Contributor II
Posts: 39
Registered: ‎02-20-2013

SSID with client certificate authentication

Hi all,

I want to create an SSID with client certificate authentication (certificates are installed on the computers).

Does anyone know how I can do this with Aruba?

Please give me, step by step, all the needed configuration.

Another question: do I need a RADIUS server, or can the controller fill this role?

Thank you all

Guru Elite
Posts: 20,426
Registered: ‎03-29-2007

Re: SSID with client certificate authentication


Zakaria wrote:

Hi all,

I want to create an SSID with client certificate authentication (certificates are installed on the computers).

Does anyone know how I can do this with Aruba?

Please give me, step by step, all the needed configuration.

Another question: do I need a RADIUS server, or can the controller fill this role?

Thank you all


1. Believe it or not, there is very little to configure on Aruba. The Aruba configuration is identical to using PEAP. The main differences are how the server is configured, how certificates are distributed and how clients are configured (no difference on the Aruba Controller). If you have a Microsoft shop, they give detailed information in their lab guide here: http://www.microsoft.com/en-us/download/details.aspx?id=18161

2. You absolutely need a RADIUS server. There is a way to do this using an Aruba Controller without a RADIUS server, but it is an advanced topic. You should look at the lab guide to ensure that you have all the pieces necessary and set it up with a Microsoft RADIUS server first.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 39
Registered: ‎02-20-2013

Re: SSID with client certificate authentication

Hi,

First, thank you for the answer. I read the user guide of the Aruba 6.2. It seems that the controller can work as a RADIUS server. I also see that I have to install a CA certificate and a server certificate on the controller. Do I need to do this even if I use a RADIUS server?

You said that I don't have to do a lot of configuration on the controller, but you didn't say what I have to do. Just an 802.1X SSID?

Thank you

Guru Elite
Posts: 20,426
Registered: ‎03-29-2007

Re: SSID with client certificate authentication


Zakaria wrote:

Hi,

First, thank you for the answer. I read the user guide of the Aruba 6.2. It seems that the controller can work as a RADIUS server. I also see that I have to install a CA certificate and a server certificate on the controller. Do I need to do this even if I use a RADIUS server?  NO

You said that I don't have to do a lot of configuration on the controller, but you didn't say what I have to do. Just an 802.1X SSID?  Have you ever configured 802.1X on a controller before? If so, the configuration for EAP-PEAP and EAP-TLS is the same. If you have never done EAP-PEAP (if you don't have a RADIUS server you probably have not), you should start with that first, because it is simpler to accomplish.

Thank you


 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 39
Registered: ‎02-20-2013

Re: SSID with client certificate authentication

Hi,

I have configured 802.1X using NPS-based authentication. The users are authenticated using their Active Directory credentials. I have never created an SSID with certificate authentication; that is why I asked the question.

Thx again

Guru Elite
Posts: 20,426
Registered: ‎03-29-2007

Re: SSID with client certificate authentication


Zakaria wrote:

Hi,

I have configured 802.1X using NPS-based authentication. The users are authenticated using their Active Directory credentials. I have never created an SSID with certificate authentication; that is why I asked the question.

Thx again


If that is the case, you don't have to change anything on the Aruba side. The 802.1X setup is the same. You can even reuse the same 802.1X SSID if you want.

To add EAP-TLS configuration (assuming you already have a CA configured), you need to:

1. Change your Wireless LAN Remote Access policy on the NPS so that it allows "smartcard or certificate" instead of or in addition to PEAP.

2. Distribute certificates to your clients in Active Directory, either manually or using certificate autoenrollment. This can be done via group policy, if you want: http://technet.microsoft.com/en-us/library/bb456981.aspx

3. Configure your wireless LAN clients to use Smartcard or certificate and simple cert selection, instead of PEAP/MSCHAPv2.



Colin Joseph
Aruba Customer Engineering
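
A client-side check for steps 2 and 3 of the answer above, as an added example that is not part of the original posts: after autoenrollment, it lists the certificates in the computer store and reports anything that would keep them from working as an EAP-TLS client credential. It assumes the computer certificates are enrolled into `Cert:\LocalMachine\My` and skips revocation checking so it can run offline; the function name `Test-EapTlsClientCert` is made up for this example.

```powershell
# Added example (not from the thread): audit machine certificates for EAP-TLS use.
# Assumption: computer certificates are enrolled into Cert:\LocalMachine\My.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $problems = @()
    $now = Get-Date

    # The supplicant must be able to sign with the key, and the cert must be in date.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ($now -lt $Cert.NotBefore) { $problems += 'not yet valid' }
    if ($now -gt $Cert.NotAfter)  { $problems += 'expired' }

    # Collect EKU OIDs; this check requires Client Authentication to be listed.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $ClientAuthOid) { $problems += 'Client Authentication EKU missing' }

    # Build the chain against the local trust stores (revocation skipped: offline check).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

# Report every certificate in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsClientCert -Cert $_ } |
    Format-Table -AutoSize -Wrap
```

A certificate that shows `Usable = True` here can still be rejected by the RADIUS server, which applies its own chain and revocation checks.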
