSID.


Regards,

Tony Marques

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

To do EAP-TLS termination on the controller, you first need to generate a server certificate for the controller. You then need to go to Configuration > Management > Certificates and upload the Server Certificate as well as the CA certificate that generated the Controller Server Certificate. You then need to go into your 802.1x profile and select the name of the Controller Server Certificate and the CA certificate.

eap-tls.png

After that, you can enable EAP-TLS termination. It might, however, break your EAP-PEAP Termination if your clients do not trust the new CA selected or the Controller Server Certificate that you selected. It will be a tough migration without doing some testing ahead of time.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

Re: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

Hi Colin,

We're not terminating on the controller. Please see the screenshot for how the 802.1x Authentication profile is configured.

dotx1x.jpg

Therefore, I was thinking of just adding a checkbox to eap-tls to this profile.

Regards,
Tony Marques

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

Please see the article here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Multiple-EAP-Types-NPS-Server/td-p/58390



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

Re: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

Hi Colin,

I had read that prior, but it never did say how he had the WLAN controller configured. In my initial testing with two separate Network Policies (much like in the thread you provided), when I change my client from MS-CHAPv2 to Certificate, it fails and never triggers the Network Policy that I have configured to use Certificate. That's why I figured I needed to have the EAP-TLS checked on the WLAN controller even though it is acting as a pass-through.

Regards,

Tony Marques 

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

If you are not using the WLAN controller for termination, the configuration is exactly the same for PEAP as it is for EAP-TLS on the controller. The controller is just a passthrough if it is not terminating EAP traffic.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 82
Registered: ‎05-28-2010

Re: Migrating from Termination Inner EAP-Type eap-mschapv2 to Termination EAP-Type eap-tls

That is what I figured. I'll have to confirm client - server settings are correct.

Regards,

Tony Marques
