Security

Hi !

I have an aruba3200 controller with 30 aps.

I'm running fw 6.3.1.4

I have my wlan authehticated against a radius server (MS-NPS), which offers and checks the certificates.

it is configured using eap-peap.

i do not use termination on the controller.

in between there are moments when the clients are shown a certificate "securelogin.arubanetworks.com"

(best seen on my iphone).

how can this be or are there any hints where i can hava a look why this happens ?

does not make any sense to me, because this cert is ony used für captive-portal (guest access) or the web-gui...

 

regards,

Martin

The only way you'd see that certificate is if terminatino is enabled (which you say isn't) or if the NPS server is using that same certificate (unlikely).

 

When do the clients see this?  Is it on connection or at some other point in their connection?

 

To confirm , if you "forget this network" on an iPhone and reocnnect to the network, what certifcate is shown?    I'd also verify that all your AAA profiles are using dot1x profiles that have termination disabled.  Sometimes customers will have different profiles for different usages and not realize they are being used in portions of the building.

 

show aaa authentication dot1x

review the "references" column

show references aaa authentication dot1x [nameofprofile]

they see in sometimes in their connection.

i had this today when my mail client wanted to connect to outlook.com (are connections proxied ?)

and a colleague of mine had this with his macbook that would not connect to the wlan because the wrong (untrusted) certificate was shown...

 

all our aaa profiles have termination disabled...

 

that's why i'm so irritated...

i just cannot get it...

Are you only using a single VLAN or multiple VLANs (pooling) for that 802.1x SSID?

i have 4 SSIDs

 

w0. -> guest(VLAN 10)

w1. -> EAP-PEAP (VLAN 1)

w2. -> PSK (VLAN 1)

w3. -> EAP-CHAP(VLAN 1)

Which wlan does the problem occur on...only the eap-peap wlan?


It is important that you record the role that the user is in when he has the issue. You should also turn on user debugging so that we can see what led to the issue.

The problems occur on the EAP-PEAP and EAP-CHAP SSIDs (not on PSK and guest)

Thank you.

User debugging will allow you to possibly track this down. Do you use NPS for both wlans with the issue? Are you using any type of server or user derivation rules?

could it be possible that the clients are temporarily connecting to the guest WLAN prior to attempting 802.1x connection. this would present the captive portal certificate to the users in applications such as exchange where ssl is used.

 

maybe try changing the ordering of preferences of the WLAN profiiles on the client.

 

scott

There are no pririties set for the wlans.

We use rolled out profiles for windows and ios that only set the "non-guest" wlan.

This issue seems to be gone with some of the latest firmware versions.

We are now running FW 6.4.2.9 and never had this probem again since i think the latest 2 or 3 versions...

Hi !

We are using NPS for both wlans with this issue, BUT the NPS does not know nor has ever seen the securelogin.arubanetworks.com certificate.

We use user-derivation rules only in the guest wlan, but we use roles on the other wlan that change after authorization.