Server Cert and Trusted CA Cert

  • 1.  Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 01:49 AM

    I am trying to set up EAP-TLS and have a few questions:

    1) In a Master-Local setup, which controller do the Server and Trusted CA certs go on? APs are terminating on the Local.

    2) What's the purpose of the Server and Trusted CA certs? What does the controller do with these certs, i.e. how exactly does it use them to authenticate clients?

    3) I don't see the "eap-tls" option for the "Inner EAP-type" on the 802.1x profile. Do I need to upgrade code to get this option?



  • 2.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 01:53 AM

    @arubamonkey wrote:

    I am trying to set up EAP-TLS and have a few questions:

    1) In a Master-Local setup, which controller do the Server and Trusted CA certs go on? APs are terminating on the Local.

    2) What's the purpose of the Server and Trusted CA certs? What does the controller do with these certs, i.e. how exactly does it use them to authenticate clients?

    3) I don't see the "eap-tls" option for the "Inner EAP-type" on the 802.1x profile. Do I need to upgrade code to get this option?


    Great news!

    You don't have to import any certificates on the controller for EAP-TLS to work. The RADIUS server only needs a remote access policy that has "Smartcard or other Certificate" and the client only needs a client certificate issued by the same CA.



  • 3.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 02:04 AM

    Well that was fast! What if I don't have a RADIUS server in this scenario?



  • 4.  RE: Server Cert and Trusted CA Cert
    Best Answer

    EMPLOYEE
    Posted Feb 03, 2012 02:09 AM

    That involves more work.

    Please follow the attached instructions, then.

    Attachment(s)

    EAP-TLS Termination.pdf (2.51 MB)


  • 5.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 02:31 AM

    You're a lifesaver, cjoseph! For the Trusted CA, the document says "This was created during the install of the MS Cert Server". What if it's not there?

    Also, I hate to badger you, but can you please answer the three questions? :)



  • 6.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 02:42 AM

    When you create a CA, it installs its own cert automatically at that time. I have never seen it without one.

    For a full explanation of certificates, please read Jon Green's 5-part Digital Certificates series in the knowledge base here: http://community.arubanetworks.com/t5/Community-Knowledge-Base/tkb-p/tkb%40tkb

    It will put you on the correct path.



  • 7.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 12:43 PM

    Do these server and trusted CA certs need to go on the Master controller or the LMS?



  • 8.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 12:44 PM

    Both.



  • 9.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 12:50 PM

    Thanks. What about the missing "eap-tls" option in "Inner EAP-type"? Would Apple devices work with the "eap-mschapv2" option?



  • 10.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 12:52 PM

    @arubamonkey wrote:

    Thanks. What about the missing "eap-tls" option in "Inner EAP-type"? Would Apple devices work with the "eap-mschapv2" option?


    That option should be there. Either clear your browser cache or use a supported browser. If it does not appear, it is a bug and you should open a TAC case.



  • 11.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 01:03 PM

    Tried a different browser, still don't see it. Here's a screenshot:

    http://s17.postimage.org/pgo7zrhhr/EAPTLS.jpg

    The option doesn't come up in the CLI either.

    (WLC#1) (802.1X Authentication Profile "TEST-dot1x_prof") #termination inner-eap-type ?
    eap-gtc                 Select EAP-GenericTokenCard as the inner
                            authentication protocol
    eap-mschapv2            Select EAP-MSCHAPV2 as the inner authentication
                            protocol

    I'm using 5.0.4.3. Are you aware of any issues with this version?



  • 12.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 01:09 PM

    Both ArubaOS_5.0CRG and ArubaOS_6.0CRG only mention EAP-GTC and EAP-MS-CHAPv2.



  • 13.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 01:10 PM

    @arubamonkey wrote:

    Tried a different browser, still don't see it. Here's a screenshot:

    http://s17.postimage.org/pgo7zrhhr/EAPTLS.jpg

    The option doesn't come up in the CLI either.

    (WLC#1) (802.1X Authentication Profile "TEST-dot1x_prof") #termination inner-eap-type ?
    eap-gtc                 Select EAP-GenericTokenCard as the inner
                            authentication protocol
    eap-mschapv2            Select EAP-MSCHAPV2 as the inner authentication
                            protocol

    I'm using 5.0.4.3. Are you aware of any issues with this version?


    Wait. When you choose TLS, you do not have to choose an inner EAP type. The screenshot in the doc is incorrect.



  • 14.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 01:13 PM

    I am going by the EAP-TLS document which has this step in 2) b.iv. Which Inner-EAP type does it select by default if neither option is selected?



  • 15.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 01:14 PM

    Yes. The screenshot in that document has an error.



  • 16.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 01:20 PM

    Thanks a lot, man. If I had an award, I would give it to you. :D



  • 17.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 06:11 PM

    Hey one last thing, since I have a Master-Local setup and can't change anything on the Local controller, which server cert do I choose in the dot1x profile on the Master controller? Does the Master perform the authentication or the Local? I guess the cert should be for the one that does authentication.



  • 18.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 06:14 PM

    You need to upload the CA cert as well as the server cert on both. The CA cert is the same, but the server cert is usually different. Auth occurs on the local or the master, wherever the AP is connected.



  • 19.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 06:18 PM

    I've uploaded the specific server certs to each controller as well as the same trusted cert on both. In my setup, the APs terminate on the local controller but I can't change the config on the local. So on the Master, do I upload the Local's server cert as well and select that in the dot1x profile since the APs terminate on it?



  • 20.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 06:20 PM

    You should be able to upload the cert for the local on the local, and assign it to the profile name that is referenced in the master config.



  • 21.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 06:27 PM

    Well, considering I named the server certificates the same on both controllers when I uploaded it, this should cause each controller to select its own server cert, correct? Also, why do I see the "Reference" count for the server cert as still '0' in "Management > Certificates >Upload"?



  • 22.  RE: Server Cert and Trusted CA Cert

    EMPLOYEE
    Posted Feb 03, 2012 06:37 PM

    When you upload the certificate on the master, it asks for a certificate name. When it is uploaded and you click save config, it should propagate that "name" to the local. When you go to upload the server cert on the local, you should be able to select the propagated name from the master and assign the cert to that.



  • 23.  RE: Server Cert and Trusted CA Cert

    Posted Feb 03, 2012 06:42 PM

    I don't understand what you mean about propagating the name from the Master. When I upload the cert on the Local, I have the option of giving it any name. Let's say I give it a different name than what the Master's server cert has been given on the Master. My question is, how do I choose this cert on the Local controller in the dot1x profile when I can't even do any configuration on the Local, i.e. everything is greyed out? Obviously, on the Master which controls the configuration, I can't even select the Local's server cert since I didn't upload it on the Master.



  • 24.  RE: Server Cert and Trusted CA Cert

    Posted Feb 06, 2012 11:56 AM

    The "reference count" for the trusted CA is 1 but it's 0 for the server cert. That tells me that it's not being used, even though I have both the trusted CA and the server certs selected in the dot1x profile.

    (Controller1) #show crypto-local pki serverCert

    Certificates
    ------------
    Name                 Original Filename        Reference Count
    --------------       -----------------        ---------------
    ServerCert               server.cer               0

    (Controller1) #show crypto-local pki trustedCA  

    Certificates
    ------------
    Name                    Original Filename  Reference Count
    --------------          -----------------  ---------------
    TrustedCA_Cert          trusted_ca.cer     1



  • 25.  RE: Server Cert and Trusted CA Cert

    Posted Jul 10, 2012 10:44 AM

    Hey guys,

    I wanted to open a new thread, but it's exactly the same as this one, and I just have a few questions about it.

    I followed the guide posted by Colin, and I'm trying to authenticate my users in both ways: using a RADIUS server on a Windows Server 2008 R2 box and using Termination on the controller.

    When I use termination, the guide outlines that the Server Group should be "Internal", so don't I need to configure any policy in my NPS? How does the validation of the user cert work? On the other hand, when I deactivate Termination, Colin mentioned that I just have to configure a policy in the NPS that has "Smartcard or other Certificate"; do you have any guide to configure such a remote access policy?

    Thanks in advance for your help,

    César



  • 26.  RE: Server Cert and Trusted CA Cert

    Posted Jul 10, 2012 10:51 AM

    When termination is enabled on the controller, the controller will validate that the client has a certificate that is signed by the same Trusted CA cert configured in the dot1x profile. The client will verify that the controller has a server cert that is signed by a trusted CA cert installed on the client. Basically, the client and controller verify each other's certs. The NPS server is NOT involved (unless you check the "check common name in cert against RADIUS" (or something close to that) button). Then, the controller will pass the name of the user or machine cert to the configured RADIUS server for an authorize-only transaction. If it passes, the user is authenticated. If it fails, the user is denied WLAN access.

    If termination is not enabled, the entire EAP conversation is sent to the configured RADIUS server and the certificates are validated between the RADIUS server and the client.

    Does that make sense?

    The controller may be able to handle more certificate validations than your NPS server, depending on the resources you have available.
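The two-way check olino describes above, as an added example that is not part of the thread and not HPE Aruba code: a throwaway PKI built with the openssl CLI plays the roles of the Trusted CA, the controller's Server Cert and three user certs, and two shell functions perform what each side verifies. It goes one step past the post by also showing the optional name check that stands in for the "authorize only" RADIUS lookup (here a plain allow-list file) and the client's server-name check. Everything named in it (corp.example, wlc1, alice, bob, mallory, the allow-list) is made up, and it assumes openssl 1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from HPE Aruba): model the checks an
# EAP-TLS terminating controller and its client perform, using a throwaway
# PKI built with the openssl CLI. Assumes openssl 1.1+ on PATH. All names
# below (corp.example, wlc1, alice, bob, mallory) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA (stands in for the MS Cert Server CA in the thread).
mk_ca() {      # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf certificate signed by one of the CAs above.
mk_leaf() {    # $1 = CA prefix, $2 = leaf prefix, $3 = subject common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Constructed PKI: one CA the controller trusts, one it does not.
mk_ca   corp_ca  "Corp Root CA"                  # the controller's Trusted CA
mk_ca   rogue_ca "Rogue CA"                      # not loaded on the controller
mk_leaf corp_ca  ctrl    "wlc1.corp.example"     # the controller's Server Cert
mk_leaf corp_ca  alice   "alice@corp.example"    # valid user cert
mk_leaf corp_ca  bob     "bob@corp.example"      # valid cert, but not on the allow-list
mk_leaf rogue_ca mallory "alice@corp.example"    # same CN, untrusted issuer
printf 'alice@corp.example\n' > "$WORK/allow.txt"  # stand-in for the "authorize only" lookup

# Controller side (termination on): the presented client cert must chain to
# the Trusted CA; only then is its CN looked up for authorization. Doing the
# name check first would let mallory's same-CN cert through.
controller_check() {   # $1 = client cert PEM, $2 = allow-list file
  if ! openssl verify -CAfile "$WORK/corp_ca.pem" "$1" >/dev/null 2>&1; then
    echo "reject: not issued by the Trusted CA"; return 1
  fi
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//')
  if ! grep -qxF "$cn" "$2"; then
    echo "reject: $cn not authorized"; return 1
  fi
  echo "accept: $cn"
}

# Client side: the supplicant checks that the controller's Server Cert chains
# to a CA it trusts AND carries the server name it was configured to expect.
client_check() {       # $1 = server cert PEM, $2 = expected server name
  if openssl verify -CAfile "$WORK/corp_ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo "accept: $2"
  else
    echo "reject: server cert not trusted for $2"; return 1
  fi
}

# Walk the cases when run directly.
for u in alice bob mallory; do
  controller_check "$WORK/$u.pem" "$WORK/allow.txt" || true
done
client_check "$WORK/ctrl.pem" wlc1.corp.example
client_check "$WORK/ctrl.pem" other.example || true
```

The mallory case is the one to keep in mind when reading the "Reference Count 0" discussion earlier in the thread: if the Server Cert or Trusted CA is not actually bound to the dot1x profile on the controller that terminates the APs, one of these two checks is not happening at all, and a client with a cert from any CA, or no trust in the controller's cert, will behave differently from what the profile suggests.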



  • 27.  RE: Server Cert and Trusted CA Cert

    Posted Jul 10, 2012 06:07 PM

    Thanks for the explanation, olino, now it makes sense. I'm following the guide posted by Colin (file attached: EAP-TLS Termination). The CA issued a certificate for my Win 7 client and the user is in the domain. On the other hand, my WLAN controller has a valid certificate issued by the trusted CA as well, after the CSR request, plus the TrustedCA cert and IntermediateCA cert (image attached: Certificates WLAN.jpg). All of the other steps are according to the guide (Termination, dot1x profile, server group, etc.), and finally the configuration of my client is attached as well.

    Could you point out where my mistake is? On the user side it says: You need a valid digital certificate to join this network...

    Thanks in advance,

    César

    Attachment(s)

    EAP-TLS Termination.pdf (2.51 MB)


  • 28.  RE: Server Cert and Trusted CA Cert

    Posted Jul 11, 2012 10:27 AM

    It sounds like your Windows user certificate is not correct. The setup for the WLAN looks right.

    You might try to turn off machine authentication (set it to user only) and see if it's an issue with not having a machine certificate.



  • 29.  RE: Server Cert and Trusted CA Cert

    Posted Jul 18, 2012 11:14 AM

    Hi guys,

    Actually I have to perform machine authentication; the CA generated a digital certificate not for the user but for the machine. So do I have to install the machine certificate for each new user that's going to use the tablet? And do you have any guideline on how to configure the client to work with digital certificates?

    César