Occasional Contributor II
Posts: 18
Registered: ‎07-06-2012

Terminate EAP on Controller to Auth Mobile Devices

Hello,

 

Currently we have an Aruba deployment for mobile devices (various vendors) to connect to wireless infrastructure for mobile application testing. The current security method in place is WPA2-PSK and MAC authentication on the local database. I'd like to move away from that setup and move towards an L2 802.1x termination for better management.

I understand that you can terminate 802.1x on the controller and we'd most likely do that with a publicly trusted certificate from Verisign. We'd have both the CA and Server Cert (CSR generated by controller and signed by CA) loaded onto the controller. My question is: is it possible to issue individual certs to the mobile devices via the controller that are associated with the Verisign cert? And in the situation that a mobile device is compromised, can that particular certificate be revoked? Is this possible to do on the controller? I'm relatively new at this so I apologize in advance.

 

Thanks,

 

Brian

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Terminate EAP on Controller to Auth Mobile Devices

While you can terminate the 802.1x traffic on the controller, you will need an EXTERNAL CA to issue certificates to clients as well as an EXTERNAL OCSP responder to validate client certificate status.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 18
Registered: ‎07-06-2012

Re: Terminate EAP on Controller to Auth Mobile Devices

OK, thanks for the information. What do most people use for an external CA?

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Terminate EAP on Controller to Auth Mobile Devices

 

People honestly use what they have and what they are comfortable with. Maintaining and managing a CA with certificate issuance and revocation is a specialty even in your IT organization and it involves a big learning curve.

Users who are Microsoft shops use a Microsoft CA and try to work with that.

Many Aruba customers opt for ClearPass Policy Manager with Onboard, which is a RADIUS server that has a built-in CA that allows you to issue and revoke certificates and/or unique credentials to quite a few operating systems: http://www.arubanetworks.com/products/clearpass/device-management/ If you have VMware, it is fairly straightforward to evaluate. If you PM me I can put you in touch with the right people to evaluate it.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 18
Registered: ‎07-06-2012

Re: Terminate EAP on Controller to Auth Mobile Devices

We have actually been given an evaluation copy of ClearPass Policy Manager with Onboard from our sales rep, but at this time it's hard to justify the expense for an additional RADIUS server when we already have another vendor providing 802.1x authentication. Unfortunately that vendor cannot issue / revoke certificates. Maybe as our environment grows Onboard will become justifiable. Thanks for the help though!
